OOTB Rules

Datadog provides out-of-the-box (OOTB) detection rules to flag attacker techniques and potential misconfigurations so you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account, your Application Security Management library, and the Agent, depending on your configuration. For more information, see the Detection Rules documentation.

Click on the buttons below to filter by different parts of Datadog Security. OOTB rules are available for Cloud SIEM, Posture Management, which is divided into cloud or infrastructure configuration, Workload Security, and Application Security Management.

Azure (azure)
- Azure Active Directory risky sign-in
- Azure AD brute force login
- Azure AD Identity Protection risky user
- Azure AD Login Without MFA
- Azure AD member assigned built-in Administrator role
- Azure AD member assigned Global Administrator role
- Azure AD Privileged Identity Management member assigned
- Azure Datadog Log Forwarder Deleted
- Azure diagnostic setting deleted or disabled
- Azure disk export URI created
- Azure Firewall Threat Intelligence Alert
- Azure Frontdoor WAF Blocked a Request
- Azure Frontdoor WAF Logged a Request
- Azure Login Explicitly Denied MFA
- Azure Network Security Group Open to the World
- Azure Network Security Groups or Rules Created, Modified, or Deleted
- Azure new owner added for service principal
- Azure New Owner added to Azure Active Directory application
- Azure New Service Principal created
- Azure Policy Assignment Created
- Azure Service Principal was assigned a role
- Azure snapshot export URI created
- Azure SQL Server Firewall Rules Created or Modified
- Azure user invited an external user
- Azure user ran command on container instance
- Azure user viewed CosmosDB access keys
- Azure user viewed CosmosDB connection string
- Brute-forced user has assigned a role
- Credential added to Azure AD application
- Credential added to rarely used Azure AD application
- Credential Stuffing Attack on Azure
- Microsoft 365 - Modification of Trusted Domain
- Potential Illicit Consent Grant attack via Azure registered application
- Tor client IP address identified within Azure environment
- User ran a command on Azure Compute
Azure.Activity Log (azure.activity_log)
- User has 'Create or Update Load Balancer' activity log alert configured
- User has 'Create or Update Network Security Group' activity log alert configured
- User has 'Create or Update Security Solutions' activity log alert configured
- User has 'Create or Update SQL Server Firewall Rule' activity log alert configured
- User has 'Create or Update Storage Accounts' activity log alert configured
- User has 'Create or Update Virtual Machines' activity log alert configured
- User has 'Create Policy Assignment' activity log alert configured
- User has 'Create Update Azure SQL Database' activity log alert configured
- User has 'Create Update MySQL Database' activity log alert configured
- User has 'Create Update PostgreSQL Database' activity log alert configured
- User has 'Deallocate Virtual Machines' activity log alert configured
- User has 'Delete Azure SQL Database' activity log alert configured
- User has 'Delete Key Vault' activity log alert configured
- User has 'Delete Load Balancer' activity log alert configured
- User has 'Delete MySQL Database' activity log alert configured
- User has 'Delete Network Security Group' activity log alert configured
- User has 'Delete Policy Assignment' activity log alert configured
- User has 'Delete PostgreSQL Database' activity log alert configured
- User has 'Delete Security Solution' activity log alert configured
- User has 'Delete SQL Server Firewall Rule' activity log alert configured
- User has 'Delete Storage Accounts' activity log alert configured
- User has 'Delete Virtual Machines' activity log alert configured
- User has 'Power Off Virtual Machine' activity log alert configured
- User has 'Rename Azure SQL Database' activity log alert configured
- User has 'Update Key Vault' activity log alert configured
- User has 'Update Security Policy' activity log alert configured
Cloudtrail (cloudtrail)
- A user received an anomalous number of AccessDenied errors
- Amazon S3 bucket policy modified
- Amazon SES enumeration attempt by previously unseen user
- Amazon SES modification attempt
- An AWS account attempted to leave the AWS Organization
- An AWS S3 bucket lifecycle expiration policy was set to disabled
- An AWS S3 bucket lifecycle policy expiration is set to < 90 days
- An AWS S3 bucket mfaDelete is disabled
- An EC2 instance attempted to enumerate S3 bucket
- Anomalous amount of access denied events for AWS EC2 Instance
- Anomalous amount of Autoscaling Group events
- Anomalous API Gateway API key reads by user
- Anomalous number of assumed roles from user
- Anomalous number of S3 buckets accessed
- Anomalous S3 bucket activity from user ARN
- At least one CloudTrail trail is multi-region per AWS account
- AWS AMI Made Public
- AWS CloudTrail configuration modified
- AWS CloudWatch log group deleted
- AWS CloudWatch rule disabled or deleted
- AWS Config modified
- AWS Console login without MFA
- AWS ConsoleLogin with MFA triggered Impossible Travel scenario
- AWS ConsoleLogin without MFA triggered Impossible Travel scenario
- AWS Detective Graph deleted
- AWS Disable Cloudtrail with event selectors
- AWS EBS default encryption disabled
- AWS EBS Snapshot Made Public
- AWS EBS Snapshot possible exfiltration
- AWS EC2 new event for application
- AWS EC2 new event for EKS Node Group
- AWS EC2 subnet deleted
- AWS ECS cluster deleted
- AWS EventBridge rule disabled or deleted
- AWS GuardDuty detector deleted
- AWS GuardDuty publishing destination deleted
- AWS GuardDuty threat intel set deleted
- AWS IAM activity from EC2 instance
- AWS IAM AdministratorAccess policy was applied to a group
- AWS IAM AdministratorAccess policy was applied to a role
- AWS IAM AdministratorAccess policy was applied to a user
- AWS IAM policy changed
- AWS IAM privileged policy was applied to a group
- AWS IAM privileged policy was applied to a role
- AWS IAM privileged policy was applied to a user
- AWS Kinesis Firehose stream destination modified
- AWS KMS key deleted or scheduled for deletion
- AWS Network Access Control List created or modified
- AWS Network Gateway created or modified
- AWS RDS Cluster deleted
- AWS root account activity
- AWS Route 53 DNS query logging disabled
- AWS Route 53 VPC disassociated from query logging configuration
- AWS Route Table created or modified
- AWS S3 Bucket ACL made public
- AWS S3 Public Access Block removed
- AWS security group created, modified or deleted
- AWS Security Hub disabled
- AWS VPC created or modified
- AWS VPC Flow Log Deleted
- AWS WAF traffic blocked by specific rule
- AWS WAF traffic blocked by specific rule on multiple IPs
- AWS WAF web access control list deleted
- AWS WAF web access control list modified
- CloudTrail global services are enabled
- CloudTrail log file validation is enabled
- CloudTrail logs are encrypted at rest using KMS CMKs
- CloudTrail logs S3 bucket is inaccessible over the public internet
- CloudTrail trails are integrated with CloudWatch Logs
- Compromised AWS EC2 Instance
- Compromised AWS IAM User Access Key
- Encrypted administrator password retrieved for Windows EC2 instance
- New Amazon EC2 Instance type
- New AWS account seen assuming a role into AWS account
- New Private Repository Container Image detected in AWS ECR
- New Public Repository Container Image detected in AWS ECR
- New user seen executing a command in an ECS task
- Object-level logging is enabled for S3 bucket read events
- Object-level logging is enabled for S3 bucket write events
- Possible AWS EC2 privilege escalation via the modification of user data
- Possible privilege escalation via AWS IAM CreateLoginProfile
- Possible RDS Snapshot Exfiltration
- Potential administrative port open to the world via AWS security group
- Potential brute force attack on AWS ConsoleLogin
- Potential database port open to the world via AWS security group
- S3 bucket access logging is enabled on the CloudTrail S3 bucket
- Security group open to the world
- The AWS managed policy AWSCompromisedKeyQuarantineV2 has been attached
- Tor client IP address identified within AWS environment
- User enumerated AWS Secrets Manager - Anomaly
- User enumerated AWS Systems Manager parameters - Anomaly
- User travel was impossible in AWS CloudTrail IAM log
Docker (docker)
- All Docker swarm overlay networks are encrypted
- Auditing for Docker Daemon executable is configured
- Auditing for Docker local storage is configured
- Auditing for the containerd executable is configured
- Auditing for the default Docker configuration file is configured
- Auditing for the default Docker configuration file is configured - RHEL
- Auditing for the Docker daemon configuration file is configured
- Auditing for the docker.service file is configured
- Auditing for the docker.socket file is configured
- Auditing for the runc executable is configured
- Auditing is configured for Docker-related files
- Authorization for Docker client commands is enabled
- Base device size set to default value (10 GB)
- CA certificates are rotated as appropriate
- Centralized and remote logging is configured
- Configure applicable cluster role-based access control policies
- Configure the LDAP authentication service
- Container has memory usage limits configured
- Container health is always monitored
- Container host has been hardened
- Container image includes HealthCheck instructions
- Container is restricted from acquiring additional privileges
- Container root file system is set to read-only
- Container sprawl is avoided
- Container's PIDs cgroup limit parameter is set
- Containers are restricted from acquiring new privileges
- Containers have an AppArmor profile enabled
- Containers only run in non-privileged mode
- Containers prohibit Docker socket mounting
- Containers run using non-root user accounts
- Containers use a non-default bridge network
- Containers use only trusted base images
- Containers use the cgroup configured in Docker
- Content trust for Docker is enabled
- COPY is used instead of ADD in Dockerfiles
- CPU priorities are set to ensure critical containers remain responsive
- Daemon-wide custom seccomp profile is applied if appropriate
- Default cgroup usage has been confirmed
- Default Docker configuration file can only be altered by owners
- Default Docker configuration file can only be altered by owners - RHEL
- Default Docker configuration file is owned by the root account and group
- Default Docker configuration file is owned by the root account and group - RHEL
- Default ulimit is configured appropriately
- Default ulimit is overwritten at runtime if needed
- Docker commands always make use of the latest version of their image
- Docker daemon logging level is set to 'info'
- Docker exec commands are used with a non-root user option
- Docker exec commands are used without the privileged option
- Docker is authorized to make firewall configuration changes
- Docker local storage is mounted on a separate disk partition
- Docker related files are owned by the root account and group
- Docker related files can only be altered by owners
- Docker server certificate file permissions are set to read-only or more restrictive
- Docker uses a storage driver other than AUFS
- Docker version is up to date
- Docker's secret management commands are used for managing secrets in a swarm cluster
- Dockerfile is free of stored secrets
- Dockerfile is void of any update instructions
- Enable image vulnerability scanning
- Enable signed image enforcement
- Enable user namespace support
- Enforce the use of client certificate bundles for unprivileged users
- Experimental features are disabled in production
- Host devices are hidden from containers
- Host's IPC namespace is isolated from containers
- Host's network namespace is hidden from containers
- Host's process namespace is isolated from containers
- Image sprawl is avoided
- Images are scanned and rebuilt to include security patches
- Incoming container traffic is bound to a specific host interface
- Linux kernel capabilities are restricted to only those which are required
- Live restore is enabled
- Management plane traffic is separated from data plane traffic
- Mapping of privileged ports within containers is restricted
- Minimum number of manager nodes have been created in a swarm
- Mount propagation mode is always set to a non-shared option
- Network traffic is restricted between containers on the default network bridge
- Node certificates are rotated as appropriate
- Only necessary packages are installed in the container
- Only needed ports are open on the container
- Only the owner of the server certificate key file can read its contents
- Only the root account and Docker group members can control the Docker daemon
- Only the root account and Docker group members can read and write to the Docker socket file
- Only the root account and Docker group members have ownership of the Docker socket file
- Only the root account and group have ownership of the daemon.json file
- Only the root account and group have ownership of the Docker server certificate file
- Only the root account and group have ownership of the Docker server certificate key file
- Only the root account and group have ownership of the docker.service file
- Only the root account and group have ownership of the TLS CA certificate file
- Only the root account and group have ownership over the docker.socket file
- Only the root account and group have ownership over the registry certificate file
- Only the root account has write permissions to the daemon.json file
- Only the root account has write permissions to the docker.service file
- Only the root account has write permissions to the docker.socket file
- Only verified packages are installed
- Private registry uses TLS encryption
- Registry certificate file permissions are set to read-only or more restrictive
- Restart attempts on container failure is limited to 5 attempts
- Seccomp profiles are enabled for filtering incoming system calls
- SELinux security options are configured
- Sensitive host system directories are not mounted on containers
- Set the "Lifetime Minutes" and "Renewal Threshold Minutes" values to '15' or lower and '0' respectively
- Set the per-user session limit to a value of '3' or lower
- setuid and setgid permissions are removed
- sshd is disabled in containers
- Swarm manager auto-lock key is rotated periodically
- Swarm manager is run in auto-lock mode
- Swarm mode is disabled
- Swarm services are bound to a specific host interface
- TLS authentication is configured for Docker daemon
- TLS CA certificate file permissions are set to read-only or more restrictive
- Use external certificates
- User namespaces isolated between host and containers
- Userland Proxy is Disabled
- UTS Namespace is only allocated to the Host
GCP (gcp)
- Access denied for Google Cloud Service Account
- Anomalous number of Google Cloud Compute GPU virtual machines created
- Anomalous number of Google Cloud Storage Buckets Accessed
- Anomalous number of Google Cloud Storage Objects Accessed
- Anomalous number of Google Compute Engine instances created in multiple zones by user
- Attempt to add SSH key to Google Compute Engine project metadata by a previously unseen user
- Google App Engine service account used outside of Google Cloud
- Google Cloud BigQuery - query results saved to cloud storage
- Google Cloud BigQuery - query results saved to new table
- Google Cloud BigQuery results saved to cloud storage by a previously unseen user
- Google Cloud Compute Engine GPU virtual machine instance created
- Google Cloud GCE instance startup script added or modified
- Google Cloud IAM policy modified
- Google Cloud IAM role created
- Google Cloud IAM Role updated
- Google Cloud Logging Bucket deleted
- Google Cloud logging sink modified
- Google Cloud Project external principal added as project owner
- Google Cloud Pub/Sub Subscriber modified
- Google Cloud Pub/Sub topic deleted
- Google Cloud Service Account accessing anomalous number of Google Cloud APIs
- Google Cloud Service Account created
- Google Cloud Service Account Impersonation activity using access token generation
- Google Cloud Service Account Impersonation using GCPloit Exploitation Framework
- Google Cloud Service Account key created
- Google Cloud SQL database modified
- Google Cloud SQL instance data exported to cloud storage
- Google Cloud SQL instance data exported to cloud storage by a previously unseen user
- Google Cloud Storage Bucket contents downloaded without authentication
- Google Cloud Storage Bucket enumerated
- Google Cloud Storage Bucket modified
- Google Cloud Storage Bucket permissions modified
- Google Cloud unauthorized service account activity
- Google Cloud unauthorized user activity
- Google Compute Engine firewall egress rule opened to the world
- Google Compute Engine firewall rule modified
- Google Compute Engine image created
- Google Compute Engine instance metadata SSH key added or modified
- Google Compute Engine instances created in multiple zones by user
- Google Compute Engine network created
- Google Compute Engine network route created or modified
- Google Compute Engine project metadata SSH key added or modified
- Google Compute Engine service account used outside of Google Cloud
- Potential Google Cloud cryptomining attack from Tor IP
- Tor client IP address identified within Google Cloud environment
Google Cloud Asset Inventory (google_cloud_asset_inventory)
Google SQL Database Instance (google_sql_database_instance)
- '3625 (trace flag)' database flag is set to 'off' for SQL Server Instance
- 'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql Instance
- 'contained database authentication' database flag is set to 'off' for SQL Server Instance
- 'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance
- 'external scripts enabled' database flag is set to 'off' for SQL Server Instance
- 'local_infile' database flag is set to 'off' for MySQL Instance
- 'log_connections' database flag is set to 'on' for PostgreSQL Instance
- 'log_disconnections' database flag is set to 'on' for PostgreSQL Instance
- 'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance
- 'log_hostname' database flag is set to 'on' for PostgreSQL Instance
- 'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance
- 'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance
- 'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance
- 'log_statement' database flag is set appropriately for PostgreSQL Instance
- 'remote access' database flag is set to 'off' for SQL Server Instance
- 'skip_show_database' flag is set to 'on' for MySQL Instance
- 'user connections' database flag is set to a non-limiting value for SQL Server Instance
- Automated backups are configured for SQL Database Instances
- SQL database instance uses SSL for all incoming connections
- SQL Database Instances only allow ingress traffic from specific IP addresses
- SQL Server Instance 'user options' database flag is disabled
Google.Workspace.Alert.Center (google.workspace.alert.center)
Kubernetes (kubernetes)
- --anonymous-auth argument is set to false
- --event-qps argument is set to 0 or a level which ensures appropriate event capture
- --hostname-override argument is disabled
- --terminated-pod-gc-threshold argument is set as appropriate
- A Kubernetes user attempted to perform a high number of actions that were denied
- A Kubernetes user was assigned cluster administrator permissions
- A minimal audit policy exists
- A new Kubernetes admission controller was created
- A unique Certificate Authority is used for etcd
- Admission control plugin AlwaysPullImages is set
- Admission control plugin EventRateLimit is set
- Admission control plugin SecurityContextDeny is set if PodSecurityPolicy is disabled
- Admission controller AlwaysAdmit is disabled
- Admission controller NamespaceLifecycle is enabled
- Admission controller NodeRestriction is enabled
- Admission controller PodSecurityPolicy is enabled
- Admission controller ServiceAccount is enabled
- All namespaces have network policies defined
- Allow Kubelets to manage changes to the iptables
- Anonymous Request Authorized
- API server anonymous-auth argument is set to false
- API server audit log files are retained for at least 10 log file rotations
- API server audit log files are rotated once the file reaches 100 MB or more
- API server audit logs are enabled
- API server audit logs are retained for at least 30 days
- API server only allows explicitly authorized requests
- API server only binds the API service to secure, known ports
- API server only binds to secure API service addresses
- API Server only makes use of Strong Cryptographic Ciphers
- API server pod specification file can only be altered by owners
- API server profiling is disabled
- API server request timeout exceeds 60 seconds only if required
- API Server requires HTTPS connections
- API server secure port is enabled
- API server uses a service account public key file for service accounts
- API server uses secure authentication methods
- API server uses TLS certificate client authentication
- API server validates the service account token exists in etcd
- API server verifies the kubelet's certificate before establishing connection
- Apply security context to your pods and containers
- Audit policy covers key security concerns
- Basic authentication is disabled for the API server
- Certificate authorities file can only be altered by owners
- Certificate-based kubelet authentication is required
- Client authentication is enabled for etcd
- Client certificate authorities file is owned by root
- Cluster-admin role is only used where required
- CNI in use supports network policies
- Configure image provenance using ImagePolicyWebhook admission controller
- Consider external secret storage
- Container Network Interface file ownership is set to root:root
- Container Network Interface file permissions are set to 644 or more restrictive
- Containers are configured to block privilege escalation
- Controller Manager API service is bound to localhost
- Controller manager has a service account private key file set
- Controller manager pod specification file can only be altered by owners
- Controller manager pod specification file is owned by root
- Controller Manager profiling is disabled
- controller-manager.conf file can only be altered by owners
- Create administrative boundaries between resources using namespaces
- Default Kubelet kernel parameter values are protected
- Each controller uses individual service account credentials
- Enable kubelet server certificate rotation on controller-manager
- Encryption providers are appropriately configured
- Etcd data directory is owned by the etcd user and group
- Etcd data directory permissions can only be altered by owners
- etcd is configured for peer authentication
- etcd is configured with TLS encryption
- etcd is encrypted at rest
- etcd only allows the use of valid client certificates
- Etcd pod specification file can only be altered by owners
- Etcd pod specification file is owned by root
- etcd server requires API servers present a client certificate and key when connecting
- etcd server requires API servers present an SSL CA file when connecting
- etcd uses TLS encryption for peer connections
- Kube-proxy configuration file can only be altered by owners
- Kube-proxy configuration file ownership is assigned to root
- Kubelet client certificate rotation is enabled
- Kubelet configuration file is owned by root
- Kubelet connections use HTTPS
- Kubelet nodes are only authorized to read objects they are associated with
- Kubelet only allows explicitly authorized requests
- Kubelet only makes use of Strong Cryptographic Ciphers
- Kubelet read-only port is disabled
- Kubelet requires HTTPS connections
- Kubelet server certificate rotation is enabled
- Kubelet service can only be altered by owners
- Kubelet service file is owned by root
- Kubelet uses TLS certificate client authentication
- Kubernetes PKI certificate file can only be altered by owners
- Kubernetes PKI directory is owned by root
- Kubernetes PKI key file permissions are set to 600
- Kubernetes Pod Created in Kube Namespace
- Kubernetes Pod Created with hostNetwork
- Kubernetes principal attempted to enumerate their permissions
- Kubernetes Service Account Created in Kube Namespace
- Kubernetes Service Created with NodePort
- Limit admission of containers sharing the host IPC namespace
- Limit admission of containers sharing the host PID namespace
- Minimize access to create pods
- Minimize access to secrets
- Minimize the admission of containers wishing to share the host network namespace
- Minimize the admission of containers with added capabilities
- Minimize the admission of containers with capabilities assigned
- Minimize the admission of containers with the NET_RAW capability
- Minimize the admission of privileged containers
- Minimize the admission of root containers
- Minimize wildcard use in Roles and ClusterRoles
- New Kubernetes Namespace Created
- New Kubernetes privileged pod created
- Only non-default service accounts are in use
- Only the root account and group have ownership of the admin.conf file
- Only the root account and group have ownership of the API server pod specification file
- Only the root account has write permissions to the admin.conf file
- Pods utilize `root-ca-file` to pass serving certificates to the API server
- Prefer using secrets as files over secrets as environment variables
- Prevent use of self-signed certificates for TLS connections between etcd peers
- RBAC is enabled for the API server
- Resources are created in a non-default namespace
- Scheduler API service is bound to localhost
- Scheduler configuration file can only be altered by owners
- Scheduler configuration file ownership is assigned to root
- Scheduler pod specification file can only be altered by owners
- Scheduler pod specification file ownership is assigned to root
- Scheduler profiling is disabled
- seccomp profile is set to docker/default in your pod definitions
- Service account tokens are only mounted where necessary
- The controller-manager.conf file is owned by root
- The kubelet configuration file can only be altered by owners
- The kubelet.conf file can only be altered by owners
- The kubelet.conf file is owned by root
- Timeouts on streaming connections are enabled
- User Attached to a Pod
- User authentication is implemented using secure methods other than client certificate authentication
- User Exec into a Pod