This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
AnthosConfigManagement.yaml
version: 1
ATT&CK version: 10
creation date: 04/27/2022
last update: 05/13/2022
name: AnthosConfigManagement
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: GCP
tags:
  - Configuration Management
  - Containers
  - Policy
description: >
  Anthos Config Management enables platform operators to automatically deploy shared environment
  configurations and enforce approved security policies across Kubernetes clusters on-premises, on
  GKE, and in other public cloud platforms. It also lets platform admins configure Google Cloud
  services using the same resource model.
techniques:
  - id: T1552.007
    name: Container API
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Adversaries may gather credentials via APIs within a container environment, such as
          the Docker API and Kubernetes APIs. Anthos Config Management can manage configuration
          for any Kubernetes API, including policies for the Istio service mesh, resource
          quotas, and access control policies.
  - id: T1525
    name: Implant Internal Image
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Prevent configuration drift with continuous monitoring of your cluster state, using the
          declarative model to apply policies that enforce compliance. This control can periodically
          check the integrity of images and containers used in cloud deployments to ensure that
          adversaries cannot implant malicious code to gain access to an environment.
      - category: Detect
        value: Partial
  - id: T1609
    name: Container Administration Command
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Anthos Config Management lets you create and manage Kubernetes objects across multiple
          clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root
          Linux user and from running privileged containers. This can ensure containers are not
          running as root by default.
  - id: T1610
    name: Deploy Container
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Anthos Config Management's Policy Controller enables you to enforce fully programmable
          policies on your clusters. You can use these policies to shift security left and guard
          against violations during development and test time, as well as runtime violations. This
          control can be used to block adversaries that try to deploy new containers with malware or
          configuration policies that are not in compliance with security policies already
          defined.
  - id: T1613
    name: Container and Resource Discovery
    technique-scores:
      - category: Protect
        value: Significant
        comments: >-
          Adversaries may attempt to discover containers and other resources that are available
          within a container environment. The "Network Policies" rule controls the network traffic
          inside clusters, denying direct remote access to internal systems through the use of
          network proxies, gateways, and firewalls.
  - id: T1611
    name: Escape to Host
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Anthos Config Management lets you create and manage Kubernetes objects across multiple
          clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root
          Linux user and from running privileged containers. This control can be used to limit
          container access to host process namespaces, the host network, and the host file
          system, which may enable adversaries to break out of containers and gain access to the
          underlying host.
  - id: T1078
    name: Valid Accounts
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Anthos Config Management lets you create and manage Kubernetes objects across multiple
          clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root
          Linux user. Based on the medium detection coverage, this was scored as partial.
  - id: T1078.001
    name: Default Accounts
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Anthos Config Management lets you create and manage Kubernetes objects across multiple
          clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root
          Linux user. Based on the medium detection coverage, this sub-technique was scored as
          partial.
  - id: T1078.004
    name: Cloud Accounts
    technique-scores:
      - category: Protect
        value: Partial
        comments: >-
          Anthos Config Management lets you create and manage Kubernetes objects across multiple
          clusters at once. PodSecurityPolicies can be enforced to prevent Pods from using the root
          Linux user. Based on the medium detection coverage, this sub-technique was scored as
          partial.
comments: >-
  Based on the medium detection coverage for the correlated cyber-attacks, most of the techniques
  and sub-techniques in this security solution were rated as partial.
references:
  - 'https://cloud.google.com/anthos-config-management/'