Comprehensive Guide to Hardening Workloads with AccuKnox
    Workload Hardening

Service Account token

Protect access to the Kubernetes service account token mounted into the pod.

FIM

    File Integrity Monitoring

Packaging tools

    Deny execution of package management tools

Trusted certs bundle

    Protect write access to the trusted root certificates bundle
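The three file-level controls above (service account token, FIM, trusted certs bundle) map directly onto KubeArmor file rules, which is the enforcement layer the AccuKnox agents deploy. The policy below is an added example written for this page, not a policy shipped by AccuKnox or KubeArmor. The namespace `payments`, the pod label `app: payments-api` and the `/app/config/` path are assumptions for illustration.

```yaml
# Added example, not an AccuKnox/KubeArmor-provided policy.
# Assumptions: the workload runs in namespace "payments" with label
# app=payments-api and keeps its configuration under /app/config/.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: harden-payments-api-files
  namespace: payments
spec:
  severity: 7
  message: "Workload hardening: sensitive file access denied"
  selector:
    matchLabels:
      app: payments-api
  file:
    matchDirectories:
      # Service Account token: the projected token lets a compromised
      # container talk to the API server as the pod's service account.
      # A workload that never calls the API server has no reason to read
      # it, so every open() under this directory is denied.
      - dir: /run/secrets/kubernetes.io/serviceaccount/
        recursive: true
      # Trusted certs bundle: reads stay allowed so TLS validation keeps
      # working; writes are denied so nobody can append a rogue root CA.
      # This is the Debian/Ubuntu/Alpine location; RHEL-based images keep
      # the bundle under /etc/pki/tls/certs/ instead.
      - dir: /etc/ssl/certs/
        recursive: true
        readOnly: true
      # FIM: configuration is immutable at runtime. Any write attempt is
      # denied and raised as an alert carrying this policy's message.
      - dir: /app/config/
        recursive: true
        readOnly: true
  action: Block
```

Apply it with `kubectl apply -f` and check it from inside the pod: `kubectl exec <pod> -- cat /run/secrets/kubernetes.io/serviceaccount/token` should now fail with "Permission denied", and the denial appears in `karmor logs`. For a monitoring-only FIM rollout, keep the same rules but set `action: Audit`, then switch to `Block` once the alert stream shows no legitimate writes.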

Database access

    Protect read/write access to raw database tables from unknown processes.

Config data

    Protect access to configuration data containing plain text credentials.
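"Unknown processes" is the key phrase in the two items above: the database server and the application must keep their access, while anything else in the pod (an exec'd shell, a dropped dumper) is denied. That is an allowlist, which KubeArmor expresses with `action: Allow` plus `fromSource`. The policy below is an added example, not an AccuKnox or KubeArmor-provided one; the MySQL pod label, the namespace, the `/usr/sbin/mysqld` binary path and the `/etc/mysql/conf.d/credentials.cnf` file are assumptions.

```yaml
# Added example, not an AccuKnox/KubeArmor-provided policy.
# Assumptions: a MySQL pod labelled app=mysql in namespace "payments", the
# server binary at /usr/sbin/mysqld, and a config file with plaintext
# credentials at /etc/mysql/conf.d/credentials.cnf.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: harden-mysql-data-allowlist
  namespace: payments
spec:
  severity: 8
  message: "Workload hardening: unexpected process touched database or credential files"
  selector:
    matchLabels:
      app: mysql
  file:
    matchDirectories:
      # Database access: the raw table and redo files may be opened only
      # by the server process. A shell, a dropped dump tool or a "backup"
      # script run from an exec session counts as unknown and is denied
      # or audited, depending on the namespace's default file posture.
      - dir: /var/lib/mysql/
        recursive: true
        fromSource:
          - path: /usr/sbin/mysqld
    matchPaths:
      # Config data: the same allowlist for the file holding plaintext
      # credentials, so `cat` from an exec session cannot read it.
      - path: /etc/mysql/conf.d/credentials.cnf
        fromSource:
          - path: /usr/sbin/mysqld
  action: Allow
```

An Allow policy only says who may access the listed paths; what happens to everyone else is decided by the namespace's default file posture, which is audit on a stock install unless you run `kubectl annotate ns payments kubearmor-file-posture=block`. Roll the policy out with the audit posture first and read `karmor logs` for two things: the exec-session access you expect to see flagged, and any legitimate access by mysqld itself that the allowlist is too narrow for. Only then flip the annotation to block.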

File Copy

    Prevent file copy using standard utilities.

Network Access

Deny network access to every process in the pod, or allow it only for specific processes.

/tmp/ noexec

Do not allow execution of binaries from the /tmp/ directory.

Admin tools

    Do not allow execution of administrative/maintenance tools inside the pods.

Discovery tools

Do not allow execution of discovery utilities used to enumerate tools and configuration inside the pod.
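Packaging tools, File Copy, /tmp/ noexec, Admin tools and Discovery tools are all execution controls, so one KubeArmor process policy covers them. The policy below is an added example written for this page, not a policy from AccuKnox or KubeArmor. It assumes the namespace `payments`, the label `app: payments-api` and a Debian-style base image; the binary paths are the ones that image ships and must be verified against your own image.

```yaml
# Added example, not an AccuKnox/KubeArmor-provided policy.
# Assumptions: namespace "payments", label app=payments-api, Debian-style
# base image. Verify paths with `ls -l` in the image: on merged-/usr images
# /bin and /sbin are symlinks into /usr, so the /usr/bin form is the one
# that matches.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: harden-payments-api-process
  namespace: payments
spec:
  severity: 5
  message: "Workload hardening: execution of a denied binary"
  selector:
    matchLabels:
      app: payments-api
  process:
    matchPaths:
      # Packaging tools: a running container never installs software.
      - path: /usr/bin/apt
      - path: /usr/bin/apt-get
      - path: /usr/bin/dpkg
      - path: /usr/bin/yum
      - path: /usr/bin/dnf
      - path: /sbin/apk
      - path: /usr/bin/pip3
      # File Copy: utilities used to stage or exfiltrate data.
      - path: /usr/bin/cp
      - path: /usr/bin/scp
      - path: /usr/bin/rsync
      # Admin tools: account and privilege maintenance has no place in a pod.
      - path: /usr/bin/passwd
      - path: /usr/sbin/useradd
      - path: /usr/sbin/usermod
      - path: /usr/bin/chsh
      # Discovery tools: enumeration of tooling and configuration.
      - path: /usr/bin/find
      - path: /usr/bin/which
      - path: /usr/bin/locate
    matchDirectories:
      # /tmp/ noexec: nothing dropped into a writable scratch directory may
      # run, which breaks the usual "download to /tmp, chmod +x, execute"
      # chain. /var/tmp and /dev/shm are the other writable locations an
      # attacker reaches for.
      - dir: /tmp/
        recursive: true
      - dir: /var/tmp/
        recursive: true
      - dir: /dev/shm/
        recursive: true
  action: Block
```

Two checks after applying: `kubectl exec <pod> -- apt-get update` must fail with "Permission denied", and `kubectl exec <pod> -- sh -c 'cat /bin/sh > /tmp/x; chmod +x /tmp/x; /tmp/x'` must fail at the last step. One caveat: on busybox-based images most of these utilities are symlinks to a single `/bin/busybox` binary, so denying them individually by path is not possible; there the better fix is a minimal or distroless image that does not ship them at all.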

Logs delete

    Do not allow external tooling to delete logs/traces of critical components.

ICMP control

    Do not allow scanning tools to use ICMP for scanning the network.

Restrict Capabilities

Do not allow Linux capabilities that an attacker could leverage.
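Network Access, ICMP control and Restrict Capabilities are enforced with KubeArmor network and capability rules. Both variants described under Network Access are shown below as two policies in one file: a deny policy for ICMP, raw sockets and dangerous capabilities, and an allowlist policy that lets only the application binary open TCP/UDP sockets. This is an added example for this page, not a policy from AccuKnox or KubeArmor; the namespace, the pod label and the `/usr/local/bin/payments-api` binary path are assumptions.

```yaml
# Added example, not an AccuKnox/KubeArmor-provided policy.
# Assumptions: namespace "payments", label app=payments-api, and the
# application binary at /usr/local/bin/payments-api.
---
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: harden-payments-api-icmp-caps
  namespace: payments
spec:
  severity: 6
  message: "Workload hardening: ICMP, raw socket or capability use denied"
  selector:
    matchLabels:
      app: payments-api
  network:
    matchProtocols:
      # ICMP control: ping sweeps and ICMP tunnels are denied for every
      # process in the pod.
      - protocol: icmp
      # Raw sockets are what SYN scanners and packet crafters need.
      - protocol: raw
  capabilities:
    matchCapabilities:
      # Restrict Capabilities: even if the container keeps these in its
      # bounding set, any attempt to use them is denied. Names are lowercase
      # without the CAP_ prefix. net_raw is the documented KubeArmor case;
      # support for other capabilities depends on the enforcer in use
      # (AppArmor or BPF-LSM), so check the support matrix before relying
      # on them.
      - capability: net_raw
      - capability: sys_admin
  action: Block
---
# Network Access, selective form: only the application binary may open TCP
# and UDP sockets. Any other process (a shell, curl, a dropped agent) falls
# back to the namespace's default network posture.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: harden-payments-api-network-allowlist
  namespace: payments
spec:
  severity: 6
  message: "Workload hardening: network access from an unexpected process"
  selector:
    matchLabels:
      app: payments-api
  network:
    matchProtocols:
      - protocol: tcp
        fromSource:
          - path: /usr/local/bin/payments-api
      # UDP stays listed because the application's own DNS lookups need it.
      - protocol: udp
        fromSource:
          - path: /usr/local/bin/payments-api
  action: Allow
```

The first policy denies immediately. The second only denies once the namespace's default network posture is block (`kubectl annotate ns payments kubearmor-network-posture=block`); until then, non-application network use is audited, which is the right setting for a first rollout. For the other variant described above, denying network access to every process, drop `fromSource` from the second policy and set its `action` to `Block`. Verify with `kubectl exec <pod> -- ping -c1 <ip>` (denied by the first policy) and `kubectl exec <pod> -- sh -c 'cat < /dev/tcp/<ip>/443'` (audited, then denied once the posture is block).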

© 2024 AccuKnox. All Rights Reserved.