C0: review CC ephemeral-privileged-jobs

Verified TTL=604800s and hostPID limited to ephemeral Prowler CronJob on indri. Noted that alloy-tracing on ringtail also uses hostPID but is out of scope until Prowler scans ringtail (tracked in Todoist). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 11:09:34 -07:00 · 2026-04-29 11:09:34 -07:00 · f4a24595b1
commit f4a24595b1
parent 817acc5e5e
2 changed files with 8 additions and 2 deletions
--- a/compensating-controls.yaml
+++ b/compensating-controls.yaml
@ -94,10 +94,15 @@ controls:
      auto-deletion, not as a persistent privileged workload. hostPID
      exposure is time-bounded to scan duration (~20s).
    created: 2026-03-30
-    last-reviewed: 2026-03-30
+    last-reviewed: 2026-04-29
    notes: >-
      Verify TTL is set in cronjob.yaml. Check that no persistent
-      pods run with hostPID.
+      pods run with hostPID on the scanned cluster (indri). The
+      alloy-tracing DaemonSet on ringtail also uses hostPID but is
+      out of scope — Prowler only scans indri. Tracked in Todoist:
+      "prowler scan against ringtail" — once that lands, the
+      DaemonSet's hostPID+privileged posture will surface as a CIS
+      finding and need its own CC or remediation.

  - id: trusted-ci-only
    description: >-
--- a/docs/changelog.d/+review-cc-ephemeral-privileged-jobs.misc.md
+++ b/docs/changelog.d/+review-cc-ephemeral-privileged-jobs.misc.md
@ -0,0 +1 @@
+Reviewed compensating control `ephemeral-privileged-jobs`: TTL and hostPID scope verified on indri. Noted that the alloy-tracing DaemonSet on ringtail is out of scope until Prowler scans ringtail (tracked in Todoist).
				`@ -0,0 +1 @@`
				Reviewed compensating control `ephemeral-privileged-jobs`: TTL and hostPID scope verified on indri. Noted that the alloy-tracing DaemonSet on ringtail is out of scope until Prowler scans ringtail (tracked in Todoist).