From f4a24595b124cb21fcdcbf95ac9ddbdff3901caa Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Wed, 29 Apr 2026 11:09:34 -0700 Subject: [PATCH] C0: review CC ephemeral-privileged-jobs Verified TTL=604800s and hostPID limited to ephemeral Prowler CronJob on indri. Noted that alloy-tracing on ringtail also uses hostPID but is out of scope until Prowler scans ringtail (tracked in Todoist). Co-Authored-By: Claude Opus 4.7 (1M context) --- compensating-controls.yaml | 9 +++++++-- .../+review-cc-ephemeral-privileged-jobs.misc.md | 1 + 2 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 docs/changelog.d/+review-cc-ephemeral-privileged-jobs.misc.md diff --git a/compensating-controls.yaml b/compensating-controls.yaml index d9d7c6c..fb5450d 100644 --- a/compensating-controls.yaml +++ b/compensating-controls.yaml @@ -94,10 +94,15 @@ controls: auto-deletion, not as a persistent privileged workload. hostPID exposure is time-bounded to scan duration (~20s). created: 2026-03-30 - last-reviewed: 2026-03-30 + last-reviewed: 2026-04-29 notes: >- Verify TTL is set in cronjob.yaml. Check that no persistent - pods run with hostPID. + pods run with hostPID on the scanned cluster (indri). The + alloy-tracing DaemonSet on ringtail also uses hostPID but is + out of scope — Prowler only scans indri. Tracked in Todoist: + "prowler scan against ringtail" — once that lands, the + DaemonSet's hostPID+privileged posture will surface as a CIS + finding and need its own CC or remediation. - id: trusted-ci-only description: >- diff --git a/docs/changelog.d/+review-cc-ephemeral-privileged-jobs.misc.md b/docs/changelog.d/+review-cc-ephemeral-privileged-jobs.misc.md new file mode 100644 index 0000000..14dcdca --- /dev/null +++ b/docs/changelog.d/+review-cc-ephemeral-privileged-jobs.misc.md 
@@ -0,0 +1 @@ +Reviewed compensating control `ephemeral-privileged-jobs`: TTL and hostPID scope verified on indri. Noted that the alloy-tracing DaemonSet on ringtail is out of scope until Prowler scans ringtail (tracked in Todoist).
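Review bot: In the compensating-controls.yaml hunk, the `notes` rewrite narrows the check from "no persistent pods run with hostPID" to "on the scanned cluster (indri)" and then documents the ringtail alloy-tracing DaemonSet (hostPID plus privileged) as out of scope only because Prowler does not scan ringtail yet; that is a gap in scanner coverage, not a risk acceptance, and it is being recorded inside the notes of an unrelated control with a Todoist item as the only follow-up. Suggest giving alloy-tracing its own entry under `controls:` (or a tracked remediation) with an owner and a `last-reviewed`/next-review date, and keeping this control's `notes` about the ephemeral Prowler job only. Also, the commit message states the verified TTL as 604800s, but the hunk still reads `Verify TTL is set in cronjob.yaml.`; recording the expected value (e.g. `Verify ttlSecondsAfterFinished=604800 is set in cronjob.yaml.`, if that is the field used) lets the next review check against a concrete number rather than "is set".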
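Review bot: The changelog fragment says "TTL and hostPID scope verified on indri" but omits the concrete value the commit message gives (TTL=604800s) and does not name the control file being reviewed, so the entry is not self-contained once it is rolled into a release note. Suggest stating the verified TTL value and referencing `compensating-controls.yaml`, and phrasing the ringtail item as a deferred finding (DaemonSet with hostPID+privileged, not yet scanned) rather than simply "out of scope", so readers of the changelog see that an open privileged-workload item remains.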