added security and compliance templates

patch-4
Prince Chaddha 2024-06-16 10:24:40 +04:00
parent 95a57927e2
commit 1fb4542c78
16 changed files with 517 additions and 118 deletions

View File

@ -0,0 +1,53 @@
id: k8s-seccomp-profile-set
info:
name: Set appropriate seccomp profile
author: princechaddha
severity: medium
description: Checks if the seccomp profile is set to docker/default or runtime/default in Kubernetes Deployments.
impact: |
Using a default seccomp profile helps in reducing the attack surface of the container by limiting the syscalls containers can make, which can prevent certain types of exploits.
remediation: |
Ensure that all containers in Kubernetes Deployments have a seccomp profile of docker/default or runtime/default set in their security contexts.
reference:
- https://kubernetes.io/docs/tutorials/clusters/seccomp/
tags: cloud,devops,kubernetes,security,devsecops,containers
flow: |
code(1);
for (let deployment of template.items) {
set("deployment", deployment)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get deployments --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[]'
javascript:
- code: |
deployment = JSON.parse(template.deployment);
deployment.spec.template.spec.containers.forEach(container => {
if (container.securityContext && container.securityContext.seccompProfile &&
(container.securityContext.seccompProfile.type === 'RuntimeDefault' || container.securityContext.seccompProfile.type === 'DockerDefault')) {
// No action needed, configured properly
} else {
let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' does not have an appropriate seccomp profile set.`);
Export(result);
}
});
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a004730450221008b59741a5c3cbb00fea807cbfad091c4bbd5b4cfb68d0eaba6cbad0f5b41b031022021a3ff36185afd480db929ad18207f2b03a2a823ec1d1858de0facf7fd7b2bbf:366f2a24c8eb519f6968bd8801c08ebe
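Review bot: the profile check in the `javascript` block only looks at the container-level `securityContext.seccompProfile`, so a Deployment that sets the profile once at pod level (`spec.template.spec.securityContext.seccompProfile`, which applies to every container) is reported as missing one, and `initContainers` are never inspected. `DockerDefault` is also not a value the `seccompProfile.type` field accepts (it takes `RuntimeDefault`, `Localhost` or `Unconfined`; the `docker/default` spelling in the description belongs to the deprecated annotation), so the second half of the `||` can never match. Suggest resolving `container.securityContext.seccompProfile || deployment.spec.template.spec.securityContext.seccompProfile`, accepting `RuntimeDefault` (and, if custom profiles are acceptable, `Localhost`), and iterating `initContainers` alongside `containers`.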

View File

@ -1,48 +0,0 @@
id: k8s-def-egress-rules
info:
name: Ensure egress rules are defined
author: princechaddha
severity: medium
description: Checks for network policies that define specific egress rules, ensuring controlled outbound traffic.
impact: |
Lack of egress rules in network policies may allow unrestricted outbound network traffic. This can lead to potential security risks, including data exfiltration.
remediation: |
Define egress rules in the network policy to manage and restrict outbound traffic effectively. Specify allowed destinations and ports to limit network traffic.
reference:
- https://kubernetes.io/docs/concepts/services-networking/network-policies/
tags: cloud,devops,kubernetes,security,devsecops,network
flow: |
code(1);
for (let policy of template.items) {
set("policy", policy)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get networkpolicies --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[] | {name: .metadata.name, namespace: .metadata.namespace, egress: .spec.egress}'
javascript:
- code: |
let policyData = template.policy;
if (!policyData.egress || policyData.egress.length === 0) {
let result = `Network policy '${policyData.name}' in namespace '${policyData.namespace}' does not define any egress rules.`;
Export(result);
}
extractors:
- type: dsl
dsl:
- response
# digest: 490a0046304402203da66eea889668b34e537e161930c32db95c287c91bf4b25ea42fab9207aa20b022066509c25e5056f4f842cc9720a481689aaf3c3208c6f91ce5dd051819e0325a6:366f2a24c8eb519f6968bd8801c08ebe
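Review bot: this deletion drops the only egress check that carried the namespace, both in the projection (`namespace: .metadata.namespace`) and in the finding (`in namespace '${policyData.namespace}'`); NetworkPolicy names are unique only within a namespace, so whichever template replaces k8s-def-egress-rules should keep that field rather than report the bare name. The removed file also read `template.policy` without `JSON.parse` even though `set("policy", policy)` stores the extractor's JSON string, so `policyData.egress` was always undefined and the template fired on every policy; if that was the bug prompting the rewrite, say so in the commit message.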

View File

@ -0,0 +1,47 @@
id: netpol-egress-rules
info:
name: Network policies define egress rules
author: princechaddha
severity: medium
description: Checks for network policies in Kubernetes that do not define egress rules, which can leave the network exposed to external threats.
impact: |
Lack of egress rules in network policies can result in unrestricted outbound network traffic, which may allow data exfiltration or unauthorized access to external services.
remediation: Define egress rules in all network policies to control outbound traffic from your Kubernetes pods, thereby reducing security risks.
reference:
- https://kubernetes.io/docs/concepts/services-networking/network-policies/
tags: cloud,devops,kubernetes,security,devsecops,network
flow: |
code(1);
for (let policy of template.items) {
set("policy", policy)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get networkpolicies --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[] | {policy: .metadata.name, egress: .spec.egress}'
javascript:
- code: |
let policyData = JSON.parse(template.policy);
if (!policyData.egress || policyData.egress.length === 0) {
let result = (`Network policy '${policyData.policy}' does not define egress rules.`);
Export(result);
}
extractors:
- type: dsl
dsl:
- response
# digest: 4b0a00483046022100adb84e8a912b21d2e2bfd1f9253aec9cc33b6feb9fe7ee538ee0057e61ef8bb9022100d26ff6d9a2ac5f662df09dbb322793b0f9402594c96c361189367f58586344bc:366f2a24c8eb519f6968bd8801c08ebe
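Review bot: the condition `!policyData.egress || policyData.egress.length === 0` flags the wrong thing: a NetworkPolicy only governs egress when `spec.policyTypes` contains `Egress`, and a policy with `policyTypes: [Egress]` and no `egress` entries is the default-deny-egress baseline this check should want to see, while a policy without `Egress` in `policyTypes` leaves outbound traffic unrestricted however many egress entries it lists. Suggest projecting `policyTypes` (and `namespace`, since the message `Network policy '${policyData.policy}'` is ambiguous without it) in the jq expression and reporting policies whose `policyTypes` lack `Egress`, or better, namespaces with no egress-type policy at all. The id `netpol-egress-rules` also breaks the `k8s-` prefix every other template in this commit uses.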

View File

@ -0,0 +1,48 @@
id: k8s-netpol-namespace
info:
name: Network Policies specify namespace
author: princechaddha
severity: medium
description: Checks for Kubernetes Network Policies that do not specify a namespace, which can lead to potential misconfigurations and security issues.
impact: |
Omitting the namespace in Network Policies can cause the policies to apply incorrectly, potentially exposing Kubernetes resources to unauthorized access. This poses a security risk by not isolating network traffic properly within the cluster.
remediation: |
Ensure that all Network Policies explicitly define a namespace to maintain proper network isolation and security boundaries.
reference:
- https://kubernetes.io/docs/concepts/services-networking/network-policies/
tags: cloud,devops,kubernetes,security,devsecops,networking
flow: |
code(1);
for (let policy of template.items) {
set("policy", policy)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get netpol --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[] | {policy: .metadata.name, namespace: .metadata.namespace}'
javascript:
- code: |
let policyData = JSON.parse(template.policy);
if (!policyData.namespace) {
let result = (`Network Policy '${policyData.policy}' does not specify a namespace.`);
Export(result);
}
extractors:
- type: dsl
dsl:
- response
# digest: 490a00463044022005edb8b78c4db40572f8297946636ce446d578c62f1ec7bf7f1621ed021f27c9022078555811953b55f080c0dc21ec6138fbd712b5069ca571e2492c5e7cc3172759:366f2a24c8eb519f6968bd8801c08ebe
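Review bot: the condition `if (!policyData.namespace)` can never be true on the output of `kubectl get netpol --all-namespaces --output=json`: NetworkPolicy is a namespaced resource, so the API server always stores `metadata.namespace` (a manifest that omits it lands in `default`), and this template will never report anything. If the intent is to catch policies applied without an explicit namespace, one workable proxy is `policyData.namespace === 'default'`, stated as such in the `description`; the claim that an omitted namespace makes the policy "apply incorrectly" does not match how the field behaves.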

View File

@ -1,21 +1,22 @@
id: k8s-network-ingress-rules
id: k8s-ingress-rules
info:
name: Network policies define ingress
name: Define network ingress rules
author: princechaddha
severity: medium
description: Ensures network policies define ingress rules to control traffic flow within the cluster, enhancing security.
description: Checks if Kubernetes network policies define specific ingress rules, which can help secure network communication within the cluster.
impact: |
Without defined ingress rules, network policies might allow unrestricted inbound traffic, potentially exposing the cluster to security threats. Properly defined ingress rules help mitigate this risk by restricting traffic flow.
remediation: Define ingress rules in network policies to restrict and control inbound traffic within the Kubernetes cluster.
Without specific ingress rules defined in network policies, unintended traffic may access pods within the Kubernetes cluster, increasing the risk of malicious activity.
remediation: |
Define specific ingress rules in all network policies to control the flow of inbound traffic to pods, ensuring only authorized traffic can access cluster resources.
reference:
- https://kubernetes.io/docs/concepts/services-networking/network-policies/
tags: cloud,devops,kubernetes,security,devsecops,networking
tags: cloud,devops,kubernetes,security,networking
flow: |
code(1);
for (let networkPolicy of template.items) {
set("networkPolicy", networkPolicy)
for (let policy of template.items) {
set("policy", policy)
javascript(1);
}
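Review bot: the `tags` line drops `devsecops` (`tags: cloud,devops,kubernetes,security,networking`) while every other template in this commit keeps it, so this file falls out of any `-tags devsecops` run; restore it unless the removal is deliberate. Renaming the id from `k8s-network-ingress-rules` to `k8s-ingress-rules` also changes the identifier that existing findings and exclusion lists reference, which is worth a line in the commit message.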
@ -30,13 +31,13 @@ code:
name: items
internal: true
json:
- '.items[]'
- '.items[] | {policy: .metadata.name, ingress: .spec.ingress}'
javascript:
- code: |
let networkPolicy = JSON.parse(template.networkPolicy);
if (!networkPolicy.spec.ingress || networkPolicy.spec.ingress.length === 0) {
let result = (`Network policy '${networkPolicy.metadata.name}' in namespace '${networkPolicy.metadata.namespace}' does not define any ingress rules.`);
let policyData = JSON.parse(template.policy);
if (!policyData.ingress || policyData.ingress.length === 0) {
let result = `Network policy '${policyData.policy}' does not define any ingress rules.`;
Export(result);
}
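Review bot: the new condition `!policyData.ingress || policyData.ingress.length === 0` reports the default-deny-ingress pattern (`policyTypes: [Ingress]` with no `ingress` entries) as a defect, which is the opposite of what an audit of network policy wants, and the new projection `{policy: .metadata.name, ingress: .spec.ingress}` throws away the namespace the old message (`in namespace '${networkPolicy.metadata.namespace}'`) reported. Suggest keeping `namespace` and `policyTypes` in the jq projection and reporting on `policyTypes` not containing `Ingress` instead.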
@ -44,4 +45,4 @@ javascript:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022100c53e3615f3c1dd115d8efd4e9415177289e366c07ee24d4694d19c882c77044102203ce3bd2c002e4ab82073e7c770d39298407a1c40246b5c657104d01b4f642f6a:366f2a24c8eb519f6968bd8801c08ebe
# digest: 4a0a004730450220506a30ff32ae7bcddc875449aabe33208c4437745e3f0ba016b3087a8d780fe2022100c1be39affffaa403e6022ded544a51e09ff5b41c4812601ee90848f89039ae3f:366f2a24c8eb519f6968bd8801c08ebe

View File

@ -1,55 +0,0 @@
id: k8s-ns-policy-set
info:
name: Network policies specify namespace
author: princechaddha
severity: medium
description: Checks for Kubernetes network policies that do not specify a namespace, potentially leading to misconfigurations and security risks.
impact: |
Failure to specify a namespace in network policies can cause the policies to not be enforced as expected, leading to potential security vulnerabilities where unauthorized traffic could be allowed.
remediation: |
Ensure that all network policies explicitly define the namespace they apply to. This helps in enforcing security boundaries and preventing cross-namespace traffic unless explicitly allowed.
reference:
- https://kubernetes.io/docs/concepts/services-networking/network-policies/
tags: cloud,devops,kubernetes,security,devsecops,networking
flow: |
code(1);
for (let policy of template.items) {
set("policy", policy)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get networkpolicies --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[] | {policy: .metadata.name, namespace: .metadata.namespace}'
javascript:
- code: |
if (template.items.length === 0) {
log(template.items.length)
Export('No network policies found. Ensure that network policies are defined and namespaces are specified.');
} else {
template.items.forEach(policy => {
let policyData = JSON.parse(policy);
if (!policyData.namespace) {
let result = (`Network Policy '${policyData.policy}' does not specify a namespace.`);
Export(result);
}
});
}
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a0047304502204f78530d043f4ee9c2844ef6ea271cdee74ef99154f17f43f120ff4cad1ff417022100dc262780f80d0e64648e5fa555c35032837ae0ecd21c274df318d593c2a1a626:366f2a24c8eb519f6968bd8801c08ebe
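Review bot: along with the stray `log(template.items.length)` debug call, this deletion removes the only branch that handled an empty result (`Export('No network policies found. ...')`); the namespace check that remains in this commit reports nothing on a cluster with no NetworkPolicy objects at all, which is the weaker posture. Note also that this `flow` set one `policy` per iteration and called `javascript(1)` each time, while the `javascript` block iterated `template.items` itself, so every finding was emitted once per policy; the replacement fixes that, but it deserves a mention in the commit message.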

View File

@ -34,7 +34,7 @@ code:
javascript:
- code: |
let podData = JSON.parse(template.container); // container is now a JSON object with 'pod' and 'containers'
let podData = JSON.parse(template.container);
podData.containers.forEach(container => {
if (container.securityContext && container.securityContext.allowPrivilegeEscalation === true) {
let result = (`Container '${container.name}' in pod '${podData.pod}' running with allowPrivilegeEscalation enabled.`);
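Review bot: the check `container.securityContext.allowPrivilegeEscalation === true` only fires when the field is explicitly set to `true`, but the kubelet leaves privilege escalation allowed whenever the field is unset, which is the common case, and the restricted Pod Security Standard requires it to be explicitly `false`. Suggest `!container.securityContext || container.securityContext.allowPrivilegeEscalation !== false` so that unset containers are reported too; removing the explanatory comment on `podData` is fine.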
@ -47,4 +47,4 @@ javascript:
- type: dsl
dsl:
- response
# digest: 490a00463044022022d7414cae87fa28332a6a123d954251d677ec6d3900d9695773585fa2659b1c02200c516a4fac6f46fc00bea745add53ff77b6f95557fceb66c8227ba2d1771ea45:366f2a24c8eb519f6968bd8801c08ebe
# digest: 490a0046304402202e23ef1e6b258a44e394494f51808bb7b81a856101efe5a929429a6fcde414d4022058eacd480cb3e4b61fe6a86674f1f218b53144a3e8fed02c20554c0a34ae00d1:366f2a24c8eb519f6968bd8801c08ebe

View File

@ -0,0 +1,40 @@
id: audit-log-path-set
info:
name: Ensure audit-log-path set
author: princechaddha
severity: medium
description: Checks if the audit-log-path argument is properly set in the Kubernetes API server configuration, which is essential for maintaining a reliable audit trail.
impact: |
Without the audit-log-path argument, Kubernetes does not record API server audit logs, reducing the visibility into operations and making it harder to detect and respond to malicious activities.
remediation: |
Configure the Kubernetes API server to include the audit-log-path argument pointing to a secure, writeable directory where audit logs will be stored. Ensure that this directory is properly secured and regularly monitored.
reference:
- https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
tags: cloud,devops,kubernetes,security,devsecops,api-server
self-contained: true
code:
- engine:
- sh
- bash
source: |
kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"
matchers-condition: and
matchers:
- type: word
words:
- 'kube-apiserver'
- type: word
words:
- "audit-log-path"
negative: true
extractors:
- type: dsl
dsl:
- "API server configuration is missing the audit-log-path argument."
# digest: 4c0a006730b50222003e5c33fedeeb5d9b8b9af1d43e89b7b8b97c51aa77c345d7f976f9350e22e746022
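Review bot: the `source` reads only `.spec.containers[*].command`, so a distribution that passes API server flags through `args` rather than `command` yields output that contains `kube-apiserver` but not `audit-log-path`, and the negative matcher reports a missing audit log on a correctly configured cluster; use `{.items[*].spec.containers[*].command} {.items[*].spec.containers[*].args}` or `-o json` with a jq projection over both. The `# digest:` line also appears truncated as shown here; confirm the committed file carries the full signature, since nuclei will not run the template otherwise.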

View File

@ -0,0 +1,38 @@
id: k8s-enc-prov-conf
info:
name: Ensure that encryption providers are configured
author: princechaddha
severity: medium
description: Checks if encryption providers are appropriately configured in Kubernetes, ensuring that data at rest is secured.
impact: |
Misconfigured encryption providers can lead to unsecured data at rest, potentially exposing sensitive information to unauthorized access.
remediation: |
Ensure that the encryption provider configuration file is set up correctly and referenced properly in the API server configuration. Encryption should be enabled and configured according to the security best practices.
reference:
- https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
tags: cloud,devops,kubernetes,security,devsecops,encryption
self-contained: true
code:
- engine:
- sh
- bash
source: |
kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"
matchers-condition: and
matchers:
- type: word
words:
- 'kube-apiserver'
- type: word
words:
- "--encryption-provider-config"
negative: true
extractors:
- type: dsl
dsl:
- "Encryption provider configuration is not appropriately set."
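Review bot: this file has no `# digest:` signature line, unlike the neighbouring templates, and nuclei does not execute unsigned `code` templates, so the check will be skipped silently. Separately, presence of `--encryption-provider-config` does not establish that secrets are encrypted: an EncryptionConfiguration whose first provider is `identity: {}` stores everything in plaintext, so the `description`'s "appropriately configured" promises more than the matcher verifies; state that only the flag's presence is checked, or follow up by reading the referenced file.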

View File

@ -0,0 +1,39 @@
id: k8s-etcd-cafile-set
info:
name: Ensure etcd-cafile argument set
author: princechaddha
severity: medium
description: Checks if the etcd-cafile argument is properly set in the etcd configuration, crucial for secure client connections to etcd.
impact: |
Without specifying the etcd-cafile argument, etcd might not establish secure and authenticated connections, leading to potential security breaches.
remediation: |
Configure etcd to use an etcd-cafile argument that points to a valid CA certificate bundle. This setting should be part of the etcd startup arguments or in its configuration file.
reference:
- https://etcd.io/docs/v3.5/op-guide/security/
tags: cloud,devops,kubernetes,security,devsecops,etcd
self-contained: true
code:
- engine:
- sh
- bash
source: |
kubectl get pods -n kube-system -l component=etcd -o jsonpath="{.items[*].spec.containers[*].command}"
matchers-condition: and
matchers:
- type: word
words:
- 'etcd'
- type: word
words:
- "etcd-cafile"
negative: true
extractors:
- type: dsl
dsl:
- "Etcd configuration is missing the etcd-cafile argument."
# digest: 490a004630440220707289eec6b2f08d1bc88620d1d58ff41c2f661a0956d079441ee324f9ae7591022003d8bd244a842d8ba73ac829f52bb4790ab780328b5f42299d826d12d5728039:366f2a24c8eb519f6968bd8801c08ebe
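Review bot: `etcd-cafile` is a kube-apiserver flag (`--etcd-cafile`, the CA the API server uses to verify etcd), not an etcd flag; the etcd binary takes `--trusted-ca-file` and `--client-cert-auth`, so the `source` querying `-l component=etcd` will never contain the word and the negative matcher fires on every cluster, including correctly configured ones. Either change the selector to `-l component=kube-apiserver` and keep `etcd-cafile`, or keep `component=etcd` and match `trusted-ca-file`; the `description` and `remediation` should say which side of the connection is being audited.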

View File

@ -0,0 +1,39 @@
id: k8s-etcd-files-set
info:
name: Ensure etcd cert and key set
author: princechaddha
severity: medium
description: Checks if the etcd-certfile and etcd-keyfile arguments are properly set in the etcd server configuration, crucial for secure communication.
impact: |
If the etcd-certfile and etcd-keyfile arguments are not set, the etcd server might not encrypt its communications, potentially allowing unauthorized access to sensitive data.
remediation: |
Configure the etcd server to use etcd-certfile and etcd-keyfile arguments that point to valid certificate and key files respectively. This ensures that communications to and from the etcd server are properly encrypted.
reference:
- https://etcd.io/docs/v3.4.0/op-guide/security/
tags: cloud,devops,kubernetes,security,devsecops,etcd
self-contained: true
code:
- engine:
- sh
- bash
source: |
kubectl get pods -n kube-system -l component=etcd -o jsonpath="{.items[*].spec.containers[*].command}"
matchers-condition: and
matchers:
- type: word
words:
- 'etcd'
- type: word
words:
- "etcd-certfile"
- "etcd-keyfile"
negative: true
extractors:
- type: dsl
dsl:
- "etcd server configuration is missing the etcd-certfile or etcd-keyfile arguments."
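Review bot: same flag mix-up as k8s-etcd-cafile-set: `etcd-certfile` and `etcd-keyfile` are kube-apiserver flags, while the etcd pod selected by `-l component=etcd` is started with `--cert-file` and `--key-file`, so this matcher will report every cluster. The second `word` matcher also needs `condition: and`: with the default `or`, `negative: true` only fires when both strings are absent, so a server missing just the key file passes even though the DSL message says "missing the etcd-certfile or etcd-keyfile arguments". There is no `# digest:` line either, so nuclei will skip the template as unsigned.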

View File

@ -0,0 +1,40 @@
id: k8s-ns-usage-check
info:
name: Ensure namespaces are utilized
author: princechaddha
severity: info
description: Checks if Kubernetes namespaces are actively used to separate resources, which is critical for resource organization and access control.
impact: |
Lack of namespaces usage can lead to disorganized resources and potentially flawed access controls, impacting security and management.
remediation: |
Implement and use namespaces to organize resources within the Kubernetes cluster effectively. Define access controls and resource quotas on a per-namespace basis.
reference:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
tags: cloud,devops,kubernetes,security,devsecops,namespaces
self-contained: true
code:
- engine:
- sh
- bash
source: |
kubectl get namespaces --output=json
matchers-condition: and
matchers:
- type: word
words:
- '"items":'
- type: word
words:
- '"Namespace"'
negative: true
extractors:
- type: dsl
dsl:
- "Kubernetes cluster is not utilizing namespaces."
# digest: 4b0a00483046022100a4752be32718d5e3bf67d19c2
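Review bot: the negative `"Namespace"` matcher can never fire, because `kubectl get namespaces --output=json` on any cluster lists the built-in namespaces (`default`, `kube-system`, `kube-public`, `kube-node-lease`) and each item carries `"kind": "Namespace"`; the template therefore never reports, and it does not measure what the `description` claims, namely whether workloads are separated into namespaces. A usable check would count namespaces beyond the built-in four, or list pods whose `metadata.namespace` is `default`, and report on that. The digest line also looks truncated as shown here; confirm the committed file carries the full signature.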

View File

@ -0,0 +1,38 @@
id: k8s-svc-acct-issuer-set
info:
name: Checks if service-account-issuer is correctly configured
author: princechaddha
severity: medium
description: Checks if the service-account-issuer argument is correctly configured in the API server, critical for issuing valid service tokens.
impact: |
If the service-account-issuer argument is not set, the API server may issue tokens that are not accepted by other services, leading to authentication failures.
remediation: |
Set the service-account-issuer argument to a valid issuer URL in the API server's startup arguments or configuration file. This ensures the tokens issued are trusted across services.
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
tags: cloud,devops,kubernetes,security,devsecops,api-server
self-contained: true
code:
- engine:
- sh
- bash
source: |
kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"
matchers-condition: and
matchers:
- type: word
words:
- 'kube-apiserver'
- type: word
words:
- "service-account-issuer"
negative: true
extractors:
- type: dsl
dsl:
- "API server configuration lacks the service-account-issuer argument."
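Review bot: no `# digest:` line, so nuclei will skip this unsigned `code` template; sign it like the siblings. The matcher also only tests presence of `service-account-issuer`, not that its value is the `https://` URL the referenced docs expect, so the `description`'s "correctly configured" overstates what is verified; either narrow the wording or extract the flag value with jsonpath and match on the scheme.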

View File

@ -0,0 +1,40 @@
id: k8s-svc-acct-key
info:
name: Ensure service-account-key-file set
author: princechaddha
severity: medium
description: Checks if the service-account-key-file argument is properly set in the API server configuration, which is critical for validating service account tokens.
impact: |
The absence of the service-account-key-file argument means that the API server might not perform robust authentication checks for service accounts, potentially allowing unauthorized access.
remediation: |
Configure the API server to use a service-account-key-file that points to a valid private key used to sign service account tokens. This setting should be part of the API server startup arguments or in its configuration file.
reference:
- https://kubernetes.io/docs/admin/kube-apiserver/
tags: cloud,devops,kubernetes,security,devsecops,api-server
self-contained: true
code:
- engine:
- sh
- bash
source: |
kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"
matchers-condition: and
matchers:
- type: word
words:
- 'kube-apiserver'
- type: word
words:
- "service-account-key-file"
negative: true
extractors:
- type: dsl
dsl:
- "API server configuration is missing the service-account-key-file argument."
# digest: 4a0a00473045022100e3dc33fefeeb5d3b9a9af3d43e89b7b7c97c50aa77b344d7e976f9340e22e7450220159e8da06b7ceb82c532bd1caeeeffba7c237c568a57988f1ada334a7c09fa83:366f2a24c8eb519f6968bd8801c08ebe
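Review bot: the `remediation` describes `--service-account-key-file` as "a valid private key used to sign service account tokens", but that flag supplies the key(s) used to verify tokens; signing is `--service-account-signing-key-file`, and when `--service-account-key-file` is unset the API server falls back to `--tls-private-key-file`, so an absent flag is a hardening gap rather than the broken authenticator the `impact` implies. The `# digest:` line is also byte-for-byte identical to the one in k8s-tls-config-set in this same commit; a signature covers the file content, so at least one of the two will fail verification and needs re-signing.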

View File

@ -0,0 +1,38 @@
id: k8s-svc-acct-lookup-set
info:
name: Ensure service-account-lookup set
author: princechaddha
severity: medium
description: Checks if the service-account-lookup argument is set to true in the API server configuration, which is essential for verifying service accounts against the stored secrets.
impact: |
Without the service-account-lookup argument set to true, the API server may not verify service accounts against stored secrets, potentially allowing unauthorized access.
remediation: |
Set the service-account-lookup argument to true in the API server's startup arguments or configuration file to ensure proper verification of service accounts.
reference:
- https://kubernetes.io/docs/admin/kube-apiserver/
tags: cloud,devops,kubernetes,security,devsecops,api-server
self-contained: true
code:
- engine:
- sh
- bash
source: |
kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"
matchers-condition: and
matchers:
- type: word
words:
- 'kube-apiserver'
- type: word
words:
- "service-account-lookup=true"
negative: true
extractors:
- type: dsl
dsl:
- "API server configuration is missing the 'service-account-lookup=true' argument."
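Review bot: `--service-account-lookup` defaults to `true`, so a cluster that never sets the flag is correctly configured yet this template reports it, because the negative matcher on `service-account-lookup=true` fires whenever that exact string is absent. Match positively on `service-account-lookup=false` instead (the only misconfiguration that exists) and drop `negative: true`. No `# digest:` line either, so nuclei will skip the template as unsigned.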

View File

@ -0,0 +1,41 @@
id: k8s-tls-config-set
info:
name: Ensure TLS config appropriately set
author: princechaddha
severity: medium
description: Checks if the tls-cert-file and tls-private-key-file arguments are properly set in the API server configuration, which is essential for secure communication.
impact: |
The absence of tls-cert-file and tls-private-key-file arguments means that the API server may not use TLS for secure communications, leading to potential security risks.
remediation: |
Configure the API server to use tls-cert-file and tls-private-key-file that point to a valid certificate and key file respectively. This setting should be part of the API server startup arguments or in its configuration file.
reference:
- https://kubernetes.io/docs/admin/kube-apiserver/
tags: cloud,devops,kubernetes,security,devsecops,api-server
self-contained: true
code:
- engine:
- sh
- bash
source: |
kubectl get pods -n kube-system -l component=kube-apiserver -o jsonpath="{.items[*].spec.containers[*].command}"
matchers-condition: and
matchers:
- type: word
words:
- 'kube-apiserver'
- type: word
words:
- "tls-cert-file"
- "tls-private-key-file"
negative: true
extractors:
- type: dsl
dsl:
- "API server configuration is missing the tls-cert-file or tls-private-key-file argument."
# digest: 4a0a00473045022100e3dc33fefeeb5d3b9a9af3d43e89b7b7c97c50aa77b344d7e976f9340e22e7450220159e8da06b7ceb82c532bd1caeeeffba7c237c568a57988f1ada334a7c09fa83:366f2a24c8eb519f6968bd8801c08ebe
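Review bot: the second `word` matcher lists `tls-cert-file` and `tls-private-key-file` with the default `or` condition, so `negative: true` fires only when both are absent and an API server missing just one of them passes, contradicting the message "missing the tls-cert-file or tls-private-key-file argument"; add `condition: and` to that matcher. The `# digest:` line is identical to the one in k8s-svc-acct-key above, so one of the two signatures is wrong and this file needs re-signing.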