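---
# kube-bench control definitions for the rh-1.0 benchmark, section 3
# ("Control Plane Configuration"). Every check below is `type: manual` and
# `scored: false`; the `audit` block scalars therefore hold reviewer guidance
# (presumably printed rather than executed for manual checks — confirm against
# the check runner). Lines starting with `#` inside an `audit: |` block are
# part of that text, not YAML comments.
controls:
version: rh-1.0
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
  # 3.1 — user authentication must be backed by an identity provider, and the
  # bootstrap kubeadmin secret should be absent once a real cluster-admin
  # user exists.
  - id: 3.1
    text: "Authentication and Authorization"
    checks:
      - id: 3.1.1
        text: "Client certificate authentication should not be used for users (Manual)"
        audit: |
          # To verify user authentication is enabled
          oc describe authentication
          # To verify that an identity provider is configured
          oc get identity
          # To verify that a custom cluster-admin user exists
          oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin | grep User
          # To verify that kubeadmin is removed, no results should be returned
          oc get secrets kubeadmin -n kube-system
        type: manual
        remediation: |
          Configure an identity provider for the OpenShift cluster.
          Understanding identity provider configuration | Authentication | OpenShift
          Container Platform 4.5. Once an identity provider has been defined,
          you can use RBAC to define and apply permissions.
          After you define an identity provider and create a new cluster-admin user,
          remove the kubeadmin user to improve cluster security.
        scored: false

  # 3.2 — audit logging on both API servers. Each check pairs a command for
  # kube-apiserver (namespace openshift-kube-apiserver) with the same command
  # for openshift-apiserver (namespace openshift-apiserver); the guidance
  # lines name which server each command inspects.
  - id: 3.2
    text: "Logging"
    checks:
      - id: 3.2.1
        text: "Ensure that a minimal audit policy is created (Manual)"
        audit: |
          #To view kube apiserver log files
          oc adm node-logs --role=master --path=kube-apiserver/
          #To view openshift apiserver log files
          oc adm node-logs --role=master --path=openshift-apiserver/
          #To verify kube apiserver audit config
          oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]'
          #To verify openshift apiserver audit config
          oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]'
        type: manual
        remediation: |
          No remediation required.
        scored: false

      - id: 3.2.2
        text: "Ensure that the audit policy covers key security concerns (Manual)"
        audit: |
          #To verify kube apiserver audit config
          oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]'
          #To verify openshift apiserver audit config
          oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]'
        type: manual
        remediation: |
          In OpenShift 4.6 and higher, if appropriate for your needs,
          modify the audit policy.
        scored: false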