kube-bench/integration/testdata/cis-1.3/job-node.data

[INFO] 2 Worker Node Security Configuration
[INFO] 2.1 Kubelet
[FAIL] 2.1.1 Ensure that the --allow-privileged argument is set to false (Scored)
[PASS] 2.1.2 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 2.1.3 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[PASS] 2.1.4 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[FAIL] 2.1.5 Ensure that the --read-only-port argument is set to 0 (Scored)
[PASS] 2.1.6 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
[FAIL] 2.1.7 Ensure that the --protect-kernel-defaults argument is set to true (Scored)
[PASS] 2.1.8 Ensure that the --make-iptables-util-chains argument is set to true (Scored)
[PASS] 2.1.9 Ensure that the --hostname-override argument is not set (Scored)
[FAIL] 2.1.10 Ensure that the --event-qps argument is set to 0 (Scored)
[FAIL] 2.1.11 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[PASS] 2.1.12 Ensure that the --cadvisor-port argument is set to 0 (Scored)
[PASS] 2.1.13 Ensure that the --rotate-certificates argument is not set to false (Scored)
[FAIL] 2.1.14 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
[WARN] 2.1.15 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
[INFO] 2.2 Configuration Files
[PASS] 2.2.1 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.2 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
[PASS] 2.2.3 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
[FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
[FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)

== Remediations ==
2.1.1 Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

2.1.5 If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

2.1.7 If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

2.1.10 If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

2.1.11 If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
corresponding private key file.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

2.1.14 Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

2.1.15 If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256

2.2.5 Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 /etc/kubernetes/proxy.conf

2.2.6 Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root /etc/kubernetes/proxy.conf

2.2.7 Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>


== Summary ==
15 checks PASS
8 checks FAIL
2 checks WARN
0 checks INFO
Add warn reason (#547) * Update check.go Added new warn_reason value which gives a brief explanation about why the not scored tests failed * Update common.go Changed when a not scored test fails because it has a wrong syntax audit command or just running something that can't be run the print the failure. but if the test just fails because it doesn't line up with the cis hardening recommendations then print the remediation text. * Update check/check.go fix typo Co-Authored-By: Liz Rice <liz@lizrice.com> * Update check.go * Update common.go * Update check.go added back os.Exit(1) to exitWithError * Update job-master.data Change some tests output to fit warn reason. (No change to the summary) * Update job-node.data Changed some tests output to fit warn reason. (No change to the summary) * Update job.data Change some tests output to fit warn reason. (No change to the summary) * Update common.go Keep to old way to print manual test output Co-authored-by: Liz Rice <liz@lizrice.com> Co-authored-by: Roberto Rojas <robertojrojas@gmail.com> 2020-03-05 12:20:26 +00:00			`[INFO] 2 Worker Node Security Configuration`
Fixes issue #439: Adds integration testing using KIND (#520) * Fixes issue #439: Adds integration testing using KIND * try integration tests * started using ticker and timeouts * trying built container image * adds load image into KIND * adds comparison * fixes as per PR review 2019-11-16 14:39:47 +00:00			`[INFO] 2.1 Kubelet`
Add integration tests for cis 1.3 and cis 1.5 (#609) * Remove unnecessary whitespaces * Fix a typo * Add integration tests for cis 1.3 and cis 1.5 * Change the timeout of integration tests from 600s to 1200s * Avoid repeated codes 2020-05-20 17:30:52 +00:00			`[FAIL] 2.1.1 Ensure that the --allow-privileged argument is set to false (Scored)`
			`[PASS] 2.1.2 Ensure that the --anonymous-auth argument is set to false (Scored)`
			`[PASS] 2.1.3 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)`
			`[PASS] 2.1.4 Ensure that the --client-ca-file argument is set as appropriate (Scored)`
			`[FAIL] 2.1.5 Ensure that the --read-only-port argument is set to 0 (Scored)`
			`[PASS] 2.1.6 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)`
			`[FAIL] 2.1.7 Ensure that the --protect-kernel-defaults argument is set to true (Scored)`
			`[PASS] 2.1.8 Ensure that the --make-iptables-util-chains argument is set to true (Scored)`
			`[PASS] 2.1.9 Ensure that the --hostname-override argument is not set (Scored)`
			`[FAIL] 2.1.10 Ensure that the --event-qps argument is set to 0 (Scored)`
			`[FAIL] 2.1.11 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)`
			`[PASS] 2.1.12 Ensure that the --cadvisor-port argument is set to 0 (Scored)`
			`[PASS] 2.1.13 Ensure that the --rotate-certificates argument is not set to false (Scored)`
			`[FAIL] 2.1.14 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)`
			`[WARN] 2.1.15 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)`
Fixes issue #439: Adds integration testing using KIND (#520) * Fixes issue #439: Adds integration testing using KIND * try integration tests * started using ticker and timeouts * trying built container image * adds load image into KIND * adds comparison * fixes as per PR review 2019-11-16 14:39:47 +00:00			`[INFO] 2.2 Configuration Files`
			`[PASS] 2.2.1 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)`
			`[PASS] 2.2.2 Ensure that the kubelet.conf file ownership is set to root:root (Scored)`
			`[PASS] 2.2.3 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)`
			`[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)`
			`[FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)`
			`[FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)`
Add integration tests for cis 1.3 and cis 1.5 (#609) * Remove unnecessary whitespaces * Fix a typo * Add integration tests for cis 1.3 and cis 1.5 * Change the timeout of integration tests from 600s to 1200s * Avoid repeated codes 2020-05-20 17:30:52 +00:00			`[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)`
Fixes issue #439: Adds integration testing using KIND (#520) * Fixes issue #439: Adds integration testing using KIND * try integration tests * started using ticker and timeouts * trying built container image * adds load image into KIND * adds comparison * fixes as per PR review 2019-11-16 14:39:47 +00:00			`[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)`
			`[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)`
			`[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)`

			`== Remediations ==`
Add integration tests for cis 1.3 and cis 1.5 (#609) * Remove unnecessary whitespaces * Fix a typo * Add integration tests for cis 1.3 and cis 1.5 * Change the timeout of integration tests from 600s to 1200s * Avoid repeated codes 2020-05-20 17:30:52 +00:00			`2.1.1 Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`
			`on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.`
			`--allow-privileged=false`
			`Based on your system, restart the kubelet service. For example:`
			`systemctl daemon-reload`
			`systemctl restart kubelet.service`

			`2.1.5 If using a Kubelet config file, edit the file to set readOnlyPort to 0 .`
Fixes issue #439: Adds integration testing using KIND (#520) * Fixes issue #439: Adds integration testing using KIND * try integration tests * started using ticker and timeouts * trying built container image * adds load image into KIND * adds comparison * fixes as per PR review 2019-11-16 14:39:47 +00:00			`If using command line arguments, edit the kubelet service file`
			`/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and`
			`set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.`
			`--read-only-port=0`
			`Based on your system, restart the kubelet service. For example:`
			`systemctl daemon-reload`
			`systemctl restart kubelet.service`

Add integration tests for cis 1.3 and cis 1.5 (#609) * Remove unnecessary whitespaces * Fix a typo * Add integration tests for cis 1.3 and cis 1.5 * Change the timeout of integration tests from 600s to 1200s * Avoid repeated codes 2020-05-20 17:30:52 +00:00			`2.1.7 If using a Kubelet config file, edit the file to set protectKernelDefaults: true .`
Fixes issue #439: Adds integration testing using KIND (#520) * Fixes issue #439: Adds integration testing using KIND * try integration tests * started using ticker and timeouts * trying built container image * adds load image into KIND * adds comparison * fixes as per PR review 2019-11-16 14:39:47 +00:00			`If using command line arguments, edit the kubelet service file`
			`/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and`
			`set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.`
			`--protect-kernel-defaults=true`
			`Based on your system, restart the kubelet service. For example:`
			`systemctl daemon-reload`
			`systemctl restart kubelet.service`

Add integration tests for cis 1.3 and cis 1.5 (#609) * Remove unnecessary whitespaces * Fix a typo * Add integration tests for cis 1.3 and cis 1.5 * Change the timeout of integration tests from 600s to 1200s * Avoid repeated codes 2020-05-20 17:30:52 +00:00			`2.1.10 If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .`
Fixes issue #439: Adds integration testing using KIND (#520) * Fixes issue #439: Adds integration testing using KIND * try integration tests * started using ticker and timeouts * trying built container image * adds load image into KIND * adds comparison * fixes as per PR review 2019-11-16 14:39:47 +00:00			`If using command line arguments, edit the kubelet service file`
			`/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and`
			`set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.`
			`--event-qps=0`
			`Based on your system, restart the kubelet service. For example:`
			`systemctl daemon-reload`
			`systemctl restart kubelet.service`

Add integration tests for cis 1.3 and cis 1.5 (#609) * Remove unnecessary whitespaces * Fix a typo * Add integration tests for cis 1.3 and cis 1.5 * Change the timeout of integration tests from 600s to 1200s * Avoid repeated codes 2020-05-20 17:30:52 +00:00			`2.1.11 If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate`
Fixes issue #439: Adds integration testing using KIND (#520) * Fixes issue #439: Adds integration testing using KIND * try integration tests * started using ticker and timeouts * trying built container image * adds load image into KIND * adds comparison * fixes as per PR review 2019-11-16 14:39:47 +00:00			`file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the`
			`corresponding private key file.`
			`If using command line arguments, edit the kubelet service file`
			`/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and`
			`set the below parameters in KUBELET_CERTIFICATE_ARGS variable.`
			`--tls-cert-file=<path/to/tls-certificate-file>`
			`file=<path/to/tls-key-file>`
			`Based on your system, restart the kubelet service. For example:`
			`systemctl daemon-reload`
			`systemctl restart kubelet.service`

Add integration tests for cis 1.3 and cis 1.5 (#609) * Remove unnecessary whitespaces * Fix a typo * Add integration tests for cis 1.3 and cis 1.5 * Change the timeout of integration tests from 600s to 1200s * Avoid repeated codes 2020-05-20 17:30:52 +00:00			`2.1.14 Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`
Fixes issue #439: Adds integration testing using KIND (#520) * Fixes issue #439: Adds integration testing using KIND * try integration tests * started using ticker and timeouts * trying built container image * adds load image into KIND * adds comparison * fixes as per PR review 2019-11-16 14:39:47 +00:00			`on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.`
			`--feature-gates=RotateKubeletServerCertificate=true`
			`Based on your system, restart the kubelet service. For example:`
			`systemctl daemon-reload`
			`systemctl restart kubelet.service`

Add integration tests for cis 1.3 and cis 1.5 (#609) * Remove unnecessary whitespaces * Fix a typo * Add integration tests for cis 1.3 and cis 1.5 * Change the timeout of integration tests from 600s to 1200s * Avoid repeated codes 2020-05-20 17:30:52 +00:00			`2.1.15 If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256`
			`If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter.`
			`--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256`

Fixes issue #439: Adds integration testing using KIND (#520) * Fixes issue #439: Adds integration testing using KIND * try integration tests * started using ticker and timeouts * trying built container image * adds load image into KIND * adds comparison * fixes as per PR review 2019-11-16 14:39:47 +00:00			`2.2.5 Run the below command (based on the file location on your system) on the each worker`
			`node. For example,`
			`chmod 644 /etc/kubernetes/proxy.conf`

			`2.2.6 Run the below command (based on the file location on your system) on the each worker`
			`node. For example,`
			`chown root:root /etc/kubernetes/proxy.conf`

Add integration tests for cis 1.3 and cis 1.5 (#609) * Remove unnecessary whitespaces * Fix a typo * Add integration tests for cis 1.3 and cis 1.5 * Change the timeout of integration tests from 600s to 1200s * Avoid repeated codes 2020-05-20 17:30:52 +00:00			`2.2.7 Run the following command to modify the file permissions of the --client-ca-file`
			`chmod 644 <filename>`

Fixes issue #439: Adds integration testing using KIND (#520) * Fixes issue #439: Adds integration testing using KIND * try integration tests * started using ticker and timeouts * trying built container image * adds load image into KIND * adds comparison * fixes as per PR review 2019-11-16 14:39:47 +00:00
			`== Summary ==`
Add integration tests for cis 1.3 and cis 1.5 (#609) * Remove unnecessary whitespaces * Fix a typo * Add integration tests for cis 1.3 and cis 1.5 * Change the timeout of integration tests from 600s to 1200s * Avoid repeated codes 2020-05-20 17:30:52 +00:00			`15 checks PASS`
			`8 checks FAIL`
			`2 checks WARN`
			`0 checks INFO`