2017-05-26 09:25:29 +00:00
|
|
|
---
|
|
|
|
controls:
|
|
|
|
id: 1
|
|
|
|
text: "Master Node Security Configuration"
|
|
|
|
type: "master"
|
|
|
|
groups:
|
|
|
|
- id: 1.1
|
|
|
|
text: "API Server"
|
|
|
|
checks:
|
|
|
|
- id: 1.1.1
|
|
|
|
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "allow-privileged"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: false
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/config file on the master node and set
|
|
|
|
the KUBE_ALLOW_PRIV parameter to \"--allow-privileged=false\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.2
|
|
|
|
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--anonymous-auth"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: false
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set
|
|
|
|
the KUBE_API_ARGS parameter to \"--anonymous-auth=false\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.3
|
|
|
|
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--basic-auth-file"
|
|
|
|
set: false
|
|
|
|
remediation: "Follow the documentation and configure alternate mechanisms for
|
|
|
|
authentication. Then, edit the $kubeConfDir/apiserver file on the master
|
|
|
|
node and remove the \"--basic-auth-file=<filename>\" argument from the
|
|
|
|
KUBE_API_ARGS parameter."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.4
|
|
|
|
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--insecure-allow-any-token"
|
|
|
|
set: false
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and remove
|
|
|
|
the --insecure-allow-any-token argument from the KUBE_API_ARGS parameter."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.5
|
|
|
|
text: "Ensure that the --kubelet-https argument is set to true (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--kubelet-https"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: true
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and remove
|
|
|
|
the --kubelet-https argument from the KUBE_API_ARGS parameter."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.6
|
|
|
|
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--insecure-bind-address"
|
|
|
|
set: false
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and remove
|
|
|
|
the --insecure-bind-address argument from the KUBE_API_ADDRESS parameter."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.7
|
|
|
|
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--insecure-port"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: 0
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set
|
|
|
|
--insecure-port=0 in the KUBE_API_PORT parameter."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.8
|
|
|
|
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
|
|
|
- flag: "--secure-port"
|
|
|
|
compare:
|
|
|
|
op: gt
|
|
|
|
value: 0
|
|
|
|
set: true
|
|
|
|
- flag: "--secure-port"
|
|
|
|
set: false
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and either
|
|
|
|
remove the --secure-port argument from the KUBE_API_ARGS parameter or set
|
|
|
|
it to a different desired port."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.9
|
|
|
|
text: "Ensure that the --profiling argument is set to false (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--profiling"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: false
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_API_ARGS parameter to \"--profiling=false\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.10
|
|
|
|
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--repair-malformed-updates"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: false
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_API_ARGS parameter to \"--repair-malformed-updates=false\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.11
|
|
|
|
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--admission-control"
|
|
|
|
compare:
|
|
|
|
op: nothave
|
|
|
|
value: AlwaysAdmit
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_ADMISSION_CONTROL parameter to a value that does not include AlwaysAdmit"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.12
|
|
|
|
text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--admission-control"
|
|
|
|
compare:
|
|
|
|
op: has
|
|
|
|
value: "AlwaysPullImages"
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,AlwaysPullImages,...\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.13
|
|
|
|
text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--admission-control"
|
|
|
|
compare:
|
|
|
|
op: has
|
|
|
|
value: "DenyEscalatingExec"
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,DenyEscalatingExec,...\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.14
|
|
|
|
text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--admission-control"
|
|
|
|
compare:
|
|
|
|
op: has
|
|
|
|
value: "SecurityContextDeny"
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,SecurityContextDeny,...\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.15
|
|
|
|
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "admission-control"
|
|
|
|
compare:
|
|
|
|
op: has
|
|
|
|
value: "NamespaceLifecycle"
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=NamespaceLifecycle,...\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.16
|
|
|
|
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--audit-log-path"
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_API_ARGS parameter to \"--audit-log-path=<filename>\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.17
|
|
|
|
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--audit-log-maxage"
|
|
|
|
compare:
|
|
|
|
op: gte
|
|
|
|
value: 30
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_API_ARGS parameter to \"--audit-log-maxage=30\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.18
|
|
|
|
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--audit-log-maxbackup"
|
|
|
|
compare:
|
|
|
|
op: gte
|
|
|
|
value: 10
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_API_ARGS parameter to \"--audit-log-maxbackup=10\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.19
|
|
|
|
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--audit-log-maxsize"
|
|
|
|
compare:
|
|
|
|
op: gte
|
|
|
|
value: 100
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_API_ARGS parameter to \"--audit-log-maxsize=100\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.20
|
|
|
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--authorization-mode"
|
|
|
|
compare:
|
|
|
|
op: nothave
|
|
|
|
value: "AlwaysAllow"
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_API_ARGS parameter to values other than \"--authorization-mode=AlwaysAllow\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.21
|
|
|
|
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--token-auth-file"
|
|
|
|
set: false
|
|
|
|
remediation: "Follow the documentation and configure alternate mechanisms for authentication.
|
|
|
|
Then, edit the $kubeConfDir/apiserver file on the master node and remove the
|
|
|
|
\"--tokenauth-file=<filename>\" argument from the KUBE_API_ARGS parameter."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.22
|
|
|
|
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--kubelet-certificate-authority"
|
|
|
|
set: true
|
|
|
|
remediation: "Follow the Kubernetes documentation and setup the TLS connection between
|
|
|
|
the apiserver and kubelets. Then, edit the $kubeConfDir/apiserver file on the
|
|
|
|
master node and set the KUBE_API_ARGS parameter to
|
|
|
|
\"--kubelet-certificate-authority=<ca-string>\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.23
|
|
|
|
text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
bin_op: and
|
|
|
|
test_items:
|
|
|
|
- flag: "--kubelet-client-certificate"
|
|
|
|
set: true
|
|
|
|
- flag: "--kubelet-client-key"
|
|
|
|
set: true
|
|
|
|
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
|
|
|
|
and kubelets. Then, edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_API_ARGS parameter to \"--kubelet-clientcertificate=<path/to/client-certificate-file>\"
|
|
|
|
and \"--kubelet-clientkey=<path/to/client-key-file>\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.24
|
|
|
|
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--service-account-lookup"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: true
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the KUBE_API_ARGS parameter
|
|
|
|
to \"--service-account-lookup=true\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.25
|
|
|
|
text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--admission-control"
|
|
|
|
compare:
|
|
|
|
op: has
|
|
|
|
value: "PodSecurityPolicy"
|
|
|
|
set: true
|
|
|
|
remediation: "Follow the documentation and create Pod Security Policy objects as per your environment.
|
|
|
|
Then, edit the $kubeConfDir/apiserver file on the master node and set the KUBE_ADMISSION_CONTROL
|
|
|
|
parameter to \"--admission-control=...,PodSecurityPolicy,...\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.26
|
|
|
|
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--service-account-key-file"
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/apiserver file on the master node and set the KUBE_API_ARGS
|
|
|
|
parameter to \"--service-account-key-file=<filename>\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.27
|
|
|
|
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
bin_op: and
|
|
|
|
test_items:
|
|
|
|
- flag: "--etcd-certfile"
|
|
|
|
set: true
|
|
|
|
- flag: "--etcd-keyfile"
|
|
|
|
set: true
|
|
|
|
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
|
|
|
|
and etcd. Then, edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_API_ARGS parameter to include \"--etcd-certfile=<path/to/clientcertificate-file>\"
|
|
|
|
and \"--etcd-keyfile=<path/to/client-key-file>\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.28
|
|
|
|
text: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--admission-control"
|
|
|
|
compare:
|
|
|
|
op: has
|
|
|
|
value: "ServiceAccount"
|
|
|
|
set: true
|
|
|
|
remediation: "Follow the documentation and create ServiceAccount objects as per your environment.
|
|
|
|
Then, edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_ADMISSION_CONTROL parameter to \"--admissioncontrol=...,ServiceAccount,...\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.29
|
|
|
|
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
bin_op: and
|
|
|
|
test_items:
|
|
|
|
- flag: "--tls-cert-file"
|
|
|
|
set: true
|
|
|
|
- flag: "--tls-private-key-file"
|
|
|
|
set: true
|
|
|
|
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
|
|
|
|
Then, edit the $kubeConfDir/apiserver file on the master node and set the KUBE_API_ARGS parameter to
|
|
|
|
include \"--tls-cert-file=<path/to/tls-certificatefile>\" and
|
|
|
|
\"--tls-private-key-file=<path/to/tls-key-file>\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.30
|
|
|
|
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--client-ca-file"
|
|
|
|
set: true
|
|
|
|
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
|
|
|
|
Then, edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_API_ARGS parameter to include \"--client-ca-file=<path/to/client-ca-file>\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.1.31
|
|
|
|
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--etcd-cafile"
|
|
|
|
set: true
|
|
|
|
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
|
|
|
|
and etcd. Then, edit the $kubeConfDir/apiserver file on the master node and set the
|
|
|
|
KUBE_API_ARGS parameter to include \"--etcd-cafile=<path/to/ca-file>\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.2
|
|
|
|
text: "Scheduler"
|
|
|
|
checks:
|
|
|
|
- id: 1.2.1
|
|
|
|
text: "Ensure that the --profiling argument is set to false (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-scheduler | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--profiling"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: false
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/scheduler file on the master node and set the KUBE_SCHEDULER_ARGS
|
|
|
|
parameter to \"--profiling=false\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.3
|
|
|
|
text: "Controller Manager"
|
|
|
|
checks:
|
|
|
|
- id: 1.3.1
|
|
|
|
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--terminated-pod-gc-threshold"
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and set the
|
|
|
|
KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--terminated-pod-gcthreshold=<appropriate-number>\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.3.2
|
|
|
|
text: "Ensure that the --profiling argument is set to false (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--profiling"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: false
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and set the
|
|
|
|
KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--profiling=false\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.3.3
|
|
|
|
text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--insecure-experimental-approve-all-kubelet-csrs-for-group"
|
|
|
|
set: false
|
|
|
|
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and remove
|
|
|
|
the -insecure-experimental-approve-all-kubelet-csrs-for-group argument from the
|
|
|
|
KUBE_CONTROLLER_MANAGER_ARGS parameter"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.3.4
|
|
|
|
text: "Ensure that the --use-service-account-credentials argument is set"
|
|
|
|
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--use-service-account-credentials"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: true
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and set the
|
|
|
|
KUBE_CONTROLLER_MANAGER_ARGS parameter to --use-service-account-credentials=true"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.3.5
|
|
|
|
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--service-account-private-key-file"
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and set the
|
|
|
|
KUBE_CONTROLLER_MANAGER_ARGS parameter to --service-account-private-keyfile=<filename>"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.3.6
|
|
|
|
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep kube-controller-manager | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--root-ca-file"
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the $kubeConfDir/controller-manager file on the master node and set the
|
|
|
|
KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.4
|
|
|
|
text: "Configure Files"
|
|
|
|
checks:
|
|
|
|
- id: 1.4.1
|
|
|
|
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
2017-06-19 20:17:19 +00:00
|
|
|
audit: "if test -e $kubeConfDir/apiserver; then stat -c %a $kubeConfDir/apiserver; fi"
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "644"
|
|
|
|
set: true
|
|
|
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
|
|
|
\nFor example, chmod 644 $kubeConfDir/apiserver"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.4.2
|
|
|
|
text: "Ensure that the apiserver file ownership is set to root:root (Scored)"
|
2017-06-19 20:17:19 +00:00
|
|
|
audit: "if test -e $kubeConfDir/apiserver; then stat -c %U:%G $kubeConfDir/apiserver; fi"
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "root:root"
|
|
|
|
set: true
|
|
|
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
|
|
|
\nFor example, chown root:root $kubeConfDir/apiserver"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.4.3
|
|
|
|
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
2017-06-19 20:17:19 +00:00
|
|
|
audit: "if test -e $kubeConfDir/config; then stat -c %a $kubeConfDir/config; fi"
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "644"
|
|
|
|
set: true
|
|
|
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
|
|
|
\nFor example, chmod 644 $kubeConfDir/config"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.4.4
|
|
|
|
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
2017-06-19 20:17:19 +00:00
|
|
|
audit: "if test -e $kubeConfDir/config; then stat -c %U:%G $kubeConfDir/config; fi"
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "root:root"
|
|
|
|
set: true
|
|
|
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
|
|
|
\nFor example, chown root:root $kubeConfDir/config"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.4.5
|
|
|
|
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
|
2017-06-19 20:17:19 +00:00
|
|
|
audit: "if test -e $kubeConfDir/scheduler; then stat -c %a $kubeConfDir/scheduler; fi"
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "644"
|
|
|
|
set: true
|
|
|
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
|
|
|
\nFor example, chmod 644 $kubeConfDir/scheduler"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.4.6
|
|
|
|
text: "Ensure that the scheduler file ownership is set to root:root (Scored)"
|
2017-06-19 20:17:19 +00:00
|
|
|
audit: "if test -e $kubeConfDir/scheduler; then stat -c %U:%G $kubeConfDir/scheduler; fi"
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "root:root"
|
|
|
|
set: true
|
|
|
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
|
|
|
\nFor example, chown root:root $kubeConfDir/scheduler"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.4.7
|
|
|
|
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
|
2017-06-19 20:17:19 +00:00
|
|
|
audit: "if test -e $etcdConfDir/etcd.conf; then stat -c %a $etcdConfDir/etcd.conf; fi"
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "644"
|
|
|
|
set: true
|
|
|
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
|
|
|
\nFor example, chmod 644 $etcdConfDir/etcd.conf"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.4.8
|
|
|
|
text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
|
2017-06-19 20:17:19 +00:00
|
|
|
audit: "if test -e $etcdConfDir/kubelet; then stat -c %U:%G $etcdConfDir/etcd.conf; fi"
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "root:root"
|
|
|
|
set: true
|
|
|
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
|
|
|
\nFor example, chown root:root $etcdConfDir/etcd.conf"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.4.9
|
|
|
|
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
|
2017-06-19 20:17:19 +00:00
|
|
|
audit: "if test -e /etc/sysconfig/flanneld; then stat -c %a /etc/sysconfig/flanneld; fi"
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "644"
|
|
|
|
set: true
|
|
|
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
|
|
|
\nFor example, chmod 644 /etc/sysconfig/flanneld"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.4.10
|
|
|
|
text: "Ensure that the flanneld file ownership is set to root:root (Scored)"
|
2017-06-19 20:17:19 +00:00
|
|
|
audit: "if test -e /etc/sysconfig/flanneld; then stat -c %U:%G /etc/sysconfig/flanneld; fi"
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "root:root"
|
|
|
|
set: true
|
|
|
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
|
|
|
\nFor example, chown root:root /etc/sysconfig/flanneld"
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
# TODO: Resolve issue get pipeline to work.
|
|
|
|
# - id: 1.4.11
|
|
|
|
# - text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
|
|
|
# - audit: "ps -ef | grep etcd | grep -v grep | sed 's,.*--data-dir=\\(.*\\)\\s.*,\\1,' | xargs stat -c %a"
|
|
|
|
# - tests:
|
|
|
|
# - test_items:
|
|
|
|
# - - flag: "700"
|
|
|
|
# - set: true
|
|
|
|
# - remediation: ""
|
|
|
|
# - scored: true
|
|
|
|
|
|
|
|
- id: 1.5
|
|
|
|
text: "etcd"
|
|
|
|
checks:
|
|
|
|
- id: 1.5.1
|
|
|
|
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep etcd | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--cert-file"
|
|
|
|
set: true
|
|
|
|
- flag: "--key-file"
|
|
|
|
set: true
|
|
|
|
remediation: "Follow the etcd service documentation and configure TLS encryption."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.5.2
|
|
|
|
text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
|
|
|
|
audit: "ps -ef | grep etcd | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--client-cert-auth"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: true
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the etcd envrironment file (for example, $etcdConfDir/etcd.conf) on the
|
|
|
|
etcd server node and set the ETCD_CLIENT_CERT_AUTH parameter to \"true\".
|
|
|
|
Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service)
|
|
|
|
and configure the startup parameter for --clientcert-auth and set it to \"${ETCD_CLIENT_CERT_AUTH}\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.5.3
|
|
|
|
text: "Ensure that the --auto-tls argument is not set to true (Scored)"
|
|
|
|
audit: "ps -ef | grep etcd | grep -v grep"
|
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
|
|
|
- flag: "--auto-tls"
|
|
|
|
set: false
|
|
|
|
- flag: "--auto-tls"
|
|
|
|
compare:
|
|
|
|
op: neq
|
|
|
|
value: true
|
|
|
|
remediation: "Edit the etcd environment file (for example, $etcdConfDir/etcd.conf) on the etcd server
|
|
|
|
node and comment out the ETCD_AUTO_TLS parameter. Edit the etcd startup file (for example,
|
|
|
|
/etc/systemd/system/multiuser.target.wants/etcd.service) and remove the startup parameter
|
|
|
|
for --auto-tls."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.5.4
|
|
|
|
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep etcd | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--peer-cert-file"
|
|
|
|
set: true
|
|
|
|
- flag: "--peer-key-file"
|
|
|
|
set: true
|
|
|
|
remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only
|
|
|
|
one etcd server in your environment then this recommendation is not applicable.
|
|
|
|
Follow the etcd service documentation and configure peer TLS encryption as appropriate for
|
|
|
|
your etcd cluster."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.5.5
|
|
|
|
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
|
|
|
|
audit: "ps -ef | grep etcd | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--peer-client-cert-auth"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: true
|
|
|
|
set: true
|
|
|
|
remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only
|
|
|
|
one etcd server in your environment then this recommendation is not applicable.
|
|
|
|
Edit the etcd environment file (for example, $etcdConfDir/etcd.conf) on the etcd server node
|
|
|
|
and set the ETCD_PEER_CLIENT_CERT_AUTH parameter to \"true\". Edit the etcd startup file
|
|
|
|
(for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the
|
|
|
|
startup parameter for --peer-client-cert-auth and set it to \"${ETCD_PEER_CLIENT_CERT_AUTH}\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.5.6
|
|
|
|
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
|
|
|
|
audit: "ps -ef | grep etcd | grep -v grep"
|
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
|
|
|
- flag: "--peer-auto-tls"
|
|
|
|
set: false
|
|
|
|
- flag: "--peer-auto-tls"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: false
|
|
|
|
set: true
|
|
|
|
remediation: "Note: This recommendation is applicable only for etcd clusters.
|
|
|
|
If you are using only one etcd server in your environment then this recommendation is
|
|
|
|
not applicable. Edit the etcd environment file (for example, $etcdConfDir/etcd.conf)
|
|
|
|
on the etcd server node and comment out the ETCD_PEER_AUTO_TLS parameter.
|
|
|
|
Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service)
|
|
|
|
and remove the startup parameter for --peer-auto-tls."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.5.7
|
|
|
|
text: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
|
|
|
|
audit: "ps -ef | grep etcd | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--wal-dir"
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the etcd environment file (for example, $etcdConfDir/etcd.conf) on the etcd server node
|
|
|
|
and set the ETCD_WAL_DIR parameter as appropriate. Edit the etcd startup file (for example,
|
|
|
|
/etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for
|
|
|
|
--wal-dir and set it to \"${ETCD_WAL_DIR}\""
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.5.8
|
|
|
|
text: "Ensure that the --max-wals argument is set to 0 (Scored)"
|
|
|
|
audit: "ps -ef | grep etcd | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--max-wals"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: 0
|
|
|
|
set: true
|
|
|
|
remediation: "Edit the etcd environment file (for example, $etcdConfDir/etcd.conf) on the etcd server node
|
|
|
|
and set the ETCD_MAX_WALS parameter to 0. Edit the etcd startup file (for example,
|
|
|
|
/etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter
|
|
|
|
for --max-wals and set it to \"${ETCD_MAX_WALS}\"."
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
- id: 1.5.9
|
|
|
|
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
|
|
|
|
audit: "ps -ef | grep etcd | grep -v grep"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--trusted-ca-file"
|
|
|
|
set: true
|
|
|
|
remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the
|
|
|
|
etcd service."
|
|
|
|
scored: false
|