diff --git a/cfg/cis-1.3/master.yaml b/cfg/cis-1.3/master.yaml index 45f64b4..b17e5c3 100644 --- a/cfg/cis-1.3/master.yaml +++ b/cfg/cis-1.3/master.yaml @@ -857,6 +857,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -902,6 +922,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -947,6 +987,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -992,6 +1052,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
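Review bot: The new `flag: "000"` / `value: "000"` item will never match if the audit for these checks reads the mode with `stat -c %a` (the audit line is outside every hunk here), because `%a` prints a 000 mode as `0`, not `000`; either change that item to `flag: "0"` / `value: "0"` or confirm the audit zero-pads the mode. The same item is added in every hunk of this diff (cis-1.3, cis-1.4, cis-1.5 and rh-0.7, master and node), so the fix applies to all of them. Enumerating exact modes with `op: eq` under `bin_op: or` also still rejects modes that are strictly more restrictive than 644 but not in the list (for example `604`), so if this version of the checker supports the `bitmask` compare op, a single `op: bitmask` / `value: "644"` item would express "644 or more restrictive" without a growing list. Worth confirming as well that accepting `000` is intended, since a config file the component itself can no longer read would then pass the check.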
@@ -1094,6 +1174,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -1138,6 +1238,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/scheduler.conf @@ -1180,6 +1300,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf diff --git a/cfg/cis-1.3/node.yaml b/cfg/cis-1.3/node.yaml index 813e86f..4928416 100644 --- a/cfg/cis-1.3/node.yaml +++ b/cfg/cis-1.3/node.yaml 
@@ -362,20 +362,40 @@ groups: tests: test_items: - flag: "644" - set: true compare: op: eq value: "644" - - flag: "640" set: true + - flag: "640" compare: op: eq value: "640" - - flag: "600" set: true + - flag: "600" compare: op: eq value: "600" + set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the below command (based on the file location on your system) on the each worker @@ -405,20 +425,40 @@ groups: tests: test_items: - flag: "644" - set: true compare: op: eq value: "644" - - flag: "640" set: true + - flag: "640" compare: op: eq value: "640" - - flag: "600" set: true + - flag: "600" compare: op: eq value: "600" + set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the below command (based on the file location on your system) on the each worker @@ -445,20 +485,40 @@ groups: tests: test_items: - flag: "644" - set: true compare: op: eq value: "644" - - flag: "640" set: true + - flag: "640" compare: op: eq value: "640" - - flag: "600" set: true + - flag: "600" compare: op: eq value: "600" + set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the below command (based on the file location on your system) on the each worker 
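Review bot: These node.yaml hunks combine the new permission items with a pure reordering of `set: true` from after `flag:` to after `compare:`, which makes the existing `- flag: "640"` and `- flag: "600"` items show up as removed and re-added even though their content is unchanged; keys in a YAML mapping are unordered, so the move has no effect on the check. Splitting the reorder into its own commit (or leaving the existing items untouched) would leave only the genuinely new items in the diff, here and in the matching node.yaml hunks for cis-1.4 and cis-1.5. If the reorder is kept, the new items should be written with `set: true` in the same position as the reordered ones, as they are now.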
@@ -520,20 +580,40 @@ groups: tests: test_items: - flag: "644" - set: true compare: op: eq value: "644" - - flag: "640" set: true + - flag: "640" compare: op: eq value: "640" - - flag: "600" set: true + - flag: "600" compare: op: eq value: "600" + set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the following command (using the config file location identied in the Audit step) diff --git a/cfg/cis-1.4/master.yaml b/cfg/cis-1.4/master.yaml index c206623..fff55a8 100644 --- a/cfg/cis-1.4/master.yaml +++ b/cfg/cis-1.4/master.yaml @@ -859,6 +859,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -904,6 +924,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
@@ -949,6 +989,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -994,6 +1054,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -1096,6 +1176,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -1140,6 +1240,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/scheduler.conf 
@@ -1182,6 +1302,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/controller-manager.conf @@ -1241,6 +1381,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | [Manual test] Run the below command (based on the file location on your system) on the master node. diff --git a/cfg/cis-1.4/node.yaml b/cfg/cis-1.4/node.yaml index f600a99..ed7ac42 100644 --- a/cfg/cis-1.4/node.yaml +++ b/cfg/cis-1.4/node.yaml @@ -345,20 +345,40 @@ groups: tests: test_items: - flag: "644" - set: true compare: op: eq value: "644" - - flag: "640" set: true + - flag: "640" compare: op: eq value: "640" - - flag: "600" set: true + - flag: "600" compare: op: eq value: "600" + set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the below command (based on the file location on your system) on the each worker 
@@ -388,20 +408,40 @@ groups: tests: test_items: - flag: "644" - set: true compare: op: eq value: "644" - - flag: "640" set: true + - flag: "640" compare: op: eq value: "640" - - flag: "600" set: true + - flag: "600" compare: op: eq value: "600" + set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the below command (based on the file location on your system) on the each worker @@ -428,20 +468,40 @@ groups: tests: test_items: - flag: "644" - set: true compare: op: eq value: "644" - - flag: "640" set: true + - flag: "640" compare: op: eq value: "640" - - flag: "600" set: true + - flag: "600" compare: op: eq value: "600" + set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the below command (based on the file location on your system) on the each worker @@ -521,20 +581,40 @@ groups: tests: test_items: - flag: "644" - set: true compare: op: eq value: "644" - - flag: "640" set: true + - flag: "640" compare: op: eq value: "640" - - flag: "600" set: true + - flag: "600" compare: op: eq value: "600" + set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the following command (using the config file location identied in the Audit step) diff --git a/cfg/cis-1.5/master.yaml b/cfg/cis-1.5/master.yaml index 7207685..28e31ab 100644 --- a/cfg/cis-1.5/master.yaml 
+++ b/cfg/cis-1.5/master.yaml @@ -29,6 +29,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. @@ -72,6 +92,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -115,6 +155,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -158,6 +218,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, 
@@ -253,6 +333,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -296,6 +396,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, @@ -339,6 +459,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command (based on the file location on your system) on the master node. For example, diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml index e6cb34b..fc42b1f 100644 --- a/cfg/cis-1.5/node.yaml +++ b/cfg/cis-1.5/node.yaml 
@@ -14,20 +14,40 @@ groups: tests: test_items: - flag: "644" - set: true compare: op: eq value: "644" - - flag: "640" set: true + - flag: "640" compare: op: eq value: "640" - - flag: "600" set: true + - flag: "600" compare: op: eq value: "600" + set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the below command (based on the file location on your system) on the each worker node. @@ -54,20 +74,40 @@ groups: tests: test_items: - flag: "644" - set: true compare: op: eq value: "644" - - flag: "640" set: true + - flag: "640" compare: op: eq value: "640" - - flag: "600" set: true + - flag: "600" compare: op: eq value: "600" + set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the below command (based on the file location on your system) on the each worker node. @@ -93,20 +133,40 @@ groups: tests: test_items: - flag: "644" - set: true compare: op: eq value: "644" - - flag: "640" set: true + - flag: "640" compare: op: eq value: "640" - - flag: "600" set: true + - flag: "600" compare: op: eq value: "600" + set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the below command (based on the file location on your system) on the each worker node. 
@@ -173,6 +233,26 @@ groups: compare: op: eq value: "600" + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true bin_op: or remediation: | Run the following command (using the config file location identied in the Audit step) diff --git a/cfg/rh-0.7/master.yaml b/cfg/rh-0.7/master.yaml index 2169685..d7c98e7 100644 --- a/cfg/rh-0.7/master.yaml +++ b/cfg/rh-0.7/master.yaml @@ -962,6 +962,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command. @@ -1039,6 +1059,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command. @@ -1082,6 +1122,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command. @@ -1125,6 +1185,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command. 
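Review bot: In this cis-1.5/node.yaml hunk the existing item ends with `compare: / op: eq / value: "600"` and no `set: true` follows before the new items, whereas every other hunk in this diff shows `set: true` on the existing item; if that item (and its 644/640 siblings above the hunk) really has no `set:` key, it is inconsistent with the new items that all carry `set: true`, and the behaviour then depends on the checker's default for `set`. If the key is simply placed before `compare:` in this file, no change is needed. The enclosing `test_items` list starts outside the hunk.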
diff --git a/cfg/rh-0.7/node.yaml b/cfg/rh-0.7/node.yaml index 9e0f0f4..23d116f 100644 --- a/cfg/rh-0.7/node.yaml +++ b/cfg/rh-0.7/node.yaml @@ -232,6 +232,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/node.kubeconfig @@ -273,6 +293,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command on each worker node. chmod 644 $nodesvc @@ -314,6 +354,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/node.kubeconfig @@ -355,6 +415,26 @@ groups: op: eq value: "600" set: true + - flag: "444" + compare: + op: eq + value: "444" + set: true + - flag: "440" + compare: + op: eq + value: "440" + set: true + - flag: "400" + compare: + op: eq + value: "400" + set: true + - flag: "000" + compare: + op: eq + value: "000" + set: true remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/client-ca.crt