if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi
tests:
tests:
bin_op:or
test_items:
test_items:
- flag:"File not found"
- flag:"permissions"
- flag:"permissions"
compare:
compare:
op:bitmask
op:bitmask
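Review bot: the audit line at the top of this hunk evaluates `find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem'` twice and pipes the result through `xargs stat`, which splits on whitespace; a single `find ... -exec stat -c permissions=%a {} +` captured into a variable, with the `else echo "File not found"` branch kept for the empty case, is shorter and safe for any path. Also note that `bin_op: or` together with `- flag: "File not found"` makes an absent ssl directory PASS outright; if that is intended for hosts without a control-plane role, the remediation should say so, otherwise a missing PKI directory should not read as compliant.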
@ -299,23 +302,25 @@ groups:
Run the below command (based on the file location on your system) on the control plane node.
Run the below command (based on the file location on your system) on the control plane node.
text:"Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
text:"Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"
audit:"find /node/etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a"
audit:|
use_multiple_values:true
if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' | xargs stat -c permissions=%a;else echo \"File not found\"; fi
tests:
tests:
bin_op:or
test_items:
test_items:
- flag:"permissions"
- flag:"permissions"
compare:
compare:
op:bitmask
op:bitmask
value:"600"
value:"600"
- flag:"File not found"
remediation:|
remediation:|
Run the below command (based on the file location on your system) on the control plane node.
Run the below command (based on the file location on your system) on the control plane node.
if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi
if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi
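Review bot: the new audit for "Ensure that the Kubernetes PKI key file permissions are set to 600" no longer matches the check it belongs to: the replaced command selected `-name '*key.pem'`, the replacement selects every `'*.pem'` under `/node/etc/kubernetes/ssl/`, so the certificate files the previous check deliberately excludes with `! -name '*key.pem'` are now also tested against `bitmask 600` and will fail wherever a certificate is readable by anyone but its owner. Restore `-name '*key.pem'` in both the `test -n` guard and the `find` feeding `xargs stat`. Two smaller points: since this is a `|` block scalar, the backslashes in `echo \"File not found\"` reach the shell and the fallback prints the string with literal quotes (harmless for the substring match, but inconsistent with the unescaped form in the preceding hunk), and with `use_multiple_values: true` a single non-compliant key fails the whole item, which is correct but deserves a sentence in the remediation now that the check is titled (Automated).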
@ -840,7 +839,7 @@ groups:
Follow the Kubernetes documentation and configure a EncryptionConfig file.
Follow the Kubernetes documentation and configure a EncryptionConfig file.
In this file, choose aescbc, kms or secretbox as the encryption provider.
In this file, choose aescbc, kms or secretbox as the encryption provider.
Enabling encryption changes how data can be recovered as data is encrypted.
Enabling encryption changes how data can be recovered as data is encrypted.
scored:false
scored:true
- id:1.2.32
- id:1.2.32
text:"Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"
text:"Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"
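Review bot: flipping the encryption-provider check to `scored: true` makes its result depend on the audit shown just above (`grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*"`), which reports only the first provider of the last `providers:` list in the file. Kubernetes encrypts writes with the first provider listed for each resource, so a config whose `secrets` block has `identity` at the top of its list followed by a second resource block using `aescbc` prints `provider=aescbc` and passes while secrets stay in cleartext. If this is to be scored, the audit should examine the first provider of every resource block (at minimum the one covering secrets) and `$ENCRYPTION_PROVIDER_CONFIG` should be quoted; otherwise leave it unscored and keep the recovery caveat in the remediation.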
audit:'/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
tests:
tests:
bin_op:or
test_items:
test_items:
- flag:"permissions"
- flag:"permissions"
compare:
compare:
op:bitmask
op:bitmask
value:"600"
value:"600"
- flag:"File not found"
remediation:|
remediation:|
Run the following command to modify the file permissions of the
Run the following command to modify the file permissions of the
--client-ca-file chmod 600 <filename>
--client-ca-file chmod 600 <filename>
scored:true
scored:true
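Review bot: the 4.1.7 audit hardcodes `/node/etc/kubernetes/ssl/kube-ca.pem` while the remediation still tells the operator to chmod the file named by `--client-ca-file`; if the kubelet on a node points at a different file, the check inspects the wrong one. Either state the fixed RKE path in the remediation instead of `<filename>`, or derive the path from the kubelet command line the way the `/bin/ps -fC $kubeletbin` checks later in this file do. The `bin_op: or` with `- flag: "File not found"` also turns a missing client CA into a PASS, which is the wrong default for an authentication trust anchor; a WARN with an explanatory message is safer. Lastly, the remediation reads as one sentence broken across two lines (`modify the file permissions of the` / `--client-ca-file chmod 600 <filename>`); please reflow it.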
- id:4.1.8
- id:4.1.8
text:"Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
text:"Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
audit:'/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
tests:
tests:
bin_op:or
test_items:
test_items:
- flag:root:root
- flag:root:root
compare:
- flag:"File not found"
op:eq
value:root:root
remediation:|
remediation:|
Run the following command to modify the ownership of the --client-ca-file.
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
chown root:root <filename>
scored:true
scored:true
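Review bot: in 4.1.8 the `compare: op: eq / value: root:root` block is dropped in favour of a bare `- flag: root:root`, which kube-bench evaluates as a substring presence test on the audit output rather than an equality; `stat -c %U:%G` output such as `nonroot:root` would still satisfy it. Keep the `compare` block on the `root:root` item and add the `File not found` item next to it under `bin_op: or`, which is the shape the permission checks in this same change use. The remark on 4.1.7 about a missing `kube-ca.pem` counting as a pass applies here too.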
- id:4.1.9
- id:4.1.9
text:"If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Manual)"
text:"If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
type:"skip"
audit:'/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
audit:'/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
tests:
test_items:
test_items:
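Review bot: 4.1.9 is retitled (Automated) and its `type: "skip"` removed, but the audit `if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi` prints nothing when the config file is absent, and the title itself says the check applies only if config.yaml is used. With no `else echo "File not found"` branch and, as far as this hunk shows, no `bin_op: or` fallback, a node that configures its kubelet purely by flags now FAILs instead of being skipped. Add the same fallback pattern used for the PKI checks in this change, or keep the item manual where config.yaml is optional.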
@ -136,8 +133,7 @@ groups:
scored:true
scored:true
- id:4.1.10
- id:4.1.10
text:"If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)"
text:"If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Automated)"
type:"skip"
audit:'/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
audit:'/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests:
tests:
test_items:
test_items:
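Review bot: 4.1.10 has the same gap as 4.1.9 above: with `type: "skip"` gone and no fallback branch in `if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi`, an absent config.yaml yields empty output and a FAIL on a check whose own title makes it conditional. Add the `File not found` item under `bin_op: or`, or leave it manual.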
@ -323,7 +319,7 @@ groups:
# This is one of those properties that can only be set as a command line argument.
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
# instead reading the Kubelet Configuration file.
type:"skip"
type:"manual"
audit:"/bin/ps -fC $kubeletbin "
audit:"/bin/ps -fC $kubeletbin "
tests:
tests:
test_items:
test_items:
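Review bot: changing `type: "skip"` to `type: "manual"` does not make this check run; kube-bench reports manual items as WARN without executing `audit`, so the only effect is turning an INFO into a WARN. The comment above says the property has to be parsed from the kubelet command line, and `/bin/ps -fC $kubeletbin` is already the audit, so if the flag can be matched in that output the `type` line should simply be removed so the test_items are evaluated; if it genuinely cannot be automated, the comment should say why rather than describe how it would be checked.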
@ -361,8 +357,7 @@ groups:
scored:true
scored:true
- id:4.2.10
- id:4.2.10
text:"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
text:"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
type:"skip"
audit:"/bin/ps -fC $kubeletbin"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
tests:
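Review bot: 4.2.10 is retitled from (Manual) to (Automated) and un-skipped, yet nothing in the check itself changed to justify it: `audit` and `audit_config` are the same ps/cat pair as before, and the remediation's own caveat (serving certificates can break under the hostname overrides some cloud providers require) is presumably why the original title carried (Manual). If it stays automated, the remediation should tell operators on such providers to expect the failure and exclude the check deliberately; otherwise keep the title and its scoring consistent with a manual classification.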
@ -384,7 +379,7 @@ groups:
systemctl daemon-reload
systemctl daemon-reload
systemctl restart kubelet.service
systemctl restart kubelet.service
When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers.
When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers.
scored:false
scored:true
- id:4.2.11
- id:4.2.11
text:"Ensure that the --rotate-certificates argument is not set to false (Automated)"
text:"Ensure that the --rotate-certificates argument is not set to false (Automated)"
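Review bot: the `scored: false` to `scored: true` flip here pairs with the 4.2.10 retitle in the previous hunk and the two should be reverted or kept together. The remediation immediately above (`systemctl daemon-reload` / `systemctl restart kubelet.service` followed by the hostname-override warning) is unchanged, so a scored FAIL now sends operators into a restart procedure the text itself says may break serving on some providers; add a line telling them to confirm how hostname overrides are handled on their provider before applying it.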
@ -415,7 +410,7 @@ groups:
- id:4.2.12
- id:4.2.12
text:"Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
text:"Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
type:"skip"
type:"manual"
audit:"/bin/ps -fC $kubeletbin"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
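Review bot: as with the earlier skip-to-manual change, `type: "manual"` on 4.2.12 still leaves the `/bin/ps -fC $kubeletbin` audit and the `audit_config` cat of `$kubeletconf` unexecuted; kube-bench only changes the reported state from INFO to WARN. `RotateKubeletServerCertificate` is observable in either source (a `--feature-gates` entry on the command line or `featureGates` in config.yaml), so if the intent is to surface it, drop the `type` line and let the test_items run; if the intent is to keep it advisory, say so in a comment like the one used for the command-line-only property above.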