text:"Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Automated)"
audit:|
if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi
tests:
bin_op:or
test_items:
- flag:"File not found"
- flag:"permissions"
compare:
op:bitmask
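Review bot: with `bin_op: or` and a bare `File not found` test_item, an empty or missing /node/etc/kubernetes/ssl/ directory makes this check PASS without a single certificate having been inspected; consider reporting that case as WARN rather than PASS, since the check exists to confirm the cert files are present with a restrictive mode. The `compare` block is cut off at `op: bitmask` in this hunk, so confirm the value that follows is `"600"`, matching the "600 or more restrictive" wording and the key-file check further down.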
@ -299,23 +302,25 @@ groups:
Run the below command (based on the file location on your system) on the control plane node.
text:"Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
audit:"find /node/etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a"
use_multiple_values:true
text:"Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"
audit:|
if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' | xargs stat -c permissions=%a;else echo \"File not found\"; fi
tests:
bin_op:or
test_items:
- flag:"permissions"
compare:
op:bitmask
value:"600"
- flag:"File not found"
remediation:|
Run the below command (based on the file location on your system) on the control plane node.
if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi
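Review bot: the rewritten Automated audit uses `find /node/etc/kubernetes/ssl/ -name '*.pem'` and drops the `'*key.pem'` filter that the replaced Manual audit had, so the "PKI key file" check now stats every `.pem` in the directory, certificates included, and merely duplicates the certificate check above; restore `-name '*key.pem'`. Two smaller points: inside a `|` block scalar the `\"File not found\"` needs no backslashes (the certificate check writes it as `"File not found"`), and because `xargs stat` still emits one `permissions=` line per file, `use_multiple_values: true` has to stay on the new check or only the first matching value is compared.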
@ -840,7 +839,7 @@ groups:
Follow the Kubernetes documentation and configure a EncryptionConfig file.
In this file, choose aescbc, kms or secretbox as the encryption provider.
Enabling encryption changes how data can be recovered as data is encrypted.
scored:false
scored:true
- id:1.2.32
text:"Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"
audit:'/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c permissions=%a /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
tests:
bin_op:or
test_items:
- flag:"permissions"
compare:
op:bitmask
value:"600"
- flag:"File not found"
remediation:|
Run the following command to modify the file permissions of the
--client-ca-file chmod 600 <filename>
scored:true
- id:4.1.8
text:"Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
audit:'/bin/sh -c "if test -e /node/etc/kubernetes/ssl/kube-ca.pem; then stat -c %U:%G /node/etc/kubernetes/ssl/kube-ca.pem; else echo \"File not found\"; fi"'
tests:
bin_op:or
test_items:
- flag:root:root
compare:
op:eq
value:root:root
- flag:"File not found"
remediation:|
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
scored:true
- id:4.1.9
text:"If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Manual)"
type:"skip"
text:"If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
audit:'/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
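Review bot: the new 4.1.9 audit `if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi` has no `else echo "File not found"` branch, so on a node that does not use config.yaml the command prints nothing and the now-Automated check fails instead of being treated as not applicable; mirror the pattern 4.1.7 and 4.1.8 use above (`else echo \"File not found\"` plus a `File not found` test_item under `bin_op: or`). Separately, the 4.1.7 audit hard-codes `/node/etc/kubernetes/ssl/kube-ca.pem` while its remediation talks about `--client-ca-file`; if that path can differ per deployment, resolve it from the kubelet flag rather than assuming the location.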
@ -136,8 +133,7 @@ groups:
scored:true
- id:4.1.10
text:"If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)"
type:"skip"
text:"If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Automated)"
audit:'/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests:
test_items:
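Review bot: same gap as 4.1.9: the 4.1.10 ownership audit `stat -c %U:%G $kubeletconf` is silent when `$kubeletconf` is absent, so once Automated the check cannot tell "config.yaml not in use" from "wrong owner"; add the `else echo \"File not found\"` branch and a matching `File not found` test_item with `bin_op: or`, as 4.1.8 does for the CA file.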
@ -323,7 +319,7 @@ groups:
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
type:"skip"
type:"manual"
audit:"/bin/ps -fC $kubeletbin "
tests:
test_items:
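Review bot: moving this check from `skip` to `manual` changes the reported state from INFO to WARN, but a manual check is reported as WARN regardless of what `/bin/ps -fC $kubeletbin` returns, so the audit line here only surfaces evidence. The comment above already says the property is readable from the kubelet command line, so either automate it with a test_item on that flag or state in the remediation what the operator should look for in the ps output.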
@ -361,8 +357,7 @@ groups:
scored:true
- id:4.2.10
text:"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
type:"skip"
text:"Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
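Review bot: 4.2.10 now reads both the kubelet command line (`/bin/ps -fC $kubeletbin`) and the config file (`audit_config` catting `$kubeletconf`), so the test_items that follow need to accept either source, `--tls-cert-file`/`--tls-private-key-file` on the command line or `tlsCertFile`/`tlsPrivateKeyFile` in config.yaml, and they should require both members of the pair rather than either one, since the kubelet falls back to generating its own self-signed serving certificate when the pair is not supplied.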
@ -384,7 +379,7 @@ groups:
systemctl daemon-reload
systemctl restart kubelet.service
When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers.
scored:false
scored:true
- id:4.2.11
text:"Ensure that the --rotate-certificates argument is not set to false (Automated)"
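Review bot: flipping 4.2.10 to `scored: true` matches its promotion to Automated, but the remediation block now ends with the sentence about hostname overrides breaking serving-certificate generation, which is an impact caveat rather than a step; separate it from the `systemctl daemon-reload` / `systemctl restart kubelet.service` commands so the procedure does not trail off into a warning.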
@ -415,7 +410,7 @@ groups:
- id:4.2.12
text:"Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
type:"skip"
type:"manual"
audit:"/bin/ps -fC $kubeletbin"
audit_config:"/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
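Review bot: as with the earlier skip-to-manual change, 4.2.12 will report WARN whatever `/bin/ps -fC $kubeletbin` or the `cat $kubeletconf` audit_config return, so the two audit commands only collect evidence. If the check is to stay Manual, the text should say where the operator looks: `--feature-gates=RotateKubeletServerCertificate=true` on the command line or `featureGates: RotateKubeletServerCertificate: true` in config.yaml. Otherwise it is automatable on exactly the two sources 4.2.10 now uses.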