diff --git a/cfg/master.yaml b/cfg/master.yaml index 46aeb36..874b9cc 100644 --- a/cfg/master.yaml +++ b/cfg/master.yaml @@ -479,19 +479,14 @@ groups: parameter to \"--experimental-encryption-provider-config=\"" scored: true -# TODO: provide flag to WARN of manual tasks which we can't automate. - id: 1.1.35 text: "Ensure that the encryption provider is set to aescbc (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" - tests: - test_items: - - flag: "requires manual intervention" - set: true + type: "manual" remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, choose aescbc as the encryption provider" scored: true - - id: 1.2 text: "Scheduler" checks: @@ -573,7 +568,13 @@ groups: KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=" scored: true -# TODO: 1.3.6 is manual, provide way to WARN + - id: 1.3.6 + text: "Apply Security Context to Your Pods and Containers (Not Scored)" + type: "manual" + remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include + \"--feature-gates=RotateKubeletServerCertificate=true\"" + scored: false - id: 1.3.7 text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" @@ -717,6 +718,20 @@ groups: chmod 700 /var/lib/etcd/default.etcd" scored: true + - id: 1.4.12 + text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" + tests: + test_items: + - flag: "etcd:etcd" + set: true + remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir , + from the below command:\n + ps -ef | grep etcd\n + Run the below command (based on the etcd data directory found above). For example,\n + chown etcd:etcd /var/lib/etcd/default.etcd" + scored: true + - id: 1.5 text: "etcd" checks: 
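Review bot: The `audit:` line kept on 1.1.35 becomes dead configuration once `type: "manual"` is set, because Run now returns WARN before any command is executed, and this is the only manual entry in the commit that stays `scored: true` while every other manual check is `scored: false`. Either drop the audit line or mark it, e.g. `# audit kept for operator reference only; manual checks are never executed`. If scored-but-manual is intentional (the title does say "(Scored)"), a one-line comment saying so would spare the next reader the question.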
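Review bot: The remediation added for 1.3.6 does not match its title: the check is "Apply Security Context to Your Pods and Containers", but the remediation tells the operator to set `\"--feature-gates=RotateKubeletServerCertificate=true\"` in KUBE_CONTROLLER_MANAGER_ARGS, which is the subject of 1.3.7 directly below it. Because a manual check surfaces only this text, an operator following it would change an unrelated controller-manager flag and still have done nothing about security contexts. Replace it with security-context guidance, or at least mirror the wording used for 1.6.6 later in this same commit.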
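Review bot: The audit pipeline for 1.4.12 is fragile in two ways: `grep -o data-dir=.*` is greedy, so any flag that follows `--data-dir` on the etcd command line is swallowed into the path handed to `stat`, and when etcd runs with its default data directory (no `--data-dir` at all) `xargs` invokes `stat -c %U:%G` with no path, so the check presumably fails with a stat error rather than reporting ownership. A tighter match such as `grep -o 'data-dir=[^ ]*' | cut -d= -f2 | xargs stat -c %U:%G` fixes the first case; the second needs either a fallback to etcd's default directory or a comment stating that the check assumes `--data-dir` is passed explicitly.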
@@ -859,3 +874,65 @@ groups: remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service." scored: false + +- id: 1.6 + text: "General Security Primitives" + checks: + - id: 1.6.1 + text: "Ensure that the cluster-admin role is only used where required (Not Scored)" + type: "manual" + remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]" + scored: false + + - id: 1.6.2 + text: "Create Pod Security Policies for your cluster (Not Scored)" + type: "manual" + remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster. + Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the + suggested Pod Security Policies for your environment." + scored: false + + - id: 1.6.3 + text: "Create administrative boundaries between resources using namespaces (Not Scored)" + type: "manual" + remediation: "Follow the documentation and create namespaces for objects in your deployment as you + need them." + scored: false + + - id: 1.6.4 + text: "Create network segmentation using Network Policies (Not Scored)" + type: "manual" + remediation: "Follow the documentation and create NetworkPolicy objects as you need them." + scored: false + + - id: 1.6.5 + text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" + type: "manual" + remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. 
So, you + would need to enable alpha features in the apiserver by passing \"--feature- + gates=AllAlpha=true\" argument.\n + Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS + parameter to \"--feature-gates=AllAlpha=true\" + KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\"" + scored: false + + - id: 1.6.6 + text: "Apply Security Context to Your Pods and Containers (Not Scored)" + type: "manual" + remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a + suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker + Containers." + scored: false + + - id: 1.6.7 + text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" + type: "manual" + remediation: "Follow the Kubernetes documentation and setup image provenance." + scored: false + + - id: 1.6.8 + text: "Configure Network policies as appropriate (Not Scored)" + type: "manual" + remediation: "Follow the Kubernetes documentation and setup network policies as appropriate." + scored: false + diff --git a/cfg/node.yaml b/cfg/node.yaml index 94e48f7..346ddd1 100644 --- a/cfg/node.yaml +++ b/cfg/node.yaml @@ -285,7 +285,6 @@ groups: \nFor example, chown root:root $proxyconf" scored: true -# TODO: provide flag to WARN about manual checks. - id: 2.2.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" @@ -298,7 +297,6 @@ groups: \nchmod 644 " scored: true -# TODO: provide flag to WARN about manual checks. - id: 2.2.8 text: "Ensure that the client certificate authorities file ownership is set to root:root" audit: "if test -e $ca-file; then stat -c %U:%G $ca-file; fi" diff --git a/check/check.go b/check/check.go index 5d8221a..1f23a9e 100644 --- a/check/check.go +++ b/check/check.go 
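Review bot: The 1.6.5 remediation wraps the flag across two source lines as `\"--feature-` / `gates=AllAlpha=true\"`; in a double-quoted YAML scalar a line fold becomes a single space, so the rendered text reads `--feature- gates=AllAlpha=true`, which is not the intended flag. Keep `--feature-gates=AllAlpha=true` on one line, as the same string already appears unbroken two lines further down. Separately, the text advises enabling every alpha feature on the API server to obtain seccomp; a short note that `AllAlpha=true` turns on far more than the one gate needed would help an operator weigh that trade-off before applying it.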
@@ -61,6 +61,7 @@ type Check struct {
 ID string `yaml:"id" json:"id"`
 Text string
 Audit string `json:"omit"`
+ Type string `json:"type"`
 Commands []*exec.Cmd `json:"omit"`
 Tests *tests `json:"omit"`
 Set bool `json:"omit"`
@@ -71,6 +72,12 @@ type Check struct {
 // Run executes the audit commands specified in a check and outputs
 // the results.
 func (c *Check) Run() {
+ // If check type is manual, force result to WARN.
+ if c.Type == "manual" {
+ c.State = WARN
+ return
+ }
+
 var out bytes.Buffer
 var errmsgs string
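Review bot: The new `Type` field carries no doc comment and its only meaningful value is the bare literal `"manual"` that Run compares against a few lines below, so a config typo such as `Manual` or `manual ` silently produces a normally executed check instead of a WARN. Add `// Type selects how the check is evaluated; the only recognised value is "manual", which skips the audit commands and reports WARN.` and hoist the string into a named constant, e.g. `const TypeManual = "manual"`, so the comparison in Run and any future config validation share one definition. Rejecting unrecognised Type values when the config is loaded, rather than treating them as an ordinary check, would close the gap; Run's body continues past the end of this hunk.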