mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-21 23:58:06 +00:00
Updating the rh-1.0 OCP checks (#1548)
1. Added audit commands wherever required. 2. Updated the scripts with type to manual to match the title. 3. Updated the scripts with test_items wherever required. 4. Fixed a typo.
This commit is contained in:
parent
38949874d1
commit
13da372a87
@ -67,7 +67,7 @@ groups:
|
||||
op: eq
|
||||
value: "1"
|
||||
remediation: |
|
||||
This setting is managed by the cluster etcd operator. No remediation required.e
|
||||
This setting is managed by the cluster etcd operator. No remediation required.
|
||||
scored: false
|
||||
|
||||
- id: 2.4
|
||||
|
@ -864,7 +864,6 @@ groups:
|
||||
remediation: |
|
||||
Follow the documentation for log forwarding. Forwarding logs to third party systems
|
||||
https://docs.openshift.com/container-platform/4.5/logging/cluster-logging-external.html
|
||||
|
||||
scored: false
|
||||
|
||||
- id: 1.2.24
|
||||
@ -1070,6 +1069,12 @@ groups:
|
||||
- id: 1.2.35
|
||||
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
|
||||
type: manual
|
||||
audit: |
|
||||
# verify cipher suites
|
||||
oc get cm -n openshift-authentication v4-0-config-system-cliconfig -o jsonpath='{.data.v4\-0\-config\-system\-cliconfig}' | jq .servingInfo
|
||||
oc get kubeapiservers.operator.openshift.io cluster -o json |jq.spec.observedConfig.servingInfo
|
||||
oc get openshiftapiservers.operator.openshift.io cluster -o json |jq.spec.observedConfig.servingInfo
|
||||
oc describe --namespace=openshift-ingress-operator ingresscontroller/default
|
||||
remediation: |
|
||||
Verify that the tlsSecurityProfile is set to the value you chose.
|
||||
Note: The HAProxy Ingress controller image does not support TLS 1.3
|
||||
|
@ -222,15 +222,12 @@ groups:
|
||||
audit: |
|
||||
for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')
|
||||
do
|
||||
oc debug node/${node} -- chroot /host grep clientCAFile /etc/kubernetes/kubelet.conf
|
||||
oc debug node/${node} -- chroot /host grep clientCAFile /etc/kubernetes/kubelet.conf | awk -F': ' '{ print "clientCAFile=" $2 }'
|
||||
done 2> /dev/null
|
||||
use_multiple_values: true
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "clientCAFile"
|
||||
compare:
|
||||
op: eq
|
||||
value: "/etc/kubernetes/kubelet-ca.crt"
|
||||
- flag: clientCAFile="/etc/kubernetes/kubelet-ca.crt"
|
||||
remediation: |
|
||||
None required. Changing the clientCAFile value is unsupported.
|
||||
scored: true
|
||||
@ -278,6 +275,10 @@ groups:
|
||||
compare:
|
||||
op: noteq
|
||||
value: 0
|
||||
- flag: streamingConnectionIdleTimeout
|
||||
compare:
|
||||
op: noteq
|
||||
value: 0s
|
||||
- flag: "exit_code"
|
||||
compare:
|
||||
op: eq
|
||||
|
@ -11,6 +11,12 @@ groups:
|
||||
- id: 5.1.1
|
||||
text: "Ensure that the cluster-admin role is only used where required (Manual)"
|
||||
type: "manual"
|
||||
audit: |
|
||||
#To get a list of users and service accounts with the cluster-admin role
|
||||
oc get clusterrolebindings -o=customcolumns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
|
||||
grep cluster-admin
|
||||
#To verity that kbueadmin is removed, no results should be returned
|
||||
oc get secrets kubeadmin -n kube-system
|
||||
remediation: |
|
||||
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
|
||||
if they need this role or if they could use a role with fewer privileges.
|
||||
@ -29,6 +35,15 @@ groups:
|
||||
- id: 5.1.3
|
||||
text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
|
||||
type: "manual"
|
||||
audit: |
|
||||
#needs verification
|
||||
oc get roles --all-namespaces -o yaml
|
||||
for i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc
|
||||
describe clusterrole ${i}; done
|
||||
#Retrieve the cluster roles defined in the cluster and review for wildcards
|
||||
oc get clusterroles -o yaml
|
||||
for i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do
|
||||
oc describe clusterrole ${i}; done
|
||||
remediation: |
|
||||
Where possible replace any use of wildcards in clusterroles and roles with specific
|
||||
objects or actions.
|
||||
@ -213,6 +228,9 @@ groups:
|
||||
- id: 5.3.2
|
||||
text: "Ensure that all Namespaces have Network Policies defined (Manual)"
|
||||
type: "manual"
|
||||
audit: |
|
||||
#Run the following command and review the NetworkPolicy objects created in the cluster.
|
||||
oc -n all get networkpolicy
|
||||
remediation: |
|
||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||
scored: false
|
||||
@ -223,6 +241,10 @@ groups:
|
||||
- id: 5.4.1
|
||||
text: "Prefer using secrets as files over secrets as environment variables (Manual)"
|
||||
type: "manual"
|
||||
audit: |
|
||||
#Run the following command to find references to objects which use environment variables defined from secrets.
|
||||
oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind}
|
||||
{.metadata.name} {"\n"}{end}' -A
|
||||
remediation: |
|
||||
If possible, rewrite application code to read secrets from mounted secret files, rather than
|
||||
from environment variables.
|
||||
@ -252,6 +274,10 @@ groups:
|
||||
- id: 5.7.1
|
||||
text: "Create administrative boundaries between resources using namespaces (Manual)"
|
||||
type: "manual"
|
||||
audit: |
|
||||
#Run the following command and review the namespaces created in the cluster.
|
||||
oc get namespaces
|
||||
#Ensure that these namespaces are the ones you need and are adequately administered as per your requirements.
|
||||
remediation: |
|
||||
Follow the documentation and create namespaces for objects in your deployment as you need
|
||||
them.
|
||||
@ -277,6 +303,11 @@ groups:
|
||||
- id: 5.7.4
|
||||
text: "The default namespace should not be used (Manual)"
|
||||
type: "manual"
|
||||
audit: |
|
||||
#Run this command to list objects in default namespace
|
||||
oc project default
|
||||
oc get all
|
||||
#The only entries there should be system managed resources such as the kubernetes and openshift service
|
||||
remediation: |
|
||||
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
|
||||
resources and that all new resources are created in a specific namespace.
|
||||
|
Loading…
Reference in New Issue
Block a user