mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-19 21:28:07 +00:00
Merge pull request #212 from aquasecurity/ocp-configs
OCP benchmarks and configs
This commit is contained in:
commit
2d4c7e8b42
35
cfg/ocp-3.10/config.yaml
Normal file
35
cfg/ocp-3.10/config.yaml
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
## Controls Files.
|
||||
# These are YAML files that hold all the details for running checks.
|
||||
#
|
||||
## Uncomment to use different control file paths.
|
||||
# masterControls: ./cfg/master.yaml
|
||||
# nodeControls: ./cfg/node.yaml
|
||||
# federatedControls: ./cfg/federated.yaml
|
||||
|
||||
master:
|
||||
apiserver:
|
||||
bins:
|
||||
- openshift start master api
|
||||
defaultconf: /etc/origin/master/master-config.yaml
|
||||
|
||||
scheduler:
|
||||
bins:
|
||||
- openshift start master controllers
|
||||
defaultconf: /etc/origin/master/master-config.yaml
|
||||
|
||||
controllermanager:
|
||||
bins:
|
||||
- openshift start master controllers
|
||||
defaultconf: /etc/origin/master/master-config.yaml
|
||||
|
||||
etcd:
|
||||
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
||||
|
||||
node:
|
||||
kubelet:
|
||||
defaultconf: /etc/kubernetes/kubelet.conf
|
||||
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
||||
|
||||
proxy:
|
||||
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
113
cfg/ocp-3.10/federated.yaml
Normal file
113
cfg/ocp-3.10/federated.yaml
Normal file
@ -0,0 +1,113 @@
|
||||
---
|
||||
controls:
|
||||
id: 3
|
||||
text: "Federated Deployments"
|
||||
type: "federated"
|
||||
groups:
|
||||
- id: 3.1
|
||||
text: "Federated API Server"
|
||||
checks:
|
||||
- id: 3.1.1
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.2
|
||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.3
|
||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.4
|
||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.5
|
||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.6
|
||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.7
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.8
|
||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.9
|
||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.10
|
||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.11
|
||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.12
|
||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.13
|
||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.14
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.15
|
||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.16
|
||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.17
|
||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.18
|
||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.19
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
|
||||
- id: 3.2
|
||||
text: "Federation Controller Manager"
|
||||
checks:
|
||||
- id: 3.2.1
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
1500
cfg/ocp-3.10/master.yaml
Normal file
1500
cfg/ocp-3.10/master.yaml
Normal file
File diff suppressed because it is too large
Load Diff
376
cfg/ocp-3.10/node.yaml
Normal file
376
cfg/ocp-3.10/node.yaml
Normal file
@ -0,0 +1,376 @@
|
||||
---
|
||||
controls:
|
||||
id: 2
|
||||
text: "Worker Node Security Configuration"
|
||||
type: "node"
|
||||
groups:
|
||||
- id: 2.1
|
||||
text: "Kubelet"
|
||||
checks:
|
||||
- id: 2.1.1
|
||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 2.1.2
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 2.1.3
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "authorization-mode"
|
||||
set: false
|
||||
- flag: "authorization-mode: Webhook"
|
||||
compare:
|
||||
op: has
|
||||
value: "Webhook"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
|
||||
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
|
||||
scored: true
|
||||
|
||||
- id: 2.1.4
|
||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||
audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "client-ca-file"
|
||||
set: false
|
||||
remediation: |
|
||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
|
||||
grep -A1 client-ca-file /etc/origin/node/node-config.yaml
|
||||
|
||||
Reset to the OpenShift default.
|
||||
See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
|
||||
The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
|
||||
scored: true
|
||||
|
||||
- id: 2.1.5
|
||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
||||
audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "read-only-port"
|
||||
set: false
|
||||
- flag: "read-only-port: 0"
|
||||
compare:
|
||||
op: has
|
||||
value: "0"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
|
||||
scored: true
|
||||
|
||||
- id: 2.1.6
|
||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
||||
audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "streaming-connection-idle-timeout"
|
||||
set: false
|
||||
- flag: "0"
|
||||
set: false
|
||||
remediation: |
|
||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
|
||||
value like the following in node-config.yaml.
|
||||
|
||||
kubeletArguments:
|
||||
streaming-connection-idle-timeout:
|
||||
- "5m"
|
||||
scored: true
|
||||
|
||||
- id: 2.1.7
|
||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 2.1.8
|
||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
||||
audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "make-iptables-util-chains"
|
||||
set: false
|
||||
- flag: "make-iptables-util-chains: true"
|
||||
compare:
|
||||
op: has
|
||||
value: "true"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
|
||||
default value of true.
|
||||
scored: true
|
||||
|
||||
id: 2.1.9
|
||||
text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)"
|
||||
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "keep-terminated-pod-volumes: false"
|
||||
compare:
|
||||
op: has
|
||||
value: "false"
|
||||
set: true
|
||||
remediation: |
|
||||
Reset to the OpenShift defaults
|
||||
scored: true
|
||||
|
||||
- id: 2.1.10
|
||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 2.1.11
|
||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
||||
audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "event-qps"
|
||||
set: false
|
||||
- flag: "event-qps: 0"
|
||||
compare:
|
||||
op: has
|
||||
value: "0"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
|
||||
the kubeletArguments section of.
|
||||
scored: true
|
||||
|
||||
- id: 2.1.12
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "/etc/origin/node/certificates"
|
||||
compare:
|
||||
op: has
|
||||
value: "/etc/origin/node/certificates"
|
||||
set: true
|
||||
remediation: |
|
||||
Reset to the OpenShift default values.
|
||||
scored: true
|
||||
|
||||
- id: 2.1.13
|
||||
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
||||
audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "cadvisor-port"
|
||||
set: false
|
||||
- flag: "cadvisor-port: 0"
|
||||
compare:
|
||||
op: has
|
||||
value: "0"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
|
||||
if it is set in the kubeletArguments section.
|
||||
scored: true
|
||||
|
||||
- id: 2.1.14
|
||||
text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)"
|
||||
audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "RotateKubeletClientCertificate=true"
|
||||
compare:
|
||||
op: has
|
||||
value: "true"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
|
||||
scored: true
|
||||
|
||||
- id: 2.1.15
|
||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
||||
audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
|
||||
test:
|
||||
test_items:
|
||||
- flag: "RotateKubeletServerCertificate=true"
|
||||
compare:
|
||||
op: has
|
||||
value: "true"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
|
||||
scored: true
|
||||
|
||||
|
||||
- id: 2.2
|
||||
text: "Configuration Files"
|
||||
checks:
|
||||
- id: 2.2.1
|
||||
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command on each worker node.
|
||||
chmod 644 /etc/origin/node/node.kubeconfig
|
||||
scored: true
|
||||
|
||||
- id: 2.2.2
|
||||
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
||||
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: root:root
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command on each worker node.
|
||||
chown root:root /etc/origin/node/node.kubeconfig
|
||||
scored: true
|
||||
|
||||
- id: 2.2.3
|
||||
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command on each worker node.
|
||||
chmod 644 /etc/systemd/system/atomic-openshift-node.service
|
||||
scored: true
|
||||
|
||||
- id: 2.2.4
|
||||
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
|
||||
audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: root:root
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command on each worker node.
|
||||
chown root:root /etc/systemd/system/atomic-openshift-node.service
|
||||
scored: true
|
||||
|
||||
- id: 2.2.5
|
||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command on each worker node.
|
||||
chmod 644 /etc/origin/node/node.kubeconfig
|
||||
scored: true
|
||||
|
||||
- id: 2.2.6
|
||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
||||
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: root:root
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command on each worker node.
|
||||
chown root:root /etc/origin/node/node.kubeconfig
|
||||
scored: true
|
||||
|
||||
- id: 2.2.7
|
||||
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "stat -c %a /etc/origin/node/client-ca.crt"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command on each worker node.
|
||||
chmod 644 /etc/origin/node/client-ca.crt
|
||||
scored: true
|
||||
|
||||
- id: 2.2.8
|
||||
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
|
||||
audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: root:root
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command on each worker node.
|
||||
chown root:root /etc/origin/node/client-ca.crt
|
||||
scored: true
|
@ -78,6 +78,7 @@ type Check struct {
|
||||
// the results.
|
||||
func (c *Check) Run() {
|
||||
|
||||
// If check type is skip, force result to INFO
|
||||
if c.Type == "skip" {
|
||||
c.State = INFO
|
||||
return
|
||||
|
@ -144,6 +144,12 @@ type tests struct {
|
||||
func (ts *tests) execute(s string) *testOutput {
|
||||
finalOutput := &testOutput{}
|
||||
|
||||
// If no tests are defined return with empty finalOutput.
|
||||
// This may be the case for checks of type: "skip".
|
||||
if ts == nil {
|
||||
return finalOutput
|
||||
}
|
||||
|
||||
res := make([]testOutput, len(ts.TestItems))
|
||||
if len(res) == 0 {
|
||||
return finalOutput
|
||||
|
@ -157,7 +157,7 @@ func prettyPrint(r *check.Controls, summary check.Summary) {
|
||||
colors[check.WARN].Printf("== Remediations ==\n")
|
||||
for _, g := range r.Groups {
|
||||
for _, c := range g.Checks {
|
||||
if c.State != check.PASS {
|
||||
if c.State == check.FAIL || c.State == check.WARN {
|
||||
fmt.Printf("%s %s\n", c.ID, c.Remediation)
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user