From 2d548597ae083b91f3637af309c011e2c317678b Mon Sep 17 00:00:00 2001
From: Huang Huang
Date: Thu, 13 Aug 2020 02:57:51 +0800
Subject: [PATCH] Support CIS v1.5.1 (#673)
---
 README.md | 2 +-
 cfg/cis-1.5/master.yaml | 20 ++++++------
 cfg/cis-1.5/node.yaml | 2 +-
 cfg/cis-1.5/policies.yaml | 10 +++---
 integration/testdata/cis-1.5/job-master.data | 14 ++++----
 integration/testdata/cis-1.5/job-node.data | 2 +-
 integration/testdata/cis-1.5/job.data | 34 ++++++++++----------
 7 files changed, 42 insertions(+), 42 deletions(-)
diff --git a/README.md b/README.md
index 643528c..7d2afa0 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ kube-bench supports the tests for Kubernetes as defined in the [CIS Kubernetes B
 |---|---|---|
 | [1.3.0](https://workbench.cisecurity.org/benchmarks/602) | cis-1.3 | 1.11-1.12 |
 | [1.4.1](https://workbench.cisecurity.org/benchmarks/2351) | cis-1.4 | 1.13-1.14 |
-| [1.5.0](https://workbench.cisecurity.org/benchmarks/1370) | cis-1.5 | 1.15- |
+| [1.5.1](https://workbench.cisecurity.org/benchmarks/4892) | cis-1.5 | 1.15- |
 | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
 | [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS |
 | Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
diff --git a/cfg/cis-1.5/master.yaml b/cfg/cis-1.5/master.yaml
index 58806cd..4d4b54d 100644
--- a/cfg/cis-1.5/master.yaml
+++ b/cfg/cis-1.5/master.yaml
@@ -303,7 +303,7 @@ groups:
 scored: true
 - id: 1.1.20
- text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)"
+ text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)"
 audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a"
 use_multiple_values: true
 tests:
@@ -317,10 +317,10 @@ groups:
 Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/pki/*.crt
- scored: true
+ scored: false
 - id: 1.1.21
- text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)"
+ text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)"
 audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a"
 use_multiple_values: true
 tests:
@@ -334,7 +334,7 @@ groups:
 Run the below command (based on the file location on your system) on the master node. For example, chmod -R 600 /etc/kubernetes/pki/*.key
- scored: true
+ scored: false
 - id: 1.2
 text: "API Server"
@@ -880,7 +880,7 @@ groups:
 scored: true
 - id: 1.2.33
- text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
+ text: "Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)"
 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -890,16 +890,16 @@ groups:
 Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file $apiserverconf on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=
- scored: true
+ scored: false
 - id: 1.2.34
- text: "Ensure that encryption providers are appropriately configured (Scored)"
+ text: "Ensure that encryption providers are appropriately configured (Not Scored)"
 audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
 type: "manual"
 remediation: |
 Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, choose aescbc, kms or secretbox as the encryption provider.
- scored: true
+ scored: false
 - id: 1.2.35
 text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
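Review bot: The `scored: false` flips for 1.2.33 and 1.2.34 in the -890 hunk silently change how a cluster without encryption at rest is reported — the integration data in this same commit shows 1.2.33 going from FAIL to WARN with only the flag changed — yet the YAML gives a reader no hint that this is a benchmark-driven downgrade rather than lost coverage. A one-line comment above each flipped flag would make the provenance auditable, e.g. `# Not Scored per CIS Kubernetes Benchmark v1.5.1; the check still runs, a miss surfaces as WARN rather than FAIL (see integration/testdata)`. The same comment belongs on the 1.1.20/1.1.21 flips in the -317 and -334 hunks and on 1.3.1 in the -932 hunk on the next line. Operators who gate on a non-zero FAIL count should be told, in the file they read, that a missing `--encryption-provider-config` no longer contributes to it.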
@@ -921,7 +921,7 @@ groups:
 text: "Controller Manager"
 checks:
 - id: 1.3.1
- text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
+ text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)"
 audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
@@ -932,7 +932,7 @@ groups:
 on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example: --terminated-pod-gc-threshold=10
- scored: true
+ scored: false
 - id: 1.3.2
 text: "Ensure that the --profiling argument is set to false (Scored)"
diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml
index 167fec8..da0c786 100644
--- a/cfg/cis-1.5/node.yaml
+++ b/cfg/cis-1.5/node.yaml
@@ -164,7 +164,7 @@ groups:
 text: "Kubelet"
 checks:
 - id: 4.2.1
- text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+ text: "Ensure that the anonymous-auth argument is set to false (Scored)"
 audit: "/bin/ps -fC $kubeletbin"
 audit_config: "/bin/cat $kubeletconf"
 tests:
diff --git a/cfg/cis-1.5/policies.yaml b/cfg/cis-1.5/policies.yaml
index 3cf1d64..ace5282 100644
--- a/cfg/cis-1.5/policies.yaml
+++ b/cfg/cis-1.5/policies.yaml
@@ -184,10 +184,10 @@ groups:
 Follow the Kubernetes documentation and setup image provenance.
 scored: false
- - id: 5.6
+ - id: 5.7
 text: "General Policies"
 checks:
- - id: 5.6.1
+ - id: 5.7.1
 text: "Create administrative boundaries between resources using namespaces (Not Scored)"
 type: "manual"
 remediation: |
@@ -195,7 +195,7 @@ groups:
 them.
 scored: false
- - id: 5.6.2
+ - id: 5.7.2
 text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
 type: "manual"
 remediation: |
@@ -221,7 +221,7 @@ groups:
 image: sotrustworthy:latest
 scored: false
- - id: 5.6.3
+ - id: 5.7.3
 text: "Apply Security Context to Your Pods and Containers (Not Scored)"
 type: "manual"
 remediation: |
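Review bot: Renumbering the group from 5.6 to 5.7 in the policies.yaml -184 hunk leaves the file jumping from the 5.5 group straight to 5.7, and nothing in the diff adds a 5.6 group, so a reader of the file — or of the integration output, where `[INFO] 5.5 Extensible Admission Control` is now followed directly by `[INFO] 5.7 General Policies` — cannot tell whether a section was dropped by mistake. If the gap is deliberate because it mirrors the benchmark's own numbering, say so beside the group id, e.g. `# 5.6 is intentionally absent: ids track CIS Kubernetes Benchmark v1.5.1`. If instead v1.5.1 defines a 5.6 section that kube-bench does not implement, a comment naming it as not implemented would serve the same purpose and tell users what the scan does not cover.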
@@ -230,7 +230,7 @@ groups:
 Containers.
 scored: false
- - id: 5.6.4
+ - id: 5.7.4
 text: "The default namespace should not be used (Scored)"
 type: "manual"
 remediation: |
diff --git a/integration/testdata/cis-1.5/job-master.data b/integration/testdata/cis-1.5/job-master.data
index a274118..da41747 100644
--- a/integration/testdata/cis-1.5/job-master.data
+++ b/integration/testdata/cis-1.5/job-master.data
@@ -19,8 +19,8 @@
 [PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
 [PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
 [PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
-[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
+[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)
+[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)
 [INFO] 1.2 API Server
 [WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
 [PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
@@ -54,11 +54,11 @@
 [PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
 [PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
 [PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
-[FAIL] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
-[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Scored)
+[WARN] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)
+[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Not Scored)
 [WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
 [INFO] 1.3 Controller Manager
-[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
+[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)
 [FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
 [PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
 [PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
@@ -171,6 +171,6 @@ on the master node and set the below parameter.
 == Summary ==
 44 checks PASS
-13 checks FAIL
-8 checks WARN
+11 checks FAIL
+10 checks WARN
 0 checks INFO
diff --git a/integration/testdata/cis-1.5/job-node.data b/integration/testdata/cis-1.5/job-node.data
index 15d0a44..3865f4b 100644
--- a/integration/testdata/cis-1.5/job-node.data
+++ b/integration/testdata/cis-1.5/job-node.data
@@ -11,7 +11,7 @@
 [PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
 [PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
 [INFO] 4.2 Kubelet
-[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
+[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Scored)
 [PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
 [PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
 [PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
diff --git a/integration/testdata/cis-1.5/job.data b/integration/testdata/cis-1.5/job.data
index 9fcaabe..142c7c0 100644
--- a/integration/testdata/cis-1.5/job.data
+++ b/integration/testdata/cis-1.5/job.data
@@ -19,8 +19,8 @@
 [PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
 [PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
 [PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
-[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
+[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)
+[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)
 [INFO] 1.2 API Server
 [WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
 [PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
@@ -54,11 +54,11 @@
 [PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
 [PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
 [PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
-[FAIL] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
-[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Scored)
+[WARN] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)
+[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Not Scored)
 [WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
 [INFO] 1.3 Controller Manager
-[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
+[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)
 [FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
 [PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
 [PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
@@ -171,8 +171,8 @@ on the master node and set the below parameter.
 == Summary ==
 44 checks PASS
-13 checks FAIL
-8 checks WARN
+11 checks FAIL
+10 checks WARN
 0 checks INFO
 [INFO] 2 Etcd Node Configuration
 [INFO] 2 Etcd Node Configuration Files
@@ -224,7 +224,7 @@ minimum.
 [PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
 [PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
 [INFO] 4.2 Kubelet
-[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
+[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Scored)
 [PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
 [PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
 [PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
@@ -314,11 +314,11 @@ systemctl restart kubelet.service
 [WARN] 5.4.2 Consider external secret storage (Not Scored)
 [INFO] 5.5 Extensible Admission Control
 [WARN] 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)
-[INFO] 5.6 General Policies
-[WARN] 5.6.1 Create administrative boundaries between resources using namespaces (Not Scored)
-[WARN] 5.6.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)
-[WARN] 5.6.3 Apply Security Context to Your Pods and Containers (Not Scored)
-[WARN] 5.6.4 The default namespace should not be used (Scored)
+[INFO] 5.7 General Policies
+[WARN] 5.7.1 Create administrative boundaries between resources using namespaces (Not Scored)
+[WARN] 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)
+[WARN] 5.7.3 Apply Security Context to Your Pods and Containers (Not Scored)
+[WARN] 5.7.4 The default namespace should not be used (Scored)
 == Remediations ==
 5.1.1 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
@@ -385,10 +385,10 @@ secrets management solution.
 5.5.1 Follow the Kubernetes documentation and setup image provenance.
-5.6.1 Follow the documentation and create namespaces for objects in your deployment as you need
+5.7.1 Follow the documentation and create namespaces for objects in your deployment as you need
 them.
-5.6.2 Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
+5.7.2 Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
 would need to enable alpha features in the apiserver by passing "--feature- gates=AllAlpha=true" argument. Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
@@ -409,11 +409,11 @@ spec:
 - name: trustworthy-container
 image: sotrustworthy:latest
-5.6.3 Follow the Kubernetes documentation and apply security contexts to your pods. For a
+5.7.3 Follow the Kubernetes documentation and apply security contexts to your pods. For a
 suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers.
-5.6.4 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
+5.7.4 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
 resources and that all new resources are created in a specific namespace.