mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-02-21 12:02:30 +00:00

Update all TCs in policies.yaml; fix command in rh-1.0 as well

This commit is contained in:
Deepanshu Bhatia 2024-09-02 16:33:11 +05:30 committed by Md Safiyat Reza
parent f8d3aae808
commit 2f50de2d0c
2 changed files with 102 additions and 42 deletions

View File

@ -13,7 +13,7 @@ groups:
type: "manual"
audit: |
#To get a list of users and service accounts with the cluster-admin role
oc get clusterrolebindings -o=customcolumns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
grep cluster-admin
#To verity that kbueadmin is removed, no results should be returned
oc get secrets kubeadmin -n kube-system
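Review bot: the context line `#To verity that kbueadmin is removed, no results should be returned` carries two typos (verity → verify, kbueadmin → kubeadmin) that this hunk leaves in place; since the commit already touches this audit block to fix `custom-columns`, correct the comment here as well. Note too that `oc get secrets kubeadmin -n kube-system` prints a NotFound error on stderr once the secret is gone, so "no results" is not literally what the operator sees; `--ignore-not-found` would make the empty output match the comment.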

View File

@ -13,8 +13,7 @@ groups:
type: "manual"
audit: |
#To get a list of users and service accounts with the cluster-admin role
oc get clusterrolebindings -o=customcolumns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
grep cluster-admin
oc get clusterrolebindings -o=custom-columns="NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind" | grep cluster-admin
#To verity that kbueadmin is removed, no results should be returned
oc get secrets kubeadmin -n kube-system
remediation: |
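Review bot: the same `#To verity that kbueadmin is removed` comment (verity → verify, kbueadmin → kubeadmin) sits in this file's context lines as well; fixing it in the same hunk keeps the audit blocks of the two files identical now that the `custom-columns` pipeline has been joined onto one line here.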
@ -22,7 +21,7 @@ groups:
if they need this role or if they could use a role with fewer privileges.
Where possible, first bind users to a lower privileged role and then remove the
clusterrolebinding to the cluster-admin role :
kubectl delete clusterrolebinding [name]
oc delete clusterrolebinding [name]
scored: false
- id: 5.1.2
@ -36,14 +35,11 @@ groups:
text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
type: "manual"
audit: |
#needs verification
oc get roles --all-namespaces -o yaml
for i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc
describe clusterrole ${i}; done
#Retrieve the cluster roles defined in the cluster and review for wildcards
oc get clusterroles -o yaml
for i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do
oc describe clusterrole ${i}; done
# needs verification
# Run the command below to describe each cluster role and inspect it for wildcard usage
oc describe clusterrole
# Run the command below to describe each role and inspect it for wildcard usage
oc describe role -A
remediation: |
Where possible replace any use of wildcards in clusterroles and roles with specific
objects or actions.
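Review bot: the replaced loop in 5.1.2 collected names from `oc get roles -A` and then ran `oc describe clusterrole ${i}` on them, so the namespaced roles were never actually described; the new `oc describe role -A` fixes that. The `# needs verification` marker is kept on the new commands, though: if they were run while preparing this change, drop the marker; if not, be aware that `oc describe clusterrole` with no name prints every cluster role, which is a lot to scan for wildcards by hand, and filtering the rules for `"*"` in `verbs` or `resources` before describing would narrow the review.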
@ -52,6 +48,10 @@ groups:
- id: 5.1.4
text: "Minimize access to create pods (Manual)"
type: "manual"
audit: |
# needs verification
# Review the users who have create access to pod objects in the Kubernetes API
oc adm policy who-can create pod
remediation: |
Where possible, remove create access to pod objects in the cluster.
scored: false
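Review bot: `oc adm policy who-can create pod` in the new 5.1.4 audit evaluates access only against the currently selected project, while the control is about create access to pods cluster-wide; add `--all-namespaces` (`-A`) so the review is not limited to whichever project the operator happens to be in.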
@ -66,6 +66,12 @@ groups:
- id: 5.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
type: "manual"
audit: |
# needs verification
# Find all pods that automatically mount service account tokens
oc get pods -A -o json | jq '.items[] | select(.spec.automountServiceAccountToken) | .metadata.name'
# Find all service accounts that automatically mount service tokens
oc get serviceaccounts -A -o json | jq '.items[] | select(.automountServiceAccountToken) | .metadata.name'
remediation: |
Modify the definition of pods and service accounts which do not need to mount service
account tokens to disable it.
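Review bot: `select(.spec.automountServiceAccountToken)` in the new 5.1.6 audit drops every pod on which the field is unset, yet an unset field means the token is mounted by default, so the query misses exactly the pods the control is about. `select(.spec.automountServiceAccountToken != false)` lists the pods that do not explicitly opt out, and `select(.automountServiceAccountToken != false)` does the same for service accounts. Printing `.metadata.namespace + "/" + .metadata.name` instead of `.metadata.name` would also make the `-A` output unambiguous.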
@ -83,8 +89,8 @@ groups:
test_items:
- flag: "false"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Allow
Privileged field is set to false.
Create an SCC that sets allowPrivilegedContainer to false and take it into use by
assigning it to applicable users and groups.
scored: false
- id: 5.2.2
@ -95,8 +101,8 @@ groups:
test_items:
- flag: "false"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
PID field is set to false.
Create an SCC that sets allowHostPID to false and take it into use by assigning it to
applicable users and groups.
scored: false
- id: 5.2.3
@ -107,8 +113,8 @@ groups:
test_items:
- flag: "false"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
IPC field is set to false.
Create an SCC that sets allowHostIPC to false and take it into use by assigning it to
applicable users and groups.
scored: false
- id: 5.2.4
@ -119,8 +125,8 @@ groups:
test_items:
- flag: "false"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
Network field is omitted or set to false.
Create an SCC that sets allowHostNetwork to false and take it into use by assigning
it to applicable users and groups.
scored: false
- id: 5.2.5
@ -131,14 +137,14 @@ groups:
test_items:
- flag: "false"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Allow
Privilege Escalation field is omitted or set to false.
Create an SCC that sets allowPrivilegeEscalation to false and take it into use by
assigning it to applicable users and groups.
scored: false
- id: 5.2.6
text: "Minimize the admission of root containers (Manual)"
audit: |
# needs verification # | awk 'NR>1 {gsub("map\\[type:", "", $2); gsub("\\]$", "", $2); print $1 ":" $2}'
# needs verification
oc get scc -o=custom-columns=NAME:.metadata.name,runAsUser:.runAsUser.type
#For SCCs with MustRunAs verify that the range of UIDs does not include 0
oc get scc -o=custom-columns=NAME:.metadata.name,uidRangeMin:.runAsUser.uidRangeMin,uidRangeMax:.runAsUser.uidRangeMax
@ -151,8 +157,8 @@ groups:
op: nothave
value: 0
remediation: |
None required. By default, OpenShift includes the non-root SCC with the the Run As User
Strategy is set to either MustRunAsNonRoot. If additional SCCs are appropriate, follow the
None required. By default, OpenShift includes the nonroot and nonroot-v2 SCCs that
restrict the ability to run as nonroot. If additional SCCs are appropriate, follow the
OpenShift documentation to create custom SCCs.
scored: false
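Review bot: the new remediation text for 5.2.6 reads "nonroot and nonroot-v2 SCCs that restrict the ability to run as nonroot", which inverts the meaning: those SCCs restrict running as root (they enforce MustRunAsNonRoot, as the replaced wording said). Suggest: "the nonroot and nonroot-v2 SCCs, which require containers to run as a non-root user."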
@ -167,27 +173,65 @@ groups:
- flag: "ALL"
- flag: "NET_RAW"
remediation: |
Create a SCC as described in the OpenShift documentation, ensuring that the Required
Drop Capabilities is set to include either NET_RAW or ALL.
Create an SCC that sets requiredDropCapabilities to include ALL or at least
NET_RAW and take it into use by assigning it to applicable users and groups.
scored: false
- id: 5.2.8
text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual"
audit: |
# needs verification
# List all SCCs that prohibit users from defining container capabilities
oc get scc -A -o json | jq '.items[] | select(.allowedCapabilities==null) | .metadata.name'
# List all SCCs that do not set default container capabilities
oc get scc -A -o json | jq '.items[] | select(.defaultAddCapabilities==null) | .metadata.name'
tests:
test_items:
- flag: "false"
remediation: |
Ensure that Allowed Capabilities is set to an empty array for every SCC in the cluster
except for the privileged SCC.
Utilize the restricted-v2 SCC or create an SCC that sets allowedCapabilities and
defaultAddCapabilities to an empty list and take it into use by assigning it to
applicable users and groups.
scored: false
- id: 5.2.9
text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual"
audit: |
# needs verification
# List all SCCs that drop all capabilities from containers
oc get scc -A -o json | jq '.items[] | select(.requiredDropCapabilities[]?|any(. == "ALL"; .)) | .metadata.name'
tests:
test_items:
- flag: "false"
remediation: |
Review the use of capabilites in applications running on your cluster. Where a namespace
contains applicaions which do not require any Linux capabities to operate consider
Review the use of capabilities in applications running on your cluster. Where a namespace
contains applications which do not require any Linux capabilities to operate, consider
adding a SCC which forbids the admission of containers which do not drop all capabilities.
scored: false
- id: 5.2.10
text: "Minimize access to privileged Security Context Constraints (Manual)"
type: "manual"
audit: |
# needs verification
# All users and groups with access to SCCs that include privileged or elevated capabilities.
oc get scc -ojson | jq '.items[]|select(.allowHostIPC or .allowHostPID or .allowHostPorts
or .allowHostNetwork or .allowHostDirVolumePlugin
or .allowPrivilegedContainer or .runAsUser.type != "MustRunAsRange") |
.metadata.name,{"Group:":.groups},{"User":.users}'
tests:
test_items:
- flag: "false"
remediation: |
Remove any users and groups who do not need access to an SCC, following the principle of least privilege.
You can remove users and groups from an SCC using the oc edit scc $NAME command.
Additionally, you can create your own SCCs that contain the container functionality you
need for a particular use case and assign that SCC to users and groups if the default
SCCs are not appropriate for your use case.
scored: false
- id: 5.3
text: "Network Policies and CNI"
checks:
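Review bot: in the new 5.2.8 audit, `select(.allowedCapabilities==null)` only catches SCCs where the field is absent; an SCC with an explicit empty list (`allowedCapabilities: []`) also prohibits added capabilities but is skipped, and the same applies to `.defaultAddCapabilities==null`. `select((.allowedCapabilities // []) | length == 0)` covers both forms. Two smaller points in the same hunk: the 5.2.9 filter `.requiredDropCapabilities[]?|any(. == "ALL"; .)` evaluates once per list element and reads more clearly as `any(.requiredDropCapabilities[]?; . == "ALL")`, which evaluates once per SCC; and the 5.2.10 output object uses the key `"Group:"` (stray colon) beside `"User"`, so `{"Groups":.groups},{"Users":.users}` would be consistent. Finally, 5.2.8, 5.2.9 and 5.2.10 are `type: "manual"` with audits that print SCC names, yet each carries `test_items: - flag: "false"`, which can never match that output; either drop the `tests:` block or document what it is meant to match.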
@ -195,7 +239,7 @@ groups:
text: "Ensure that the CNI in use supports Network Policies (Manual)"
type: "manual"
remediation: |
None required.
None required. This will depend on the CNI plugin in use.
scored: false
- id: 5.3.2
@ -216,8 +260,7 @@ groups:
type: "manual"
audit: |
#Run the following command to find references to objects which use environment variables defined from secrets.
oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind}
{.metadata.name} {"\n"}{end}' -A
oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
remediation: |
If possible, rewrite application code to read secrets from mounted secret files, rather than
from environment variables.
@ -237,8 +280,11 @@ groups:
- id: 5.5.1
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
type: "manual"
audit: |
# needs verification
oc get image.config.openshift.io/cluster -o json | jq .spec.registrySources
remediation: |
Follow the OpenShift documentation: [Image configuration resources](https://docs.openshift.com/container-platform/4.15/openshift_images/image-configuration.html
Follow the OpenShift documentation for Image Configuration resources: https://docs.openshift.com/container-platform/4.15/openshift_images/image-configuration.html
scored: false
- id: 5.7
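Review bot: the control title in 5.5.1 refers to the ImagePolicyWebhook admission controller, but the new audit inspects `.spec.registrySources` of `image.config.openshift.io/cluster`, which governs allowed and blocked registries rather than an admission webhook; since the line is also tagged `# needs verification`, a comment stating which part of the control this command evidences would help the reader. The replaced remediation line had an unterminated markdown link (`[Image configuration resources](https://...` with no closing parenthesis), which the rewritten line resolves.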
@ -251,22 +297,34 @@ groups:
#Run the following command and review the namespaces created in the cluster.
oc get namespaces
#Ensure that these namespaces are the ones you need and are adequately administered as per your requirements.
oc get namespaces -o json | jq '.items[] | select(.metadata.name|test("(?!default|kube-.|openshift|openshift-.)^.*")) | .metadata.name'
remediation: |
Follow the documentation and create namespaces for objects in your deployment as you need
them.
Follow the documentation and create namespaces for objects in your deployment as you need them.
scored: false
- id: 5.7.2
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
type: "manual"
audit: |
oc get pods -A -o json | jq '.items[] | select( (.metadata.namespace | test("^kube*|^openshift*") | not)
and .spec.securityContext.seccompProfile.type==null) |
(.metadata.namespace + "/" + .metadata.name)'
remediation: |
To enable the default seccomp profile, use the reserved value /runtime/default that will
make sure that the pod uses the default policy available on the host.
For any non-privileged pods or containers that do not have seccomp profiles, consider
using the RuntimeDefault or creating a custom seccomp profile specifically for the workload.
Please refer to the OpenShift documentation for working with custom seccomp profiles.
https://docs.openshift.com/container-platform/4.15/security/seccomp-profiles.html
scored: false
- id: 5.7.3
text: "Apply Security Context to Your Pods and Containers (Manual)"
type: "manual"
audit: |
# needs verification
# obtain a list of pods that are using privileged security context constraints
oc get pods -A -o json | jq '.items[] | select(.metadata.annotations."openshift.io/scc"|test("privileged"?)) | .metadata.name'
# obtain a list of pods that are not using security context constraints at all
oc get pods -A -o json | jq '.items[] | select(.metadata.annotations."openshift.io/scc" == null) | .metadata.name'
remediation: |
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
@ -277,9 +335,11 @@ groups:
text: "The default namespace should not be used (Manual)"
type: "manual"
audit: |
#Run this command to list objects in default namespace
oc project default
oc get all
# Run the following command to list all resources in the default namespace, besides the kubernetes and
# openshift services, which are expected to be in the default namespace
oc get all -n default -o json | jq '.items[] | select((.kind|test("Service"))
and (.metadata.name|test("openshift|kubernetes"))? | not) |
(.kind + "/" + .metadata.name)'
#The only entries there should be system managed resources such as the kubernetes and openshift service
remediation: |
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
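Review bot: in the new 5.7.3 audit, `test("privileged"?)` places the `?` outside the string, where jq treats it as the error-suppression operator rather than a regex quantifier; write `test("privileged")`, or `== "privileged"` since the `openshift.io/scc` annotation holds the SCC name verbatim and a substring match would also hit any custom SCC whose name contains that word. The same query prints only `.metadata.name` under `-A`; use `.metadata.namespace + "/" + .metadata.name` as the 5.7.2 query in this hunk already does. In 5.7.2, `test("^kube*|^openshift*")` matches any namespace beginning with `kub` because the `*` applies to the `e`; `^(kube|openshift)` is what is meant. That check also looks only at `.spec.securityContext.seccompProfile`, so a pod whose containers set `securityContext.seccompProfile` individually is reported as having no profile. The switch in 5.7.4 from `oc project default` to `-n default` is a good change, since the old command altered the operator's current project as a side effect.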