From 2f50de2d0c046668130fed5287a6663b915b350b Mon Sep 17 00:00:00 2001
From: Deepanshu Bhatia
Date: Mon, 2 Sep 2024 16:33:11 +0530
Subject: [PATCH] Update all TCs in policies.yaml; fix command in rh-1.0 as well
---
 cfg/rh-1.0/policies.yaml | 2 +-
 cfg/rh-1.6/policies.yaml | 142 ++++++++++++++++++++++++++++-----------
 2 files changed, 102 insertions(+), 42 deletions(-)
diff --git a/cfg/rh-1.0/policies.yaml b/cfg/rh-1.0/policies.yaml
index e90cd87..29653c8 100644
--- a/cfg/rh-1.0/policies.yaml
+++ b/cfg/rh-1.0/policies.yaml
@@ -13,7 +13,7 @@ groups:
 type: "manual"
 audit: |
 #To get a list of users and service accounts with the cluster-admin role
- oc get clusterrolebindings -o=customcolumns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
+ oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
 grep cluster-admin
 #To verity that kbueadmin is removed, no results should be returned
 oc get secrets kubeadmin -n kube-system
diff --git a/cfg/rh-1.6/policies.yaml b/cfg/rh-1.6/policies.yaml
index fb39ca0..51e2b5d 100644
--- a/cfg/rh-1.6/policies.yaml
+++ b/cfg/rh-1.6/policies.yaml
@@ -13,8 +13,7 @@ groups:
 type: "manual"
 audit: |
 #To get a list of users and service accounts with the cluster-admin role
- oc get clusterrolebindings -o=customcolumns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
- grep cluster-admin
+ oc get clusterrolebindings -o=custom-columns="NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind" | grep cluster-admin
 #To verity that kbueadmin is removed, no results should be returned
 oc get secrets kubeadmin -n kube-system
 remediation: | 
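Review bot: The rh-1.0 hunk still hands `.subjects[*].kind` to the shell unquoted, so `[*]` remains a glob pattern that would be replaced by a matching file name if one exists in the working directory, while the rh-1.6 hunk on the same line already quotes the whole custom-columns spec. Align rh-1.0 with rh-1.6: `oc get clusterrolebindings -o=custom-columns="NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind" |`. The trailing-pipe line continuation into `grep cluster-admin` is valid shell, so only the quoting differs between the two files. The remainder of the 5.1.1 check (remediation, scored) lies outside both hunks.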
@@ -22,7 +21,7 @@ groups: if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role : - kubectl delete clusterrolebinding [name] + oc delete clusterrolebinding [name] scored: false - id: 5.1.2 @@ -36,14 +35,11 @@ groups: text: "Minimize wildcard use in Roles and ClusterRoles (Manual)" type: "manual" audit: | - #needs verification - oc get roles --all-namespaces -o yaml - for i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc - describe clusterrole ${i}; done - #Retrieve the cluster roles defined in the cluster and review for wildcards - oc get clusterroles -o yaml - for i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do - oc describe clusterrole ${i}; done + # needs verification + # Run the command below to describe each cluster role and inspect it for wildcard usage + oc describe clusterrole + # Run the command below to describe each role and inspect it for wildcard usage + oc describe role -A remediation: | Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions. @@ -52,6 +48,10 @@ groups: - id: 5.1.4 text: "Minimize access to create pods (Manual)" type: "manual" + audit: | + # needs verification + # Review the users who have create access to pod objects in the Kubernetes API + oc adm policy who-can create pod remediation: | Where possible, remove create access to pod objects in the cluster. scored: false 
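Review bot: In the 5.1.4 hunk the new audit `oc adm policy who-can create pod` reports only the project selected in the current context, so the review of who can create pods silently misses every other namespace. Add the all-namespaces flag, `oc adm policy who-can create pod -A`, so the output covers the cluster as the check text ("Minimize access to create pods") implies. The 5.1.3 hunk on the same line replaces the per-role loop with `oc describe clusterrole` and `oc describe role -A`, which prints every role without any wildcard filtering; that is acceptable for a manual check, but the `# needs verification` marker should be resolved before the audit is relied on.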
@@ -66,6 +66,12 @@ groups: - id: 5.1.6 text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)" type: "manual" + audit: | + # needs verification + # Find all pods that automatically mount service account tokens + oc get pods -A -o json | jq '.items[] | select(.spec.automountServiceAccountToken) | .metadata.name' + # Find all service accounts that automatically mount service tokens + oc get serviceaccounts -A -o json | jq '.items[] | select(.automountServiceAccountToken) | .metadata.name' remediation: | Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it. @@ -83,8 +89,8 @@ groups: test_items: - flag: "false" remediation: | - Create a SCC as described in the OpenShift documentation, ensuring that the Allow - Privileged field is set to false. + Create an SCC that sets allowPrivilegedContainer to false and take it into use by + assigning it to applicable users and groups. scored: false - id: 5.2.2 @@ -95,8 +101,8 @@ groups: test_items: - flag: "false" remediation: | - Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host - PID field is set to false. + Create an SCC that sets allowHostPID to false and take it into use by assigning it to + applicable users and groups. scored: false - id: 5.2.3 @@ -107,8 +113,8 @@ groups: test_items: - flag: "false" remediation: | - Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host - IPC field is set to false. + Create an SCC that sets allowHostIPC to false and take it into use by assigning it to + applicable users and groups. scored: false - id: 5.2.4 
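Review bot: The 5.1.6 hunk's jq filter `select(.spec.automountServiceAccountToken)` lists only pods that set the field explicitly to true, but a pod that omits the field also gets a token mounted (the field defaults to true unless the service account disables it), so the pods this check is meant to surface are exactly the ones it skips; the same applies to the service-account filter below it. Change the selectors to `select(.spec.automountServiceAccountToken != false)` and `select(.automountServiceAccountToken != false)` so that both absent and true are reported, which also makes the comment `Find all pods that automatically mount service account tokens` accurate. The remediation-text hunks for 5.2.1 to 5.2.3 that share this line need no change.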
@@ -119,8 +125,8 @@ groups: test_items: - flag: "false" remediation: | - Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host - Network field is omitted or set to false. + Create an SCC that sets allowHostNetwork to false and take it into use by assigning + it to applicable users and groups. scored: false - id: 5.2.5 @@ -131,14 +137,14 @@ groups: test_items: - flag: "false" remediation: | - Create a SCC as described in the OpenShift documentation, ensuring that the Allow - Privilege Escalation field is omitted or set to false. + Create an SCC that sets allowPrivilegeEscalation to false and take it into use by + assigning it to applicable users and groups. scored: false - id: 5.2.6 text: "Minimize the admission of root containers (Manual)" audit: | - # needs verification # | awk 'NR>1 {gsub("map\\[type:", "", $2); gsub("\\]$", "", $2); print $1 ":" $2}' + # needs verification oc get scc -o=custom-columns=NAME:.metadata.name,runAsUser:.runAsUser.type #For SCCs with MustRunAs verify that the range of UIDs does not include 0 oc get scc -o=custom-columns=NAME:.metadata.name,uidRangeMin:.runAsUser.uidRangeMin,uidRangeMax:.runAsUser.uidRangeMax @@ -151,8 +157,8 @@ groups: op: nothave value: 0 remediation: | - None required. By default, OpenShift includes the non-root SCC with the the Run As User - Strategy is set to either MustRunAsNonRoot. If additional SCCs are appropriate, follow the + None required. By default, OpenShift includes the nonroot and nonroot-v2 SCCs that + restrict the ability to run as nonroot. If additional SCCs are appropriate, follow the OpenShift documentation to create custom SCCs. scored: false 
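Review bot: The new 5.2.6 remediation text says the nonroot and nonroot-v2 SCCs `restrict the ability to run as nonroot`, which states the opposite of what those SCCs do; they require a non-root UID. Suggested wording: `None required. By default, OpenShift includes the nonroot and nonroot-v2 SCCs that` followed by `require containers to run as a non-root user. If additional SCCs are appropriate, follow the`. The 5.2.6 audit hunk on the same line only moves the `# needs verification` comment and drops the commented-out awk pipeline, which is fine.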
@@ -167,27 +173,65 @@ groups: - flag: "ALL" - flag: "NET_RAW" remediation: | - Create a SCC as described in the OpenShift documentation, ensuring that the Required - Drop Capabilities is set to include either NET_RAW or ALL. + Create an SCC that sets requiredDropCapabilities to include ALL or at least + NET_RAW and take it into use by assigning it to applicable users and groups. scored: false - id: 5.2.8 text: "Minimize the admission of containers with added capabilities (Manual)" type: "manual" + audit: | + # needs verification + # List all SCCs that prohibit users from defining container capabilities + oc get scc -A -o json | jq '.items[] | select(.allowedCapabilities==null) | .metadata.name' + # List all SCCs that do not set default container capabilities + oc get scc -A -o json | jq '.items[] | select(.defaultAddCapabilities==null) | .metadata.name' + tests: + test_items: + - flag: "false" remediation: | - Ensure that Allowed Capabilities is set to an empty array for every SCC in the cluster - except for the privileged SCC. + Utilize the restricted-v2 SCC or create an SCC that sets allowedCapabilities and + defaultAddCapabilities to an empty list and take it into use by assigning it to + applicable users and groups. scored: false - id: 5.2.9 text: "Minimize the admission of containers with capabilities assigned (Manual)" type: "manual" + audit: | + # needs verification + # List all SCCs that drop all capabilities from containers + oc get scc -A -o json | jq '.items[] | select(.requiredDropCapabilities[]?|any(. == "ALL"; .)) | .metadata.name' + tests: + test_items: + - flag: "false" remediation: | - Review the use of capabilites in applications running on your cluster. Where a namespace - contains applicaions which do not require any Linux capabities to operate consider + Review the use of capabilities in applications running on your cluster. 
Where a namespace + contains applications which do not require any Linux capabilities to operate, consider adding a SCC which forbids the admission of containers which do not drop all capabilities. scored: false + - id: 5.2.10 + text: "Minimize access to privileged Security Context Constraints (Manual)" + type: "manual" + audit: | + # needs verification + # All users and groups with access to SCCs that include privileged or elevated capabilities. + oc get scc -ojson | jq '.items[]|select(.allowHostIPC or .allowHostPID or .allowHostPorts + or .allowHostNetwork or .allowHostDirVolumePlugin + or .allowPrivilegedContainer or .runAsUser.type != "MustRunAsRange") | + .metadata.name,{"Group:":.groups},{"User":.users}' + tests: + test_items: + - flag: "false" + remediation: | + Remove any users and groups who do not need access to an SCC, following the principle of least privilege. + You can remove users and groups from an SCC using the oc edit scc $NAME command. + Additionally, you can create your own SCCs that contain the container functionality you + need for a particular use case and assign that SCC to users and groups if the default + SCCs are not appropriate for your use case. + scored: false + - id: 5.3 text: "Network Policies and CNI" checks: @@ -195,7 +239,7 @@ groups: text: "Ensure that the CNI in use supports Network Policies (Manual)" type: "manual" remediation: | - None required. + None required. This will depend on the CNI plugin in use. scored: false - id: 5.3.2 @@ -216,8 +260,7 @@ groups: type: "manual" audit: | #Run the following command to find references to objects which use environment variables defined from secrets. - oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} - {.metadata.name} {"\n"}{end}' -A + oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A remediation: | If possible, rewrite application code to read secrets from mounted secret files, rather than from environment variables. 
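Review bot: The `tests:` blocks added for 5.2.8, 5.2.9 and 5.2.10 each expect `flag: "false"`, but the audit commands next to them print SCC names (and, for 5.2.10, group and user lists), so the string `false` is not something a compliant cluster would emit and the flag cannot describe a pass condition; if the harness evaluates tests on `type: "manual"` checks these will always fail, and if it skips them they are dead configuration. Either drop the three `tests:` blocks or replace the flag with a value that the audit output can actually contain. Separately, the 5.2.10 filter's `.runAsUser.type != "MustRunAsRange"` also selects SCCs that use `MustRunAsNonRoot` (such as nonroot-v2), which is not an elevated setting; if that is not intended, narrow it to `.runAsUser.type == "RunAsAny"`. This hunk begins on the previous line, with the `- flag: "ALL"` and `- flag: "NET_RAW"` context under 5.2.7.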
@@ -237,8 +280,11 @@ groups: - id: 5.5.1 text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)" type: "manual" + audit: | + # needs verification + oc get image.config.openshift.io/cluster -o json | jq .spec.registrySources remediation: | - Follow the OpenShift documentation: [Image configuration resources](https://docs.openshift.com/container-platform/4.15/openshift_images/image-configuration.html + Follow the OpenShift documentation for Image Configuration resources: https://docs.openshift.com/container-platform/4.15/openshift_images/image-configuration.html scored: false - id: 5.7 
@@ -251,22 +297,34 @@ groups: #Run the following command and review the namespaces created in the cluster. oc get namespaces #Ensure that these namespaces are the ones you need and are adequately administered as per your requirements. + oc get namespaces -o json | jq '.items[] | select(.metadata.name|test("(?!default|kube-.|openshift|openshift-.)^.*")) | .metadata.name' remediation: | - Follow the documentation and create namespaces for objects in your deployment as you need - them. + Follow the documentation and create namespaces for objects in your deployment as you need them. scored: false - id: 5.7.2 text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)" type: "manual" + audit: | + oc get pods -A -o json | jq '.items[] | select( (.metadata.namespace | test("^kube*|^openshift*") | not) + and .spec.securityContext.seccompProfile.type==null) | + (.metadata.namespace + "/" + .metadata.name)' remediation: | - To enable the default seccomp profile, use the reserved value /runtime/default that will - make sure that the pod uses the default policy available on the host. + For any non-privileged pods or containers that do not have seccomp profiles, consider + using the RuntimeDefault or creating a custom seccomp profile specifically for the workload. + Please refer to the OpenShift documentation for working with custom seccomp profiles. 
+ https://docs.openshift.com/container-platform/4.15/security/seccomp-profiles.html scored: false - id: 5.7.3 text: "Apply Security Context to Your Pods and Containers (Manual)" type: "manual" + audit: | + # needs verification + # obtain a list of pods that are using privileged security context constraints + oc get pods -A -o json | jq '.items[] | select(.metadata.annotations."openshift.io/scc"|test("privileged"?)) | .metadata.name' + # obtain a list of pods that are not using security context constraints at all + oc get pods -A -o json | jq '.items[] | select(.metadata.annotations."openshift.io/scc" == null) | .metadata.name' remediation: | Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker @@ -277,9 +335,11 @@ groups: text: "The default namespace should not be used (Manual)" type: "manual" audit: | - #Run this command to list objects in default namespace - oc project default - oc get all + # Run the following command to list all resources in the default namespace, besides the kubernetes and + # openshift services, which are expected to be in the default namespace + oc get all -n default -o json | jq '.items[] | select((.kind|test("Service")) + and (.metadata.name|test("openshift|kubernetes"))? | not) | + (.kind + "/" + .metadata.name)' #The only entries there should be system managed resources such as the kubernetes and openshift service remediation: | Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
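Review bot: The 5.7.2 audit only tests the pod-level `.spec.securityContext.seccompProfile.type`, so a pod whose containers set `securityContext.seccompProfile` individually is reported as having no seccomp profile at all. Extend the selector so it also requires that no container sets one, e.g. `and (.spec.securityContext.seccompProfile.type == null)` followed by `and ([.spec.containers[].securityContext.seccompProfile.type] | all(. == null))`, and tighten the namespace regex from `^kube*|^openshift*` to `^kube-|^openshift`, since `kube*` matches `kub` followed by any number of `e`. In the 5.7.3 hunk `test("privileged"?)` carries a stray `?` that applies jq's error suppression to the string literal; `test("privileged")` means the same thing. The 5.7.4 hunk on this line looks correct as written.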