* starts fixes #353 * new approach to minimize duplications * applied merged yaml files for v1.11 and v1.13 * yaml files json/params merged * fixes to remove double quotes from numbers and booleans * fixed bug * fixed certificate check * removed -json files * changes based on PR review * Update check/check_test.go Yay more tests! Co-Authored-By: Liz Rice <liz@lizrice.com> * changes as PR review * fixed bug when scored check is missing tests * attempt to improve the code * fixed list breaks * removes handleError function * Update check/check.go Accepting suggested log level. Co-Authored-By: Liz Rice <liz@lizrice.com>
This commit is contained in:
parent
c22f81610d
commit
3aa41db166
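--- a/PLACEHOLDER_PATH_DELETED_FILE_1
+++ /dev/null
@@ -1,16 +0,0 @@
----
-# Config file for systems such as EKS where config is in JSON files
-# Master nodes are controlled by EKS and not user-accessible
-node:
-kubernetes:
-confs:
-- "/var/lib/kubelet/kubeconfig"
-kubeconfig:
-- "/var/lib/kubelet/kubeconfig"
-
-kubelet:
-defaultsvc: "/etc/systemd/system/kubelet.service"
-defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
-
-proxy:
-defaultkubeconfig: "/var/lib/kubelet/kubeconfig"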
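--- a/PLACEHOLDER_PATH_DELETED_FILE_2
+++ /dev/null
@@ -1,523 +0,0 @@
----
-controls:
-version: 1.11
-id: 2
-text: "Worker Node Security Configuration"
-type: "node"
-groups:
-- id: 2.1
-text: "Kubelet"
-checks:
-- id: 2.1.1
-text: "Ensure that the --allow-privileged argument is set to false (Scored)"
-# This is one of those properties that can only be set as a command line argument.
-# To check if the property is set as expected, we need to parse the kubelet command
-# instead reading the Kubelet Configuration file.
-audit: "ps -fC $kubeletbin"
-tests:
-test_items:
-- flag: "--allow-privileged"
-compare:
-op: eq
-value: false
-set: true
-remediation: |
-Edit the kubelet service file $kubeletsvc
-on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
---allow-privileged=false
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.2
-text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
-audit: "cat $kubeletconf"
-tests:
-test_items:
-- path: "{.authentication.anonymous.enabled}"
-compare:
-op: eq
-value: false
-set: true
-remediation: |
-If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
-false .
-If using executable arguments, edit the kubelet service file
-$kubeletsvc on each worker node and
-set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
---anonymous-auth=false
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.3
-text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
-audit: "cat $kubeletconf"
-tests:
-test_items:
-- path: "{.authorization.mode}"
-compare:
-op: noteq
-value: "AlwaysAllow"
-set: true
-remediation: |
-If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
-If using executable arguments, edit the kubelet service file
-$kubeletsvc on each worker node and
-set the below parameter in KUBELET_AUTHZ_ARGS variable.
---authorization-mode=Webhook
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.4
-text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
-audit: "cat $kubeletconf"
-tests:
-test_items:
-- path: "{.authentication.x509.clientCAFile}"
-set: true
-remediation: |
-If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
-the location of the client CA file.
-If using command line arguments, edit the kubelet service file
-$kubeletsvc on each worker node and
-set the below parameter in KUBELET_AUTHZ_ARGS variable.
---client-ca-file=<path/to/client-ca-file>
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.5
-text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
-audit: "cat $kubeletconf"
-tests:
-test_items:
-- path: "{.readOnlyPort}"
-compare:
-op: eq
-value: "0"
-set: true
-remediation: |
-If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
-If using command line arguments, edit the kubelet service file
-$kubeletsvc on each worker node and
-set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
---read-only-port=0
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.6
-text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
-audit: "cat $kubeletconf"
-tests:
-bin_op: or
-test_items:
-- path: "{.streamingConnectionIdleTimeout}"
-set: false
-- path: "{.streamingConnectionIdleTimeout}"
-compare:
-op: noteq
-value: 0
-set: true
-remediation: |
-If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
-value other than 0.
-If using command line arguments, edit the kubelet service file
-$kubeletsvc on each worker node and
-set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
---streaming-connection-idle-timeout=5m
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.7
-text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
-audit: "cat $kubeletconf"
-tests:
-test_items:
-- path: "{.protectKernelDefaults}"
-compare:
-op: eq
-value: true
-set: true
-remediation: |
-If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
-If using command line arguments, edit the kubelet service file
-$kubeletsvc on each worker node and
-set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
---protect-kernel-defaults=true
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.8
-text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
-audit: "cat $kubeletconf"
-tests:
-bin_op: or
-test_items:
-- path: "{.makeIPTablesUtilChains}"
-set: false
-- path: "{.makeIPTablesUtilChains}"
-compare:
-op: eq
-value: true
-set: true
-remediation: |
-If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
-If using command line arguments, edit the kubelet service file
-$kubeletsvc on each worker node and
-remove the --make-iptables-util-chains argument from the
-KUBELET_SYSTEM_PODS_ARGS variable.
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.9
-text: "Ensure that the --hostname-override argument is not set (Scored)"
-audit: "cat $kubeletconf"
-tests:
-test_items:
-- path: "{.hostnameOverride}"
-set: false
-remediation: |
-Edit the kubelet service file $kubeletsvc
-on each worker node and remove the --hostname-override argument from the
-KUBELET_SYSTEM_PODS_ARGS variable.
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.10
-text: "Ensure that the --event-qps argument is set to 0 (Scored)"
-audit: "cat $kubeletconf"
-tests:
-test_items:
-- path: "{.eventRecordQPS}"
-compare:
-op: eq
-value: 0
-set: true
-remediation: |
-If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
-If using command line arguments, edit the kubelet service file
-$kubeletsvc on each worker node and
-set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
---event-qps=0
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.11
-text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
-audit: "cat $kubeletconf"
-tests:
-bin_op: and
-test_items:
-- path: "{.tlsCertFile}"
-set: true
-- path: "{.tlsPrivateKeyFile}"
-set: true
-remediation: |
-If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
-file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
-corresponding private key file.
-If using command line arguments, edit the kubelet service file
-$kubeletsvc on each worker node and
-set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
---tls-cert-file=<path/to/tls-certificate-file>
-file=<path/to/tls-key-file>
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.12
-text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
-audit: "cat $kubeletconf"
-tests:
-bin_op: or
-test_items:
-- path: "{.cadvisorPort}"
-compare:
-op: eq
-value: 0
-set: true
-- path: "{.cadvisorPort}"
-set: false
-remediation: |
-Edit the kubelet service file $kubeletsvc
-on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
---cadvisor-port=0
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.13
-text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
-audit: "cat $kubeletconf"
-tests:
-bin_op: or
-test_items:
-- path: "{.rotateCertificates}"
-set: false
-- path: "{.rotateCertificates}"
-compare:
-op: noteq
-value: "false"
-set: true
-remediation: |
-If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
-If using command line arguments, edit the kubelet service file $kubeletsvc
-on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.14
-text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
-audit: "cat $kubeletconf"
-tests:
-test_items:
-- path: "{.featureGates.RotateKubeletServerCertificate}"
-compare:
-op: eq
-value: true
-set: true
-remediation: |
-Edit the kubelet service file $kubeletsvc
-on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
---feature-gates=RotateKubeletServerCertificate=true
-Based on your system, restart the kubelet service. For example:
-systemctl daemon-reload
-systemctl restart kubelet.service
-scored: true
-
-- id: 2.1.15
-text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
-audit: "cat $kubeletconf"
-tests:
-test_items:
-- path: "{.tlsCipherSuites}"
-compare:
-op: valid_elements
-value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
-set: true
-remediation: |
-If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
-If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
---tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
-scored: false
-
-- id: 2.2
-text: "Configuration Files"
-checks:
-- id: 2.2.1
-text: "Ensure that the kubelet.conf file permissions are set to 644 or
-more restrictive (Scored)"
-audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
-tests:
-bin_op: or
-test_items:
-- flag: "644"
-compare:
-op: eq
-value: "644"
-set: true
-- flag: "640"
-compare:
-op: eq
-value: "640"
-set: true
-- flag: "600"
-compare:
-op: eq
-value: "600"
-set: true
-remediation: |
-Run the below command (based on the file location on your system) on the each worker
-node. For example,
-chmod 644 $kubeletkubeconfig
-scored: true
-
-- id: 2.2.2
-text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
-audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
-tests:
-test_items:
-- flag: "root:root"
-compare:
-op: eq
-value: root:root
-set: true
-remediation: |
-Run the below command (based on the file location on your system) on the each worker
-node. For example,
-chown root:root $kubeletkubeconfig
-scored: true
-
-- id: 2.2.3
-text: "Ensure that the kubelet service file permissions are set to 644 or
-more restrictive (Scored)"
-audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
-tests:
-bin_op: or
-test_items:
-- flag: "644"
-compare:
-op: eq
-value: 644
-set: true
-- flag: "640"
-compare:
-op: eq
-value: "640"
-set: true
-- flag: "600"
-compare:
-op: eq
-value: "600"
-set: true
-remediation: |
-Run the below command (based on the file location on your system) on the each worker
-node. For example,
-chmod 755 $kubeletsvc
-scored: true
-
-- id: 2.2.4
-text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
-audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
-tests:
-test_items:
-- flag: "root:root"
-set: true
-remediation: |
-Run the below command (based on the file location on your system) on the each worker
-node. For example,
-chown root:root $kubeletsvc
-scored: true
-
-- id: 2.2.5
-text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
-audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
-tests:
-bin_op: or
-test_items:
-- flag: "644"
-compare:
-op: eq
-value: "644"
-set: true
-- flag: "640"
-compare:
-op: eq
-value: "640"
-set: true
-- flag: "600"
-compare:
-op: eq
-value: "600"
-set: true
-remediation: |
-Run the below command (based on the file location on your system) on the each worker
-node. For example,
-chmod 644 $proxykubeconfig
-
-Note - This test reports "FAIL" if kube-proxy has been configured
-using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored
-as the kube-proxy does not expose the kubeconfig file to the worker node.
-scored: true
-
-- id: 2.2.6
-text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
-audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
-tests:
-test_items:
-- flag: "root:root"
-set: true
-remediation: |
-Run the below command (based on the file location on your system) on the each worker
-node. For example,
-chown root:root $proxykubeconfig
-
-Note - This test reports "FAIL" if kube-proxy has been configured
-using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored
-as the kube-proxy does not expose the kubeconfig file to the worker node.
-scored: true
-
-- id: 2.2.7
-text: "Ensure that the certificate authorities file permissions are set to
-644 or more restrictive (Scored)"
-type: "manual"
-remediation: |
-[Manual test]
-Run the following command to modify the file permissions of the --client-ca-file
-chmod 644 <filename>
-scored: true
-
-- id: 2.2.8
-text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
-tests:
-test_items:
-- flag: "root:root"
-compare:
-op: eq
-value: root:root
-set: true
-remediation: |
-Run the following command to modify the ownership of the --client-ca-file .
-chown root:root <filename>
-scored: true
-
-- id: 2.2.9
-text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
-audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
-tests:
-test_items:
-- flag: "root:root"
-set: true
-remediation: |
-Run the following command (using the config file location identied in the Audit step)
-chown root:root $kubeletconf
-scored: true
-
-- id: 2.2.10
-text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
-audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
-tests:
-bin_op: or
-test_items:
-- flag: "644"
-compare:
-op: eq
-value: "644"
-set: true
-- flag: "640"
-compare:
-op: eq
-value: "640"
-set: true
-- flag: "600"
-compare:
-op: eq
-value: "600"
-set: true
-remediation: |
-Run the following command (using the config file location identied in the Audit step)
-chmod 644 $kubeletconf
-scored: true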
@ -1,23 +1,23 @@
|
|||||||
---
|
---
|
||||||
controls:
|
controls:
|
||||||
version: 1.11
|
version: "1.11"
|
||||||
id: 2
|
id: "2"
|
||||||
text: "Worker Node Security Configuration"
|
text: Worker Node Security Configuration
|
||||||
type: "node"
|
type: "node"
|
||||||
groups:
|
groups:
|
||||||
- id: 2.1
|
- id: "2.1"
|
||||||
text: "Kubelet"
|
text: Kubelet
|
||||||
checks:
|
checks:
|
||||||
- id: 2.1.1
|
- id: 2.1.1
|
||||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
text: Ensure that the --allow-privileged argument is set to false (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin "
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--allow-privileged"
|
- flag: --allow-privileged
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: false
|
value: false
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the kubelet service file $kubeletsvc
|
Edit the kubelet service file $kubeletsvc
|
||||||
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||||
@ -28,15 +28,17 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.2
|
- id: 2.1.2
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
text: Ensure that the --anonymous-auth argument is set to false (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--anonymous-auth"
|
- flag: --anonymous-auth
|
||||||
|
path: '{.authentication.anonymous.enabled}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: false
|
value: false
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
|
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
|
||||||
false .
|
false .
|
||||||
@ -50,15 +52,17 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.3
|
- id: 2.1.3
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--authorization-mode"
|
- flag: --authorization-mode
|
||||||
|
path: '{.authorization.mode}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: nothave
|
op: nothave
|
||||||
value: "AlwaysAllow"
|
value: AlwaysAllow
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
|
If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
|
||||||
If using executable arguments, edit the kubelet service file
|
If using executable arguments, edit the kubelet service file
|
||||||
@ -71,11 +75,13 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.4
|
- id: 2.1.4
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
text: Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--client-ca-file"
|
- flag: --client-ca-file
|
||||||
|
path: '{.authentication.x509.clientCAFile}'
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
|
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
|
||||||
@ -90,15 +96,17 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.5
|
- id: 2.1.5
|
||||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
text: Ensure that the --read-only-port argument is set to 0 (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--read-only-port"
|
- flag: --read-only-port
|
||||||
|
path: '{.readOnlyPort}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 0
|
value: 0
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
|
If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
|
||||||
If using command line arguments, edit the kubelet service file
|
If using command line arguments, edit the kubelet service file
|
||||||
@ -111,18 +119,21 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.6
|
- id: 2.1.6
|
||||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--streaming-connection-idle-timeout"
|
- flag: --streaming-connection-idle-timeout
|
||||||
|
path: '{.streamingConnectionIdleTimeout}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: noteq
|
op: noteq
|
||||||
value: 0
|
value: 0
|
||||||
set: true
|
- flag: --streaming-connection-idle-timeout
|
||||||
- flag: "--streaming-connection-idle-timeout"
|
path: '{.streamingConnectionIdleTimeout}'
|
||||||
set: false
|
set: false
|
||||||
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
|
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
|
||||||
value other than 0.
|
value other than 0.
|
||||||
@ -136,15 +147,17 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.7
|
- id: 2.1.7
|
||||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
text: Ensure that the --protect-kernel-defaults argument is set to true (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--protect-kernel-defaults"
|
- flag: --protect-kernel-defaults
|
||||||
|
path: '{.protectKernelDefaults}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
|
If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
|
||||||
If using command line arguments, edit the kubelet service file
|
If using command line arguments, edit the kubelet service file
|
||||||
@ -157,18 +170,21 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.8
|
- id: 2.1.8
|
||||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
text: Ensure that the --make-iptables-util-chains argument is set to true (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--make-iptables-util-chains"
|
- flag: --make-iptables-util-chains
|
||||||
|
path: '{.makeIPTablesUtilChains}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
set: true
|
- flag: --make-iptables-util-chains
|
||||||
- flag: "--make-iptables-util-chains"
|
path: '{.makeIPTablesUtilChains}'
|
||||||
set: false
|
set: false
|
||||||
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
|
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
|
||||||
If using command line arguments, edit the kubelet service file
|
If using command line arguments, edit the kubelet service file
|
||||||
@ -181,11 +197,13 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.9
|
- id: 2.1.9
|
||||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
text: Ensure that the --hostname-override argument is not set (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--hostname-override"
|
- flag: --hostname-override
|
||||||
|
path: '{.hostnameOverride}'
|
||||||
set: false
|
set: false
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the kubelet service file $kubeletsvc
|
Edit the kubelet service file $kubeletsvc
|
||||||
@ -197,15 +215,17 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.10
|
- id: 2.1.10
|
||||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
text: Ensure that the --event-qps argument is set to 0 (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--event-qps"
|
- flag: --event-qps
|
||||||
|
path: '{.eventRecordQPS}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 0
|
value: 0
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
|
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
|
||||||
If using command line arguments, edit the kubelet service file
|
If using command line arguments, edit the kubelet service file
|
||||||
@ -218,15 +238,18 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.11
|
- id: 2.1.11
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--tls-cert-file"
|
- flag: --tls-cert-file
|
||||||
|
path: '{.tlsCertFile}'
|
||||||
set: true
|
set: true
|
||||||
- flag: "--tls-private-key-file"
|
- flag: --tls-private-key-file
|
||||||
|
path: '{.tlsPrivateKeyFile}'
|
||||||
set: true
|
set: true
|
||||||
|
bin_op: and
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
|
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
|
||||||
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
|
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
|
||||||
@ -242,18 +265,21 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.12
|
- id: 2.1.12
|
||||||
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
text: Ensure that the --cadvisor-port argument is set to 0 (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--cadvisor-port"
|
- flag: --cadvisor-port
|
||||||
|
path: '{.cadvisorPort}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 0
|
value: 0
|
||||||
set: true
|
- flag: --cadvisor-port
|
||||||
- flag: "--cadvisor-port"
|
path: '{.cadvisorPort}'
|
||||||
set: false
|
set: false
|
||||||
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the kubelet service file $kubeletsvc
|
Edit the kubelet service file $kubeletsvc
|
||||||
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
|
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
|
||||||
@ -264,18 +290,21 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.13
|
- id: 2.1.13
|
||||||
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
|
text: Ensure that the --rotate-certificates argument is not set to false (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--rotate-certificates"
|
- flag: --rotate-certificates
|
||||||
|
path: '{.rotateCertificates}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
set: true
|
- flag: --rotate-certificates
|
||||||
- flag: "--rotate-certificates"
|
path: '{.rotateCertificates}'
|
||||||
set: false
|
set: false
|
||||||
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
|
If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
|
||||||
If using command line arguments, edit the kubelet service file $kubeletsvc
|
If using command line arguments, edit the kubelet service file $kubeletsvc
|
||||||
@ -286,15 +315,17 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.14
|
- id: 2.1.14
|
||||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "RotateKubeletServerCertificate"
|
- flag: RotateKubeletServerCertificate
|
||||||
|
path: '{.featureGates.RotateKubeletServerCertificate}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the kubelet service file $kubeletsvc
|
Edit the kubelet service file $kubeletsvc
|
||||||
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
|
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
|
||||||
@ -305,208 +336,206 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.15
|
- id: 2.1.15
|
||||||
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
|
text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--tls-cipher-suites"
|
- flag: --tls-cipher-suites
|
||||||
|
path: '{.tlsCipherSuites}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: valid_elements
|
op: valid_elements
|
||||||
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
|
value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||||
If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
|
If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
|
||||||
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 2.2
|
- id: "2.2"
|
||||||
text: "Configuration Files"
|
text: Configuration Files
|
||||||
checks:
|
checks:
|
||||||
- id: 2.2.1
|
- id: 2.2.1
|
||||||
text: "Ensure that the kubelet.conf file permissions are set to 644 or
|
text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
||||||
more restrictive (Scored)"
|
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
|
tests:
|
||||||
tests:
|
test_items:
|
||||||
bin_op: or
|
- flag: "644"
|
||||||
test_items:
|
set: true
|
||||||
- flag: "644"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "644"
|
||||||
value: "644"
|
- flag: "640"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "640"
|
||||||
value: "640"
|
- flag: "600"
|
||||||
set: true
|
set: true
|
||||||
- flag: "600"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "600"
|
||||||
value: "600"
|
bin_op: or
|
||||||
set: true
|
remediation: |
|
||||||
remediation: |
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
node. For example,
|
||||||
node. For example,
|
chmod 644 $kubeletkubeconfig
|
||||||
chmod 644 $kubeletkubeconfig
|
scored: true
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.2
|
- id: 2.2.2
|
||||||
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
text: Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
|
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: root:root
|
||||||
compare:
|
set: true
|
||||||
op: eq
|
compare:
|
||||||
value: root:root
|
op: eq
|
||||||
set: true
|
value: root:root
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chown root:root $kubeletkubeconfig
|
chown root:root $kubeletkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.3
|
- id: 2.2.3
|
||||||
text: "Ensure that the kubelet service file permissions are set to 644 or
|
text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
|
||||||
more restrictive (Scored)"
|
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
|
tests:
|
||||||
tests:
|
test_items:
|
||||||
bin_op: or
|
- flag: "644"
|
||||||
test_items:
|
set: true
|
||||||
- flag: "644"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "644"
|
||||||
value: 644
|
- flag: "640"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "640"
|
||||||
value: "640"
|
- flag: "600"
|
||||||
set: true
|
set: true
|
||||||
- flag: "600"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "600"
|
||||||
value: "600"
|
bin_op: or
|
||||||
set: true
|
remediation: |
|
||||||
remediation: |
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
node. For example,
|
||||||
node. For example,
|
chmod 755 $kubeletsvc
|
||||||
chmod 755 $kubeletsvc
|
scored: true
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.4
|
- id: 2.2.4
|
||||||
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
|
text: Ensure that the kubelet service file ownership is set to root:root (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
|
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: root:root
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chown root:root $kubeletsvc
|
chown root:root $kubeletsvc
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.5
|
- id: 2.2.5
|
||||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
|
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
test_items:
|
||||||
test_items:
|
- flag: "644"
|
||||||
- flag: "644"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
- flag: "640"
|
||||||
- flag: "640"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "640"
|
value: "640"
|
||||||
set: true
|
- flag: "600"
|
||||||
- flag: "600"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chmod 644 $proxykubeconfig
|
chmod 644 $proxykubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.6
|
- id: 2.2.6
|
||||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
text: Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
|
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: root:root
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chown root:root $proxykubeconfig
|
chown root:root $proxykubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
text: "Ensure that the certificate authorities file permissions are set to
|
text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||||
644 or more restrictive (Scored)"
|
type: manual
|
||||||
type: "manual"
|
remediation: |
|
||||||
remediation: |
|
Run the following command to modify the file permissions of the --client-ca-file
|
||||||
[Manual test]
|
chmod 644 <filename>
|
||||||
Run the following command to modify the file permissions of the --client-ca-file
|
scored: true
|
||||||
chmod 644 <filename>
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.8
|
- id: 2.2.8
|
||||||
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
|
text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
|
audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: root:root
|
||||||
compare:
|
set: true
|
||||||
op: eq
|
compare:
|
||||||
value: root:root
|
op: eq
|
||||||
set: true
|
value: root:root
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command to modify the ownership of the --client-ca-file .
|
Run the following command to modify the ownership of the --client-ca-file .
|
||||||
chown root:root <filename>
|
chown root:root <filename>
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.9
|
- id: 2.2.9
|
||||||
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
|
text: Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: root:root
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command (using the config file location identied in the Audit step)
|
Run the following command (using the config file location identied in the Audit step)
|
||||||
chown root:root $kubeletconf
|
chown root:root $kubeletconf
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.10
|
- id: 2.2.10
|
||||||
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
|
text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
test_items:
|
||||||
test_items:
|
- flag: "644"
|
||||||
- flag: "644"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
- flag: "640"
|
||||||
- flag: "640"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "640"
|
value: "640"
|
||||||
set: true
|
- flag: "600"
|
||||||
- flag: "600"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command (using the config file location identied in the Audit step)
|
Run the following command (using the config file location identied in the Audit step)
|
||||||
chmod 644 $kubeletconf
|
chmod 644 $kubeletconf
|
||||||
scored: true
|
scored: true
|
||||||
|
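Review bot: The remediation for check 2.2.3 on the new side still reads `chmod 755 $kubeletsvc` while that check's test_items only accept 644, 640 or 600, so a node that applies the remediation as written keeps failing the check and is left with execute bits for group and others on the kubelet unit file; the line should be `chmod 644 $kubeletsvc`, matching the 2.2.1 and 2.2.5 remediations in the same hunk. The 755 value was already present on the old side, so it is pre-existing rather than introduced here, but this commit rewrites the surrounding block and is the natural place to correct it. As a point of style, the new single-quoted audit strings such as `audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '` carry a space before the closing quote, which puts a trailing space into the command; harmless to the shell but easy to misread, and the double-quoted form the old side used avoids the doubled quotes entirely. The enclosing file section begins before the visible part of the page; this note covers the `@ -305,208 +336,206 @@` hunk only.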
@ -1,16 +0,0 @@
|
|||||||
---
|
|
||||||
# Config file for systems such as EKS where config is in JSON files
|
|
||||||
# Master nodes are controlled by EKS and not user-accessible
|
|
||||||
node:
|
|
||||||
kubernetes:
|
|
||||||
confs:
|
|
||||||
- "/var/lib/kubelet/kubeconfig"
|
|
||||||
kubeconfig:
|
|
||||||
- "/var/lib/kubelet/kubeconfig"
|
|
||||||
|
|
||||||
kubelet:
|
|
||||||
defaultsvc: "/etc/systemd/system/kubelet.service"
|
|
||||||
defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
|
|
||||||
|
|
||||||
proxy:
|
|
||||||
defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
|
|
@ -1,505 +0,0 @@
|
|||||||
---
|
|
||||||
controls:
|
|
||||||
version: 1.13
|
|
||||||
id: 2
|
|
||||||
text: "Worker Node Security Configuration"
|
|
||||||
type: "node"
|
|
||||||
groups:
|
|
||||||
- id: 2.1
|
|
||||||
text: "Kubelet"
|
|
||||||
checks:
|
|
||||||
- id: 2.1.1
|
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- path: "{.authentication.anonymous.enabled}"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: false
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
|
|
||||||
false .
|
|
||||||
If using executable arguments, edit the kubelet service file
|
|
||||||
$kubeletsvc on each worker node and
|
|
||||||
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
||||||
--anonymous-auth=false
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.2
|
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- path: "{.authorization.mode}"
|
|
||||||
compare:
|
|
||||||
op: nothave
|
|
||||||
value: "AlwaysAllow"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
|
|
||||||
If using executable arguments, edit the kubelet service file
|
|
||||||
$kubeletsvc on each worker node and
|
|
||||||
set the below parameter in KUBELET_AUTHZ_ARGS variable.
|
|
||||||
--authorization-mode=Webhook
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.3
|
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- path: "{.authentication.x509.clientCAFile}"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
|
|
||||||
the location of the client CA file.
|
|
||||||
If using command line arguments, edit the kubelet service file
|
|
||||||
$kubeletsvc on each worker node and
|
|
||||||
set the below parameter in KUBELET_AUTHZ_ARGS variable.
|
|
||||||
--client-ca-file=<path/to/client-ca-file>
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.4
|
|
||||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- path: "{.readOnlyPort}"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: 0
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
|
|
||||||
If using command line arguments, edit the kubelet service file
|
|
||||||
$kubeletsvc on each worker node and
|
|
||||||
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
||||||
--read-only-port=0
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.5
|
|
||||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
bin_op: or
|
|
||||||
test_items:
|
|
||||||
- path: "{.streamingConnectionIdleTimeout}"
|
|
||||||
compare:
|
|
||||||
op: noteq
|
|
||||||
value: 0
|
|
||||||
set: true
|
|
||||||
- path: "{.streamingConnectionIdleTimeout}"
|
|
||||||
set: false
|
|
||||||
remediation: |
|
|
||||||
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
|
|
||||||
value other than 0.
|
|
||||||
If using command line arguments, edit the kubelet service file
|
|
||||||
$kubeletsvc on each worker node and
|
|
||||||
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
||||||
--streaming-connection-idle-timeout=5m
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.6
|
|
||||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- path: "{.protectKernelDefaults}"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: true
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
|
|
||||||
If using command line arguments, edit the kubelet service file
|
|
||||||
$kubeletsvc on each worker node and
|
|
||||||
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
||||||
--protect-kernel-defaults=true
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.7
|
|
||||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
bin_op: or
|
|
||||||
test_items:
|
|
||||||
- path: "{.makeIPTablesUtilChains}"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: true
|
|
||||||
set: true
|
|
||||||
- path: "{.makeIPTablesUtilChains}"
|
|
||||||
set: false
|
|
||||||
remediation: |
|
|
||||||
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
|
|
||||||
If using command line arguments, edit the kubelet service file
|
|
||||||
$kubeletsvc on each worker node and
|
|
||||||
remove the --make-iptables-util-chains argument from the
|
|
||||||
KUBELET_SYSTEM_PODS_ARGS variable.
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.8
|
|
||||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
|
||||||
# This is one of those properties that can only be set as a command line argument.
|
|
||||||
# To check if the property is set as expected, we need to parse the kubelet command
|
|
||||||
# instead reading the Kubelet Configuration file.
|
|
||||||
audit: "ps -fC $kubeletbin"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- flag: "--hostname-override"
|
|
||||||
set: false
|
|
||||||
remediation: |
|
|
||||||
Edit the kubelet service file $kubeletsvc
|
|
||||||
on each worker node and remove the --hostname-override argument from the
|
|
||||||
KUBELET_SYSTEM_PODS_ARGS variable.
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.9
|
|
||||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- path: "{.eventRecordQPS}"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: 0
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
|
|
||||||
If using command line arguments, edit the kubelet service file
|
|
||||||
$kubeletsvc on each worker node and
|
|
||||||
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
||||||
--event-qps=0
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.10
|
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
bin_op: and
|
|
||||||
test_items:
|
|
||||||
- path: "{.tlsCertFile}"
|
|
||||||
set: true
|
|
||||||
- path: "{.tlsPrivateKeyFile}"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
|
|
||||||
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
|
|
||||||
corresponding private key file.
|
|
||||||
If using command line arguments, edit the kubelet service file
|
|
||||||
$kubeletsvc on each worker node and
|
|
||||||
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
|
|
||||||
--tls-cert-file=<path/to/tls-certificate-file>
|
|
||||||
file=<path/to/tls-key-file>
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.11
|
|
||||||
text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0"
|
|
||||||
# This is one of those properties that can only be set as a command line argument.
|
|
||||||
# To check if the property is set as expected, we need to parse the kubelet command
|
|
||||||
# instead reading the Kubelet Configuration file.
|
|
||||||
audit: "ps -fC $kubeletbin"
|
|
||||||
type: "skip"
|
|
||||||
tests:
|
|
||||||
bin_op: or
|
|
||||||
test_items:
|
|
||||||
- flag: "--cadvisor-port"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: 0
|
|
||||||
set: true
|
|
||||||
- flag: "--cadvisor-port"
|
|
||||||
set: false
|
|
||||||
remediation: |
|
|
||||||
Edit the kubelet service file $kubeletsvc
|
|
||||||
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
|
|
||||||
--cadvisor-port=0
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: false
|
|
||||||
|
|
||||||
- id: 2.1.12
|
|
||||||
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- path: "{.rotateCertificates}"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: true
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
|
|
||||||
If using command line arguments, edit the kubelet service file $kubeletsvc
|
|
||||||
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.13
|
|
||||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- path: "{.featureGates.RotateKubeletServerCertificate}"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: true
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
Edit the kubelet service file $kubeletsvc
|
|
||||||
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
|
|
||||||
--feature-gates=RotateKubeletServerCertificate=true
|
|
||||||
Based on your system, restart the kubelet service. For example:
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet.service
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.14
|
|
||||||
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
|
|
||||||
audit: "cat $kubeletconf"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- path: "{range .tlsCipherSuites[:]}{}{','}{end}"
|
|
||||||
compare:
|
|
||||||
op: valid_elements
|
|
||||||
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
||||||
If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
|
|
||||||
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
||||||
scored: false
|
|
||||||
|
|
||||||
- id: 2.2
|
|
||||||
text: "Configuration Files"
|
|
||||||
checks:
|
|
||||||
- id: 2.2.1
|
|
||||||
text: "Ensure that the kubelet.conf file permissions are set to 644 or
|
|
||||||
more restrictive (Scored)"
|
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
|
|
||||||
tests:
|
|
||||||
bin_op: or
|
|
||||||
test_items:
|
|
||||||
- flag: "644"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "644"
|
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
|
||||||
node. For example,
|
|
||||||
chmod 644 $kubeletkubeconfig
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.2
|
|
||||||
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- flag: "root:root"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: root:root
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
|
||||||
node. For example,
|
|
||||||
chown root:root $kubeletkubeconfig
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.3
|
|
||||||
text: "Ensure that the kubelet service file permissions are set to 644 or
|
|
||||||
more restrictive (Scored)"
|
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
|
|
||||||
tests:
|
|
||||||
bin_op: or
|
|
||||||
test_items:
|
|
||||||
- flag: "644"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: 644
|
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
|
||||||
node. For example,
|
|
||||||
chmod 755 $kubeletsvc
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.4
|
|
||||||
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
|
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- flag: "root:root"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
|
||||||
node. For example,
|
|
||||||
chown root:root $kubeletsvc
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.5
|
|
||||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
|
||||||
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
|
|
||||||
tests:
|
|
||||||
bin_op: or
|
|
||||||
test_items:
|
|
||||||
- flag: "644"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "644"
|
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
|
||||||
node. For example,
|
|
||||||
chmod 644 $proxykubeconfig
|
|
||||||
|
|
||||||
Note - This test reports "FAIL" if kube-proxy has been configured
|
|
||||||
using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored
|
|
||||||
as the kube-proxy does not expose the kubeconfig file to the worker node.
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.6
|
|
||||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
|
||||||
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- flag: "root:root"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
|
||||||
node. For example,
|
|
||||||
chown root:root $proxykubeconfig
|
|
||||||
|
|
||||||
Note - This test reports "FAIL" if kube-proxy has been configured
|
|
||||||
using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored
|
|
||||||
as the kube-proxy does not expose the kubeconfig file to the worker node.
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.7
|
|
||||||
text: "Ensure that the certificate authorities file permissions are set to
|
|
||||||
644 or more restrictive (Scored)"
|
|
||||||
type: "manual"
|
|
||||||
remediation: |
|
|
||||||
[Manual test]
|
|
||||||
Run the following command to modify the file permissions of the --client-ca-file
|
|
||||||
chmod 644 <filename>
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.8
|
|
||||||
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
|
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- flag: "root:root"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: root:root
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
Run the following command to modify the ownership of the --client-ca-file .
|
|
||||||
chown root:root <filename>
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.9
|
|
||||||
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
|
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- flag: "root:root"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
Run the following command (using the config file location identied in the Audit step)
|
|
||||||
chown root:root $kubeletconf
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.10
|
|
||||||
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
|
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
|
||||||
tests:
|
|
||||||
bin_op: or
|
|
||||||
test_items:
|
|
||||||
- flag: "644"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "644"
|
|
||||||
set: true
|
|
||||||
- flag: "640"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "640"
|
|
||||||
set: true
|
|
||||||
- flag: "600"
|
|
||||||
compare:
|
|
||||||
op: eq
|
|
||||||
value: "600"
|
|
||||||
set: true
|
|
||||||
remediation: |
|
|
||||||
Run the following command (using the config file location identied in the Audit step)
|
|
||||||
chmod 644 $kubeletconf
|
|
||||||
scored: true
|
|
@ -1,23 +1,25 @@
|
|||||||
---
|
---
|
||||||
controls:
|
controls:
|
||||||
version: 1.13
|
version: "1.13"
|
||||||
id: 2
|
id: "2"
|
||||||
text: "Worker Node Security Configuration"
|
text: Worker Node Security Configuration
|
||||||
type: "node"
|
type: "node"
|
||||||
groups:
|
groups:
|
||||||
- id: 2.1
|
- id: "2.1"
|
||||||
text: "Kubelet"
|
text: Kubelet
|
||||||
checks:
|
checks:
|
||||||
- id: 2.1.1
|
- id: 2.1.1
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
text: Ensure that the --anonymous-auth argument is set to false (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--anonymous-auth"
|
- flag: "--anonymous-auth"
|
||||||
|
path: '{.authentication.anonymous.enabled}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: false
|
value: false
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
|
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
|
||||||
false .
|
false .
|
||||||
@ -31,15 +33,17 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.2
|
- id: 2.1.2
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--authorization-mode"
|
- flag: --authorization-mode
|
||||||
|
path: '{.authorization.mode}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: nothave
|
op: nothave
|
||||||
value: "AlwaysAllow"
|
value: AlwaysAllow
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
|
If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
|
||||||
If using executable arguments, edit the kubelet service file
|
If using executable arguments, edit the kubelet service file
|
||||||
@ -52,11 +56,13 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.3
|
- id: 2.1.3
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
text: Ensure that the --client-ca-file argument is set as appropriate (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--client-ca-file"
|
- flag: --client-ca-file
|
||||||
|
path: '{.authentication.x509.clientCAFile}'
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
|
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
|
||||||
@ -71,15 +77,17 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.4
|
- id: 2.1.4
|
||||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
text: Ensure that the --read-only-port argument is set to 0 (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--read-only-port"
|
- flag: "--read-only-port"
|
||||||
|
path: '{.readOnlyPort}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 0
|
value: 0
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
|
If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
|
||||||
If using command line arguments, edit the kubelet service file
|
If using command line arguments, edit the kubelet service file
|
||||||
@ -92,18 +100,21 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.5
|
- id: 2.1.5
|
||||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--streaming-connection-idle-timeout"
|
- flag: --streaming-connection-idle-timeout
|
||||||
|
path: '{.streamingConnectionIdleTimeout}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: noteq
|
op: noteq
|
||||||
value: 0
|
value: 0
|
||||||
set: true
|
- flag: --streaming-connection-idle-timeout
|
||||||
- flag: "--streaming-connection-idle-timeout"
|
path: '{.streamingConnectionIdleTimeout}'
|
||||||
set: false
|
set: false
|
||||||
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
|
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
|
||||||
value other than 0.
|
value other than 0.
|
||||||
@ -117,15 +128,17 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.6
|
- id: 2.1.6
|
||||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
text: Ensure that the --protect-kernel-defaults argument is set to true (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--protect-kernel-defaults"
|
- flag: --protect-kernel-defaults
|
||||||
|
path: '{.protectKernelDefaults}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
|
If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
|
||||||
If using command line arguments, edit the kubelet service file
|
If using command line arguments, edit the kubelet service file
|
||||||
@ -138,18 +151,21 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.7
|
- id: 2.1.7
|
||||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
text: Ensure that the --make-iptables-util-chains argument is set to true (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--make-iptables-util-chains"
|
- flag: --make-iptables-util-chains
|
||||||
|
path: '{.makeIPTablesUtilChains}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
set: true
|
- flag: --make-iptables-util-chains
|
||||||
- flag: "--make-iptables-util-chains"
|
path: '{.makeIPTablesUtilChains}'
|
||||||
set: false
|
set: false
|
||||||
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
|
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
|
||||||
If using command line arguments, edit the kubelet service file
|
If using command line arguments, edit the kubelet service file
|
||||||
@ -162,11 +178,14 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.8
|
- id: 2.1.8
|
||||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
text: Ensure that the --hostname-override argument is not set (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
# This is one of those properties that can only be set as a command line argument.
|
||||||
|
# To check if the property is set as expected, we need to parse the kubelet command
|
||||||
|
# instead reading the Kubelet Configuration file.
|
||||||
|
audit: "ps -fC $kubeletbin "
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--hostname-override"
|
- flag: --hostname-override
|
||||||
set: false
|
set: false
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the kubelet service file $kubeletsvc
|
Edit the kubelet service file $kubeletsvc
|
||||||
@ -178,15 +197,17 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.9
|
- id: 2.1.9
|
||||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
text: Ensure that the --event-qps argument is set to 0 (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--event-qps"
|
- flag: --event-qps
|
||||||
|
path: '{.eventRecordQPS}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 0
|
value: 0
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
|
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
|
||||||
If using command line arguments, edit the kubelet service file
|
If using command line arguments, edit the kubelet service file
|
||||||
@ -199,15 +220,18 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.10
|
- id: 2.1.10
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--tls-cert-file"
|
- flag: --tls-cert-file
|
||||||
|
path: '{.tlsCertFile}'
|
||||||
set: true
|
set: true
|
||||||
- flag: "--tls-private-key-file"
|
- flag: --tls-private-key-file
|
||||||
|
path: '{.tlsPrivateKeyFile}'
|
||||||
set: true
|
set: true
|
||||||
|
bin_op: and
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
|
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
|
||||||
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
|
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
|
||||||
@ -223,19 +247,22 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.11
|
- id: 2.1.11
|
||||||
text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
|
text: '[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0'
|
||||||
audit: "ps -fC $kubeletbin"
|
# This is one of those properties that can only be set as a command line argument.
|
||||||
type: "skip"
|
# To check if the property is set as expected, we need to parse the kubelet command
|
||||||
|
# instead reading the Kubelet Configuration file.
|
||||||
|
audit: "ps -fC $kubeletbin "
|
||||||
|
type: skip
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--cadvisor-port"
|
- flag: --cadvisor-port
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 0
|
value: 0
|
||||||
set: true
|
- flag: --cadvisor-port
|
||||||
- flag: "--cadvisor-port"
|
|
||||||
set: false
|
set: false
|
||||||
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the kubelet service file $kubeletsvc
|
Edit the kubelet service file $kubeletsvc
|
||||||
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
|
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
|
||||||
@ -246,18 +273,21 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 2.1.12
|
- id: 2.1.12
|
||||||
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
|
text: Ensure that the --rotate-certificates argument is not set to false (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--rotate-certificates"
|
- flag: --rotate-certificates
|
||||||
|
path: '{.rotateCertificates}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
set: true
|
- flag: --rotate-certificates
|
||||||
- flag: "--rotate-certificates"
|
path: '{.rotateCertificates}'
|
||||||
set: false
|
set: false
|
||||||
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
|
If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
|
||||||
If using command line arguments, edit the kubelet service file $kubeletsvc
|
If using command line arguments, edit the kubelet service file $kubeletsvc
|
||||||
@ -268,15 +298,17 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.13
|
- id: 2.1.13
|
||||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "RotateKubeletServerCertificate"
|
- flag: RotateKubeletServerCertificate
|
||||||
|
path: '{.featureGates.RotateKubeletServerCertificate}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: true
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the kubelet service file $kubeletsvc
|
Edit the kubelet service file $kubeletsvc
|
||||||
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
|
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
|
||||||
@ -287,208 +319,207 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.14
|
- id: 2.1.14
|
||||||
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
|
text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
audit_config: "cat $kubeletconf"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--tls-cipher-suites"
|
- flag: --tls-cipher-suites
|
||||||
|
path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
|
||||||
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: valid_elements
|
op: valid_elements
|
||||||
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
|
value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||||
set: true
|
|
||||||
remediation: |
|
remediation: |
|
||||||
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||||
If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
|
If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
|
||||||
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 2.2
|
- id: "2.2"
|
||||||
text: "Configuration Files"
|
text: Configuration Files
|
||||||
checks:
|
checks:
|
||||||
- id: 2.2.1
|
- id: 2.2.1
|
||||||
text: "Ensure that the kubelet.conf file permissions are set to 644 or
|
text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
||||||
more restrictive (Scored)"
|
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
|
tests:
|
||||||
tests:
|
test_items:
|
||||||
bin_op: or
|
- flag: "644"
|
||||||
test_items:
|
set: true
|
||||||
- flag: "644"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "644"
|
||||||
value: "644"
|
- flag: "640"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "640"
|
||||||
value: "640"
|
- flag: "600"
|
||||||
set: true
|
set: true
|
||||||
- flag: "600"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "600"
|
||||||
value: "600"
|
bin_op: or
|
||||||
set: true
|
remediation: |
|
||||||
remediation: |
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
node. For example,
|
||||||
node. For example,
|
chmod 644 $kubeletkubeconfig
|
||||||
chmod 644 $kubeletkubeconfig
|
scored: true
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.2
|
- id: 2.2.2
|
||||||
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
text: Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
|
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: root:root
|
||||||
compare:
|
set: true
|
||||||
op: eq
|
compare:
|
||||||
value: root:root
|
op: eq
|
||||||
set: true
|
value: root:root
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chown root:root $kubeletkubeconfig
|
chown root:root $kubeletkubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.3
|
- id: 2.2.3
|
||||||
text: "Ensure that the kubelet service file permissions are set to 644 or
|
text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
|
||||||
more restrictive (Scored)"
|
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
|
tests:
|
||||||
tests:
|
test_items:
|
||||||
bin_op: or
|
- flag: "644"
|
||||||
test_items:
|
set: true
|
||||||
- flag: "644"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "644"
|
||||||
value: 644
|
- flag: "640"
|
||||||
set: true
|
set: true
|
||||||
- flag: "640"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "640"
|
||||||
value: "640"
|
- flag: "600"
|
||||||
set: true
|
set: true
|
||||||
- flag: "600"
|
compare:
|
||||||
compare:
|
op: eq
|
||||||
op: eq
|
value: "600"
|
||||||
value: "600"
|
bin_op: or
|
||||||
set: true
|
remediation: |
|
||||||
remediation: |
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
node. For example,
|
||||||
node. For example,
|
chmod 755 $kubeletsvc
|
||||||
chmod 755 $kubeletsvc
|
scored: true
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.4
|
- id: 2.2.4
|
||||||
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
|
text: Ensure that the kubelet service file ownership is set to root:root (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
|
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: root:root
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chown root:root $kubeletsvc
|
chown root:root $kubeletsvc
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.5
|
- id: 2.2.5
|
||||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
|
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
test_items:
|
||||||
test_items:
|
- flag: "644"
|
||||||
- flag: "644"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
- flag: "640"
|
||||||
- flag: "640"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "640"
|
value: "640"
|
||||||
set: true
|
- flag: "600"
|
||||||
- flag: "600"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chmod 644 $proxykubeconfig
|
chmod 644 $proxykubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.6
|
- id: 2.2.6
|
||||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
text: Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
|
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: root:root
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the below command (based on the file location on your system) on the each worker
|
Run the below command (based on the file location on your system) on the each worker
|
||||||
node. For example,
|
node. For example,
|
||||||
chown root:root $proxykubeconfig
|
chown root:root $proxykubeconfig
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
text: "Ensure that the certificate authorities file permissions are set to
|
text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||||
644 or more restrictive (Scored)"
|
type: manual
|
||||||
type: "manual"
|
tests: {}
|
||||||
remediation: |
|
remediation: |
|
||||||
[Manual test]
|
Run the following command to modify the file permissions of the --client-ca-file
|
||||||
Run the following command to modify the file permissions of the --client-ca-file
|
chmod 644 <filename>
|
||||||
chmod 644 <filename>
|
scored: true
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.2.8
|
- id: 2.2.8
|
||||||
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
|
text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
|
audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: root:root
|
||||||
compare:
|
set: true
|
||||||
op: eq
|
compare:
|
||||||
value: root:root
|
op: eq
|
||||||
set: true
|
value: root:root
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command to modify the ownership of the --client-ca-file .
|
Run the following command to modify the ownership of the --client-ca-file .
|
||||||
chown root:root <filename>
|
chown root:root <filename>
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.9
|
- id: 2.2.9
|
||||||
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
|
text: Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "root:root"
|
- flag: root:root
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command (using the config file location identied in the Audit step)
|
Run the following command (using the config file location identied in the Audit step)
|
||||||
chown root:root $kubeletconf
|
chown root:root $kubeletconf
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.10
|
- id: 2.2.10
|
||||||
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
|
text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
test_items:
|
||||||
test_items:
|
- flag: "644"
|
||||||
- flag: "644"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
- flag: "640"
|
||||||
- flag: "640"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "640"
|
value: "640"
|
||||||
set: true
|
- flag: "600"
|
||||||
- flag: "600"
|
set: true
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
bin_op: or
|
||||||
remediation: |
|
remediation: |
|
||||||
Run the following command (using the config file location identied in the Audit step)
|
Run the following command (using the config file location identied in the Audit step)
|
||||||
chmod 644 $kubeletconf
|
chmod 644 $kubeletconf
|
||||||
scored: true
|
scored: true
|
||||||
|
@ -102,6 +102,7 @@ node:
|
|||||||
- "/etc/kubernetes/kubelet/kubelet-config.json"
|
- "/etc/kubernetes/kubelet/kubelet-config.json"
|
||||||
- "/home/kubernetes/kubelet-config.yaml"
|
- "/home/kubernetes/kubelet-config.yaml"
|
||||||
- "/etc/default/kubelet"
|
- "/etc/default/kubelet"
|
||||||
|
- "/var/lib/kubelet/kubeconfig"
|
||||||
## Due to the fact that the kubelet might be configured
|
## Due to the fact that the kubelet might be configured
|
||||||
## without a kubelet-config file, we use a work-around
|
## without a kubelet-config file, we use a work-around
|
||||||
## of pointing to the systemd service file (which can also
|
## of pointing to the systemd service file (which can also
|
||||||
|
251
check/check.go
251
check/check.go
@ -46,14 +46,12 @@ const (
|
|||||||
MASTER NodeType = "master"
|
MASTER NodeType = "master"
|
||||||
// NODE a node
|
// NODE a node
|
||||||
NODE NodeType = "node"
|
NODE NodeType = "node"
|
||||||
)
|
// FEDERATED a federated deployment.
|
||||||
|
FEDERATED NodeType = "federated"
|
||||||
|
|
||||||
func handleError(err error, context string) (errmsg string) {
|
// MANUAL Check Type
|
||||||
if err != nil {
|
MANUAL string = "manual"
|
||||||
errmsg = fmt.Sprintf("%s, error: %s\n", context, err)
|
)
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check contains information about a recommendation in the
|
// Check contains information about a recommendation in the
|
||||||
// CIS Kubernetes 1.6+ document.
|
// CIS Kubernetes 1.6+ document.
|
||||||
@ -61,8 +59,10 @@ type Check struct {
|
|||||||
ID string `yaml:"id" json:"test_number"`
|
ID string `yaml:"id" json:"test_number"`
|
||||||
Text string `json:"test_desc"`
|
Text string `json:"test_desc"`
|
||||||
Audit string `json:"audit"`
|
Audit string `json:"audit"`
|
||||||
|
AuditConfig string `yaml:"audit_config"`
|
||||||
Type string `json:"type"`
|
Type string `json:"type"`
|
||||||
Commands []*exec.Cmd `json:"omit"`
|
Commands []*exec.Cmd `json:"omit"`
|
||||||
|
ConfigCommands []*exec.Cmd `json:"omit"`
|
||||||
Tests *tests `json:"omit"`
|
Tests *tests `json:"omit"`
|
||||||
Set bool `json:"omit"`
|
Set bool `json:"omit"`
|
||||||
Remediation string `json:"remediation"`
|
Remediation string `json:"remediation"`
|
||||||
@ -94,6 +94,14 @@ func (r *defaultRunner) Run(c *Check) State {
|
|||||||
// the results.
|
// the results.
|
||||||
func (c *Check) run() State {
|
func (c *Check) run() State {
|
||||||
|
|
||||||
|
// Since this is an Scored check
|
||||||
|
// without tests return a 'WARN' to alert
|
||||||
|
// the user that this check needs attention
|
||||||
|
if c.Scored && len(strings.TrimSpace(c.Type)) == 0 && c.Tests == nil {
|
||||||
|
c.State = WARN
|
||||||
|
return c.State
|
||||||
|
}
|
||||||
|
|
||||||
// If check type is skip, force result to INFO
|
// If check type is skip, force result to INFO
|
||||||
if c.Type == "skip" {
|
if c.Type == "skip" {
|
||||||
c.State = INFO
|
c.State = INFO
|
||||||
@ -101,109 +109,72 @@ func (c *Check) run() State {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// If check type is manual force result to WARN
|
// If check type is manual force result to WARN
|
||||||
if c.Type == "manual" {
|
if c.Type == MANUAL {
|
||||||
c.State = WARN
|
c.State = WARN
|
||||||
return c.State
|
return c.State
|
||||||
}
|
}
|
||||||
|
|
||||||
var out bytes.Buffer
|
lastCommand := c.Audit
|
||||||
var errmsgs string
|
hasAuditConfig := c.ConfigCommands != nil
|
||||||
|
|
||||||
// Check if command exists or exit with WARN.
|
state, finalOutput, retErrmsgs := performTest(c.Audit, c.Commands, c.Tests)
|
||||||
for _, cmd := range c.Commands {
|
if len(state) > 0 {
|
||||||
if !isShellCommand(cmd.Path) {
|
c.State = state
|
||||||
c.State = WARN
|
return c.State
|
||||||
|
}
|
||||||
|
errmsgs := retErrmsgs
|
||||||
|
|
||||||
|
// If something went wrong with the 'Audit' command
|
||||||
|
// and an 'AuditConfig' command was provided, use it to
|
||||||
|
// execute tests
|
||||||
|
if (finalOutput == nil || !finalOutput.testResult) && hasAuditConfig {
|
||||||
|
lastCommand = c.AuditConfig
|
||||||
|
|
||||||
|
nItems := len(c.Tests.TestItems)
|
||||||
|
// The reason we're creating a copy of the "tests"
|
||||||
|
// is so that tests can executed
|
||||||
|
// with the AuditConfig command
|
||||||
|
// against the Path only
|
||||||
|
currentTests := &tests{
|
||||||
|
BinOp: c.Tests.BinOp,
|
||||||
|
TestItems: make([]*testItem, nItems),
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := 0; i < nItems; i++ {
|
||||||
|
ti := c.Tests.TestItems[i]
|
||||||
|
nti := &testItem{
|
||||||
|
// Path is used to test Command Param values
|
||||||
|
// AuditConfig ==> Path
|
||||||
|
Path: ti.Path,
|
||||||
|
Set: ti.Set,
|
||||||
|
Compare: ti.Compare,
|
||||||
|
}
|
||||||
|
currentTests.TestItems[i] = nti
|
||||||
|
}
|
||||||
|
|
||||||
|
state, finalOutput, retErrmsgs = performTest(c.AuditConfig, c.ConfigCommands, currentTests)
|
||||||
|
if len(state) > 0 {
|
||||||
|
c.State = state
|
||||||
return c.State
|
return c.State
|
||||||
}
|
}
|
||||||
|
errmsgs += retErrmsgs
|
||||||
}
|
}
|
||||||
|
|
||||||
// Run commands.
|
if finalOutput != nil && finalOutput.testResult {
|
||||||
n := len(c.Commands)
|
c.State = PASS
|
||||||
if n == 0 {
|
|
||||||
// Likely a warning message.
|
|
||||||
c.State = WARN
|
|
||||||
return c.State
|
|
||||||
}
|
|
||||||
|
|
||||||
// Each command runs,
|
|
||||||
// cmd0 out -> cmd1 in, cmd1 out -> cmd2 in ... cmdn out -> os.stdout
|
|
||||||
// cmd0 err should terminate chain
|
|
||||||
cs := c.Commands
|
|
||||||
|
|
||||||
// Initialize command pipeline
|
|
||||||
cs[n-1].Stdout = &out
|
|
||||||
i := 1
|
|
||||||
|
|
||||||
var err error
|
|
||||||
errmsgs = ""
|
|
||||||
|
|
||||||
for i < n {
|
|
||||||
cs[i-1].Stdout, err = cs[i].StdinPipe()
|
|
||||||
errmsgs += handleError(
|
|
||||||
err,
|
|
||||||
fmt.Sprintf("failed to run: %s\nfailed command: %s",
|
|
||||||
c.Audit,
|
|
||||||
cs[i].Args,
|
|
||||||
),
|
|
||||||
)
|
|
||||||
i++
|
|
||||||
}
|
|
||||||
|
|
||||||
// Start command pipeline
|
|
||||||
i = 0
|
|
||||||
for i < n {
|
|
||||||
err := cs[i].Start()
|
|
||||||
errmsgs += handleError(
|
|
||||||
err,
|
|
||||||
fmt.Sprintf("failed to run: %s\nfailed command: %s",
|
|
||||||
c.Audit,
|
|
||||||
cs[i].Args,
|
|
||||||
),
|
|
||||||
)
|
|
||||||
i++
|
|
||||||
}
|
|
||||||
|
|
||||||
// Complete command pipeline
|
|
||||||
i = 0
|
|
||||||
for i < n {
|
|
||||||
err := cs[i].Wait()
|
|
||||||
errmsgs += handleError(
|
|
||||||
err,
|
|
||||||
fmt.Sprintf("failed to run: %s\nfailed command:%s",
|
|
||||||
c.Audit,
|
|
||||||
cs[i].Args,
|
|
||||||
),
|
|
||||||
)
|
|
||||||
|
|
||||||
if i < n-1 {
|
|
||||||
cs[i].Stdout.(io.Closer).Close()
|
|
||||||
}
|
|
||||||
|
|
||||||
i++
|
|
||||||
}
|
|
||||||
|
|
||||||
glog.V(3).Info(out.String())
|
|
||||||
|
|
||||||
finalOutput := c.Tests.execute(out.String())
|
|
||||||
if finalOutput != nil {
|
|
||||||
c.ActualValue = finalOutput.actualResult
|
c.ActualValue = finalOutput.actualResult
|
||||||
c.ExpectedResult = finalOutput.ExpectedResult
|
c.ExpectedResult = finalOutput.ExpectedResult
|
||||||
if finalOutput.testResult {
|
glog.V(3).Infof("Check.ID: %s Command: %q TestResult: %t Score: %q \n", c.ID, lastCommand, finalOutput.testResult, c.State)
|
||||||
c.State = PASS
|
|
||||||
} else {
|
|
||||||
if c.Scored {
|
|
||||||
c.State = FAIL
|
|
||||||
} else {
|
|
||||||
c.State = WARN
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
errmsgs += handleError(
|
if c.Scored {
|
||||||
fmt.Errorf("final output is nil"),
|
c.State = FAIL
|
||||||
fmt.Sprintf("failed to run: %s\n",
|
} else {
|
||||||
c.Audit,
|
c.State = WARN
|
||||||
),
|
}
|
||||||
)
|
}
|
||||||
|
|
||||||
|
if finalOutput == nil {
|
||||||
|
glog.V(3).Infof("Check.ID: %s Command: %q TestResult: <<EMPTY>> \n", c.ID, lastCommand)
|
||||||
}
|
}
|
||||||
|
|
||||||
if errmsgs != "" {
|
if errmsgs != "" {
|
||||||
@ -216,6 +187,7 @@ func (c *Check) run() State {
|
|||||||
// run into a slice of commands.
|
// run into a slice of commands.
|
||||||
// TODO: Make this more robust.
|
// TODO: Make this more robust.
|
||||||
func textToCommand(s string) []*exec.Cmd {
|
func textToCommand(s string) []*exec.Cmd {
|
||||||
|
glog.V(3).Infof("textToCommand: %q\n", s)
|
||||||
cmds := []*exec.Cmd{}
|
cmds := []*exec.Cmd{}
|
||||||
|
|
||||||
cp := strings.Split(s, "|")
|
cp := strings.Split(s, "|")
|
||||||
@ -272,3 +244,86 @@ func isShellCommand(s string) bool {
|
|||||||
}
|
}
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func performTest(audit string, commands []*exec.Cmd, tests *tests) (State, *testOutput, string) {
|
||||||
|
if len(strings.TrimSpace(audit)) == 0 {
|
||||||
|
return "", failTestItem("missing command"), ""
|
||||||
|
}
|
||||||
|
|
||||||
|
var out bytes.Buffer
|
||||||
|
state, retErrmsgs := runExecCommands(audit, commands, &out)
|
||||||
|
if len(state) > 0 {
|
||||||
|
return state, nil, ""
|
||||||
|
}
|
||||||
|
errmsgs := retErrmsgs
|
||||||
|
|
||||||
|
finalOutput := tests.execute(out.String())
|
||||||
|
if finalOutput == nil {
|
||||||
|
errmsgs += fmt.Sprintf("Final output is <<EMPTY>>. Failed to run: %s\n", audit)
|
||||||
|
}
|
||||||
|
|
||||||
|
return "", finalOutput, errmsgs
|
||||||
|
}
|
||||||
|
|
||||||
|
func runExecCommands(audit string, commands []*exec.Cmd, out *bytes.Buffer) (State, string) {
|
||||||
|
var err error
|
||||||
|
errmsgs := ""
|
||||||
|
|
||||||
|
// Check if command exists or exit with WARN.
|
||||||
|
for _, cmd := range commands {
|
||||||
|
if !isShellCommand(cmd.Path) {
|
||||||
|
return WARN, errmsgs
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Run commands.
|
||||||
|
n := len(commands)
|
||||||
|
if n == 0 {
|
||||||
|
// Likely a warning message.
|
||||||
|
return WARN, errmsgs
|
||||||
|
}
|
||||||
|
|
||||||
|
// Each command runs,
|
||||||
|
// cmd0 out -> cmd1 in, cmd1 out -> cmd2 in ... cmdn out -> os.stdout
|
||||||
|
// cmd0 err should terminate chain
|
||||||
|
cs := commands
|
||||||
|
|
||||||
|
// Initialize command pipeline
|
||||||
|
cs[n-1].Stdout = out
|
||||||
|
i := 1
|
||||||
|
|
||||||
|
for i < n {
|
||||||
|
cs[i-1].Stdout, err = cs[i].StdinPipe()
|
||||||
|
if err != nil {
|
||||||
|
errmsgs += fmt.Sprintf("failed to run: %s, command: %s, error: %s\n", audit, cs[i].Args, err)
|
||||||
|
}
|
||||||
|
i++
|
||||||
|
}
|
||||||
|
|
||||||
|
// Start command pipeline
|
||||||
|
i = 0
|
||||||
|
for i < n {
|
||||||
|
err := cs[i].Start()
|
||||||
|
if err != nil {
|
||||||
|
errmsgs += fmt.Sprintf("failed to run: %s, command: %s, error: %s\n", audit, cs[i].Args, err)
|
||||||
|
}
|
||||||
|
i++
|
||||||
|
}
|
||||||
|
|
||||||
|
// Complete command pipeline
|
||||||
|
i = 0
|
||||||
|
for i < n {
|
||||||
|
err := cs[i].Wait()
|
||||||
|
if err != nil {
|
||||||
|
errmsgs += fmt.Sprintf("failed to run: %s, command: %s, error: %s\n", audit, cs[i].Args, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if i < n-1 {
|
||||||
|
cs[i].Stdout.(io.Closer).Close()
|
||||||
|
}
|
||||||
|
i++
|
||||||
|
}
|
||||||
|
|
||||||
|
glog.V(3).Infof("Command %q - Output:\n\n %s\n", audit, out.String())
|
||||||
|
return "", errmsgs
|
||||||
|
}
|
||||||
|
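Review bot: The audit_config fallback in `run()` dereferences `c.Tests.TestItems` (`nItems := len(c.Tests.TestItems)`), but the nil-tests guard added at the top of the function only fires when `c.Scored` is true, so an unscored check that has `audit_config` and no `tests` block reaches that line with a nil pointer and panics; `performTest` likewise hands a nil `*tests` to `tests.execute`, whose nil handling is not visible here. A guard that does not depend on the score, placed after the `MANUAL` check, covers both paths: `if c.Tests == nil { c.State = WARN; return c.State }`. Separately, `runExecCommands` now logs the complete command output at V(3) (`Command %q - Output:`); since the `audit`/`audit_config` text comes straight from the controls file and its output can include configuration contents, verbose logs should be treated as potentially sensitive, which is worth a comment on that line. `run()` continues past the end of the hunk.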
@ -25,14 +25,13 @@ func TestCheck_Run(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
testCases := []TestCase{
|
testCases := []TestCase{
|
||||||
{check: Check{Type: "manual"}, Expected: WARN},
|
{check: Check{Type: MANUAL}, Expected: WARN},
|
||||||
{check: Check{Type: "skip"}, Expected: INFO},
|
{check: Check{Type: "skip"}, Expected: INFO},
|
||||||
{check: Check{Type: "", Scored: false}, Expected: WARN}, // Not scored checks with no type should be marked warn
|
{check: Check{Type: "", Scored: false}, Expected: WARN}, // Not scored checks with no type should be marked warn
|
||||||
{check: Check{Type: "", Scored: true}, Expected: WARN}, // If there are no tests in the check, warn
|
{check: Check{Type: "", Scored: true}, Expected: WARN}, // If there are no tests in the check, warn
|
||||||
{check: Check{Type: "manual", Scored: false}, Expected: WARN},
|
{check: Check{Type: MANUAL, Scored: false}, Expected: WARN},
|
||||||
{check: Check{Type: "skip", Scored: false}, Expected: INFO},
|
{check: Check{Type: "skip", Scored: false}, Expected: INFO},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, testCase := range testCases {
|
for _, testCase := range testCases {
|
||||||
|
|
||||||
testCase.check.run()
|
testCase.check.run()
|
||||||
@ -42,3 +41,55 @@ func TestCheck_Run(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestCheckAuditConfig(t *testing.T) {
|
||||||
|
|
||||||
|
cases := []struct {
|
||||||
|
*Check
|
||||||
|
expected State
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
controls.Groups[1].Checks[0],
|
||||||
|
"PASS",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
controls.Groups[1].Checks[1],
|
||||||
|
"FAIL",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
controls.Groups[1].Checks[2],
|
||||||
|
"FAIL",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
controls.Groups[1].Checks[3],
|
||||||
|
"PASS",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
controls.Groups[1].Checks[4],
|
||||||
|
"FAIL",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
controls.Groups[1].Checks[5],
|
||||||
|
"PASS",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
controls.Groups[1].Checks[6],
|
||||||
|
"FAIL",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
controls.Groups[1].Checks[7],
|
||||||
|
"PASS",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
controls.Groups[1].Checks[8],
|
||||||
|
"FAIL",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, c := range cases {
|
||||||
|
c.run()
|
||||||
|
if c.State != c.expected {
|
||||||
|
t.Errorf("%s, expected:%v, got:%v\n", c.Text, c.expected, c.State)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
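Review bot: The expected states in `TestCheckAuditConfig` are written as the string literals `"PASS"` and `"FAIL"`, while the same commit replaces `"manual"` with the `MANUAL` constant a few lines above; the `PASS`/`FAIL` constants of type `State` keep the table consistent and catch a typo at compile time rather than as a failing assertion. The table also addresses fixtures by position (`controls.Groups[1].Checks[0]` through `Checks[8]`), so a reordered or shortened check/data file turns into an index-out-of-range panic instead of a readable failure; a `t.Fatalf` when `len(controls.Groups[1].Checks)` is smaller than the table, and `c.ID` in the `t.Errorf` message, would make that clearer. Where `controls` is populated is outside this hunk, presumably a sibling test helper.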
@ -17,6 +17,7 @@ package check
|
|||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
"gopkg.in/yaml.v2"
|
"gopkg.in/yaml.v2"
|
||||||
)
|
)
|
||||||
@ -69,7 +70,12 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
|
|||||||
// Prepare audit commands
|
// Prepare audit commands
|
||||||
for _, group := range c.Groups {
|
for _, group := range c.Groups {
|
||||||
for _, check := range group.Checks {
|
for _, check := range group.Checks {
|
||||||
|
glog.V(3).Infof("Check.ID %s", check.ID)
|
||||||
check.Commands = textToCommand(check.Audit)
|
check.Commands = textToCommand(check.Audit)
|
||||||
|
if len(check.AuditConfig) > 0 {
|
||||||
|
glog.V(3).Infof("Check.ID has audit_config %s", check.ID)
|
||||||
|
check.ConfigCommands = textToCommand(check.AuditConfig)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
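Review bot: The new guard `if len(check.AuditConfig) > 0` in `NewControls` treats a whitespace-only `audit_config` as present, which leaves `check.ConfigCommands` non-nil, and that is the only signal `run()` uses (`hasAuditConfig := c.ConfigCommands != nil`) to route a failed audit through the config path, where `performTest` then reports `missing command`. Applying the same test `performTest` uses, `if len(strings.TrimSpace(check.AuditConfig)) > 0 {`, keeps the two layers in agreement; `strings` is not among the imports shown in this file's import hunk, so it would need adding if it is not already there. `NewControls` begins before this hunk.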
113
check/data
113
check/data
@ -307,3 +307,116 @@ groups:
|
|||||||
op: regex
|
op: regex
|
||||||
value: '^1\.12.*$'
|
value: '^1\.12.*$'
|
||||||
set: true
|
set: true
|
||||||
|
|
||||||
|
- id: 2.1
|
||||||
|
text: "audit and audit_config commands"
|
||||||
|
checks:
|
||||||
|
- id: 0
|
||||||
|
text: "audit finds flag and passes, audit_config doesn't exist -> pass"
|
||||||
|
audit: "echo flag=correct"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "flag"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "correct"
|
||||||
|
set: true
|
||||||
|
scored: true
|
||||||
|
- id: 1
|
||||||
|
text: "audit finds flag and fails, audit_config doesn't exist -> fail"
|
||||||
|
audit: "echo flag=wrong"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "flag"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "correct"
|
||||||
|
set: true
|
||||||
|
scored: true
|
||||||
|
- id: 2
|
||||||
|
text: "audit doesn't find flag, audit_config doesn't exist -> fail"
|
||||||
|
audit: "echo somethingElse=correct"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "flag"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "correct"
|
||||||
|
set: true
|
||||||
|
scored: true
|
||||||
|
- id: 3
|
||||||
|
text: "audit doesn't find flag, audit_config has correct setting -> pass"
|
||||||
|
audit: "echo somethingElse=correct"
|
||||||
|
audit_config: "echo 'flag: correct'"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "flag"
|
||||||
|
path: "{.flag}"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "correct"
|
||||||
|
set: true
|
||||||
|
scored: true
|
||||||
|
- id: 4
|
||||||
|
text: "audit doesn't find flag, audit_config has wrong setting -> fail"
|
||||||
|
audit: "echo somethingElse=correct"
|
||||||
|
audit_config: "echo 'flag: wrong'"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "flag"
|
||||||
|
path: "{.flag}"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "correct"
|
||||||
|
set: true
|
||||||
|
scored: true
|
||||||
|
- id: 5
|
||||||
|
text: "audit finds correct flag, audit_config has wrong setting -> pass"
|
||||||
|
audit: "echo flag=correct"
|
||||||
|
audit_config: "echo 'flag: wrong'"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "flag"
|
||||||
|
path: "{.flag}"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "correct"
|
||||||
|
set: true
|
||||||
|
scored: true
|
||||||
|
- id: 6
|
||||||
|
text: "neither audit nor audit_config has correct setting -> fail"
|
||||||
|
audit: "echo flag=wrong"
|
||||||
|
audit_config: "echo 'flag: wrong'"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "flag"
|
||||||
|
path: "{.flag}"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "correct"
|
||||||
|
set: true
|
||||||
|
scored: true
|
||||||
|
- id: 7
|
||||||
|
text: "audit isn't present, superfluous flag field,audit_config is correct -> pass"
|
||||||
|
audit_config: "echo 'flag: correct'"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "flag"
|
||||||
|
path: "{.flag}"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "correct"
|
||||||
|
set: true
|
||||||
|
scored: true
|
||||||
|
- id: 8
|
||||||
|
text: "audit isn't present, superfluous flag field,audit_config is wrong -> fail"
|
||||||
|
audit_config: "echo 'flag: wrong'"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "flag"
|
||||||
|
path: "{.flag}"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "correct"
|
||||||
|
set: true
|
||||||
|
scored: true
|
||||||
|
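Review bot: Every fixture that carries `audit_config` (ids 3 through 8) also sets `path` on its test item, so the fallback in `Check.run` that copies only `Path`, `Set` and `Compare` into the retried tests is never exercised with a `flag`-only item; whether such an item can still match the config output or silently yields a fail is not covered. A fixture such as `- id: 9` with `audit: "echo flag=wrong"`, `audit_config: "echo 'flag: correct'"` and a test item that has `flag` but no `path` would pin the intended result either way. Ids 0 through 2 without `audit_config` and the two `audit isn't present` cases already cover the remaining branches.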
@ -216,6 +216,7 @@ func loadConfig(nodetype check.NodeType) string {
|
|||||||
exitWithError(fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err))
|
exitWithError(fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
path, err := getConfigFilePath(kubeVersion, runningVersion, file)
|
path, err := getConfigFilePath(kubeVersion, runningVersion, file)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
exitWithError(fmt.Errorf("can't find %s controls file in %s: %v", nodetype, cfgDir, err))
|
exitWithError(fmt.Errorf("can't find %s controls file in %s: %v", nodetype, cfgDir, err))
|
||||||
|