1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-23 00:28:07 +00:00

Issue #353: Merges JSON and Exec Params files (#426)

* starts fixes #353

* new approach to minize duplications

* applied merged yaml files for v1.11 and v1.13

* yaml files json/params merged

* fixes to remove double quotes from numbers and booleans

* fixed bug

* fixed certificate check

* removed -json files

* changes based on PR review

* Update check/check_test.go

Yay more tests!

Co-Authored-By: Liz Rice <liz@lizrice.com>

* changes as PR review

* fixed bug when scored check is missing tests

* attempt to improve the code

* fixed list breaks

* removes handleError function

* Update check/check.go

Accepting suggested log level.

Co-Authored-By: Liz Rice <liz@lizrice.com>
This commit is contained in:
Roberto Rojas 2019-10-14 10:37:10 -04:00 committed by GitHub
parent c22f81610d
commit 3aa41db166
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 1139 additions and 1912 deletions

View File

@ -1,16 +0,0 @@
---
# Config file for systems such as EKS where config is in JSON files
# Master nodes are controlled by EKS and not user-accessible
node:
kubernetes:
confs:
- "/var/lib/kubelet/kubeconfig"
kubeconfig:
- "/var/lib/kubelet/kubeconfig"
kubelet:
defaultsvc: "/etc/systemd/system/kubelet.service"
defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
proxy:
defaultkubeconfig: "/var/lib/kubelet/kubeconfig"

View File

@ -1,523 +0,0 @@
---
controls:
version: 1.11
id: 2
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 2.1
text: "Kubelet"
checks:
- id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--allow-privileged"
compare:
op: eq
value: false
set: true
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--allow-privileged=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.authentication.anonymous.enabled}"
compare:
op: eq
value: false
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false .
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.authorization.mode}"
compare:
op: noteq
value: "AlwaysAllow"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.authentication.x509.clientCAFile}"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
the location of the client CA file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.readOnlyPort}"
compare:
op: eq
value: "0"
set: true
remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: or
test_items:
- path: "{.streamingConnectionIdleTimeout}"
set: false
- path: "{.streamingConnectionIdleTimeout}"
compare:
op: noteq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.protectKernelDefaults}"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: or
test_items:
- path: "{.makeIPTablesUtilChains}"
set: false
- path: "{.makeIPTablesUtilChains}"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.9
text: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.hostnameOverride}"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.10
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.eventRecordQPS}"
compare:
op: eq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.11
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: and
test_items:
- path: "{.tlsCertFile}"
set: true
- path: "{.tlsPrivateKeyFile}"
set: true
remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
corresponding private key file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.12
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: or
test_items:
- path: "{.cadvisorPort}"
compare:
op: eq
value: 0
set: true
- path: "{.cadvisorPort}"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.13
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: or
test_items:
- path: "{.rotateCertificates}"
set: false
- path: "{.rotateCertificates}"
compare:
op: noteq
value: "false"
set: true
remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file $kubeletsvc
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.14
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.featureGates.RotateKubeletServerCertificate}"
compare:
op: eq
value: true
set: true
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.15
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.tlsCipherSuites}"
compare:
op: valid_elements
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
set: true
remediation: |
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: 2.2
text: "Configuration Files"
checks:
- id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $kubeletkubeconfig
scored: true
- id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletkubeconfig
scored: true
- id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: 644
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 755 $kubeletsvc
scored: true
- id: 2.2.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletsvc
scored: true
- id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $proxykubeconfig
Note - This test reports "FAIL" if kube-proxy has been configured
using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored
as the kube-proxy does not expose the kubeconfig file to the worker node.
scored: true
- id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $proxykubeconfig
Note - This test reports "FAIL" if kube-proxy has been configured
using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored
as the kube-proxy does not expose the kubeconfig file to the worker node.
scored: true
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
type: "manual"
remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename>
scored: true
- id: 2.2.9
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chown root:root $kubeletconf
scored: true
- id: 2.2.10
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf
scored: true

View File

@ -1,23 +1,23 @@
--- ---
controls: controls:
version: 1.11 version: "1.11"
id: 2 id: "2"
text: "Worker Node Security Configuration" text: Worker Node Security Configuration
type: "node" type: "node"
groups: groups:
- id: 2.1 - id: "2.1"
text: "Kubelet" text: Kubelet
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" text: Ensure that the --allow-privileged argument is set to false (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin "
tests: tests:
test_items: test_items:
- flag: "--allow-privileged" - flag: --allow-privileged
set: true
compare: compare:
op: eq op: eq
value: false value: false
set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletsvc Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
@ -28,15 +28,17 @@ groups:
scored: true scored: true
- id: 2.1.2 - id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: Ensure that the --anonymous-auth argument is set to false (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--anonymous-auth" - flag: --anonymous-auth
path: '{.authentication.anonymous.enabled}'
set: true
compare: compare:
op: eq op: eq
value: false value: false
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false . false .
@ -50,15 +52,17 @@ groups:
scored: true scored: true
- id: 2.1.3 - id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: --authorization-mode
path: '{.authorization.mode}'
set: true
compare: compare:
op: nothave op: nothave
value: "AlwaysAllow" value: AlwaysAllow
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file If using executable arguments, edit the kubelet service file
@ -71,11 +75,13 @@ groups:
scored: true scored: true
- id: 2.1.4 - id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: Ensure that the --client-ca-file argument is set as appropriate (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--client-ca-file" - flag: --client-ca-file
path: '{.authentication.x509.clientCAFile}'
set: true set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
@ -90,15 +96,17 @@ groups:
scored: true scored: true
- id: 2.1.5 - id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" text: Ensure that the --read-only-port argument is set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--read-only-port" - flag: --read-only-port
path: '{.readOnlyPort}'
set: true
compare: compare:
op: eq op: eq
value: 0 value: 0
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0 . If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
@ -111,18 +119,21 @@ groups:
scored: true scored: true
- id: 2.1.6 - id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--streaming-connection-idle-timeout" - flag: --streaming-connection-idle-timeout
path: '{.streamingConnectionIdleTimeout}'
set: true
compare: compare:
op: noteq op: noteq
value: 0 value: 0
set: true - flag: --streaming-connection-idle-timeout
- flag: "--streaming-connection-idle-timeout" path: '{.streamingConnectionIdleTimeout}'
set: false set: false
bin_op: or
remediation: | remediation: |
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0. value other than 0.
@ -136,15 +147,17 @@ groups:
scored: true scored: true
- id: 2.1.7 - id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" text: Ensure that the --protect-kernel-defaults argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--protect-kernel-defaults" - flag: --protect-kernel-defaults
path: '{.protectKernelDefaults}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true . If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
@ -157,18 +170,21 @@ groups:
scored: true scored: true
- id: 2.1.8 - id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" text: Ensure that the --make-iptables-util-chains argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--make-iptables-util-chains" - flag: --make-iptables-util-chains
path: '{.makeIPTablesUtilChains}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
set: true - flag: --make-iptables-util-chains
- flag: "--make-iptables-util-chains" path: '{.makeIPTablesUtilChains}'
set: false set: false
bin_op: or
remediation: | remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true . If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
@ -181,11 +197,13 @@ groups:
scored: true scored: true
- id: 2.1.9 - id: 2.1.9
text: "Ensure that the --hostname-override argument is not set (Scored)" text: Ensure that the --hostname-override argument is not set (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--hostname-override" - flag: --hostname-override
path: '{.hostnameOverride}'
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletsvc Edit the kubelet service file $kubeletsvc
@ -197,15 +215,17 @@ groups:
scored: true scored: true
- id: 2.1.10 - id: 2.1.10
text: "Ensure that the --event-qps argument is set to 0 (Scored)" text: Ensure that the --event-qps argument is set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--event-qps" - flag: --event-qps
path: '{.eventRecordQPS}'
set: true
compare: compare:
op: eq op: eq
value: 0 value: 0
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 . If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
@ -218,15 +238,18 @@ groups:
scored: true scored: true
- id: 2.1.11 - id: 2.1.11
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
bin_op: and
test_items: test_items:
- flag: "--tls-cert-file" - flag: --tls-cert-file
path: '{.tlsCertFile}'
set: true set: true
- flag: "--tls-private-key-file" - flag: --tls-private-key-file
path: '{.tlsPrivateKeyFile}'
set: true set: true
bin_op: and
remediation: | remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
@ -242,18 +265,21 @@ groups:
scored: true scored: true
- id: 2.1.12 - id: 2.1.12
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" text: Ensure that the --cadvisor-port argument is set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--cadvisor-port" - flag: --cadvisor-port
path: '{.cadvisorPort}'
set: true
compare: compare:
op: eq op: eq
value: 0 value: 0
set: true - flag: --cadvisor-port
- flag: "--cadvisor-port" path: '{.cadvisorPort}'
set: false set: false
bin_op: or
remediation: | remediation: |
Edit the kubelet service file $kubeletsvc Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
@ -264,18 +290,21 @@ groups:
scored: true scored: true
- id: 2.1.13 - id: 2.1.13
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)" text: Ensure that the --rotate-certificates argument is not set to false (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--rotate-certificates" - flag: --rotate-certificates
path: '{.rotateCertificates}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
set: true - flag: --rotate-certificates
- flag: "--rotate-certificates" path: '{.rotateCertificates}'
set: false set: false
bin_op: or
remediation: | remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true. If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file $kubeletsvc If using command line arguments, edit the kubelet service file $kubeletsvc
@ -286,15 +315,17 @@ groups:
scored: true scored: true
- id: 2.1.14 - id: 2.1.14
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletServerCertificate" - flag: RotateKubeletServerCertificate
path: '{.featureGates.RotateKubeletServerCertificate}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletsvc Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
@ -305,208 +336,206 @@ groups:
scored: true scored: true
- id: 2.1.15 - id: 2.1.15
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)" text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--tls-cipher-suites" - flag: --tls-cipher-suites
path: '{.tlsCipherSuites}'
set: true
compare: compare:
op: valid_elements op: valid_elements
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter. If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false scored: false
- id: 2.2 - id: "2.2"
text: "Configuration Files" text: Configuration Files
checks: checks:
- id: 2.2.1 - id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
more restrictive (Scored)" audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'" tests:
tests: test_items:
bin_op: or - flag: "644"
test_items: set: true
- flag: "644" compare:
compare: op: eq
op: eq value: "644"
value: "644" - flag: "640"
set: true set: true
- flag: "640" compare:
compare: op: eq
op: eq value: "640"
value: "640" - flag: "600"
set: true set: true
- flag: "600" compare:
compare: op: eq
op: eq value: "600"
value: "600" bin_op: or
set: true remediation: |
remediation: | Run the below command (based on the file location on your system) on the each worker
Run the below command (based on the file location on your system) on the each worker node. For example,
node. For example, chmod 644 $kubeletkubeconfig
chmod 644 $kubeletkubeconfig scored: true
scored: true
- id: 2.2.2 - id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" text: Ensure that the kubelet.conf file ownership is set to root:root (Scored)
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'" audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: root:root
compare: set: true
op: eq compare:
value: root:root op: eq
set: true value: root:root
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $kubeletkubeconfig chown root:root $kubeletkubeconfig
scored: true scored: true
- id: 2.2.3 - id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
more restrictive (Scored)" audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'" tests:
tests: test_items:
bin_op: or - flag: "644"
test_items: set: true
- flag: "644" compare:
compare: op: eq
op: eq value: "644"
value: 644 - flag: "640"
set: true set: true
- flag: "640" compare:
compare: op: eq
op: eq value: "640"
value: "640" - flag: "600"
set: true set: true
- flag: "600" compare:
compare: op: eq
op: eq value: "600"
value: "600" bin_op: or
set: true remediation: |
remediation: | Run the below command (based on the file location on your system) on the each worker
Run the below command (based on the file location on your system) on the each worker node. For example,
node. For example, chmod 755 $kubeletsvc
chmod 755 $kubeletsvc scored: true
scored: true
- id: 2.2.4 - id: 2.2.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)" text: Ensure that the kubelet service file ownership is set to root:root (Scored)
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'" audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: root:root
set: true set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $kubeletsvc chown root:root $kubeletsvc
scored: true scored: true
- id: 2.2.5 - id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'" audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
tests: tests:
bin_op: or test_items:
test_items: - flag: "644"
- flag: "644" set: true
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true - flag: "640"
- flag: "640" set: true
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true - flag: "600"
- flag: "600" set: true
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true bin_op: or
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 644 $proxykubeconfig chmod 644 $proxykubeconfig
scored: true scored: true
- id: 2.2.6 - id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" text: Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'" audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: root:root
set: true set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $proxykubeconfig chown root:root $proxykubeconfig
scored: true scored: true
- id: 2.2.7 - id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
644 or more restrictive (Scored)" type: manual
type: "manual" remediation: |
remediation: | Run the following command to modify the file permissions of the --client-ca-file
[Manual test] chmod 644 <filename>
Run the following command to modify the file permissions of the --client-ca-file scored: true
chmod 644 <filename>
scored: true
- id: 2.2.8 - id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'" audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: root:root
compare: set: true
op: eq compare:
value: root:root op: eq
set: true value: root:root
remediation: | remediation: |
Run the following command to modify the ownership of the --client-ca-file . Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename> chown root:root <filename>
scored: true scored: true
- id: 2.2.9 - id: 2.2.9
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)" text: Ensure that the kubelet configuration file ownership is set to root:root (Scored)
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: root:root
set: true set: true
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identied in the Audit step)
chown root:root $kubeletconf chown root:root $kubeletconf
scored: true scored: true
- id: 2.2.10 - id: 2.2.10
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
tests: tests:
bin_op: or test_items:
test_items: - flag: "644"
- flag: "644" set: true
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true - flag: "640"
- flag: "640" set: true
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true - flag: "600"
- flag: "600" set: true
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true bin_op: or
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf chmod 644 $kubeletconf
scored: true scored: true

View File

@ -1,16 +0,0 @@
---
# Config file for systems such as EKS where config is in JSON files
# Master nodes are controlled by EKS and not user-accessible
node:
kubernetes:
confs:
- "/var/lib/kubelet/kubeconfig"
kubeconfig:
- "/var/lib/kubelet/kubeconfig"
kubelet:
defaultsvc: "/etc/systemd/system/kubelet.service"
defaultkubeconfig: "/var/lib/kubelet/kubeconfig"
proxy:
defaultkubeconfig: "/var/lib/kubelet/kubeconfig"

View File

@ -1,505 +0,0 @@
---
controls:
version: 1.13
id: 2
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 2.1
text: "Kubelet"
checks:
- id: 2.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.authentication.anonymous.enabled}"
compare:
op: eq
value: false
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false .
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.authorization.mode}"
compare:
op: nothave
value: "AlwaysAllow"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.authentication.x509.clientCAFile}"
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
the location of the client CA file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.4
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.readOnlyPort}"
compare:
op: eq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: or
test_items:
- path: "{.streamingConnectionIdleTimeout}"
compare:
op: noteq
value: 0
set: true
- path: "{.streamingConnectionIdleTimeout}"
set: false
remediation: |
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.protectKernelDefaults}"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: or
test_items:
- path: "{.makeIPTablesUtilChains}"
compare:
op: eq
value: true
set: true
- path: "{.makeIPTablesUtilChains}"
set: false
remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.8
text: "Ensure that the --hostname-override argument is not set (Scored)"
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "ps -fC $kubeletbin"
tests:
test_items:
- flag: "--hostname-override"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.9
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.eventRecordQPS}"
compare:
op: eq
value: 0
set: true
remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "cat $kubeletconf"
tests:
bin_op: and
test_items:
- path: "{.tlsCertFile}"
set: true
- path: "{.tlsPrivateKeyFile}"
set: true
remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
corresponding private key file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.11
text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0"
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "ps -fC $kubeletbin"
type: "skip"
tests:
bin_op: or
test_items:
- flag: "--cadvisor-port"
compare:
op: eq
value: 0
set: true
- flag: "--cadvisor-port"
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
--cadvisor-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 2.1.12
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.rotateCertificates}"
compare:
op: eq
value: true
set: true
remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file $kubeletsvc
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.13
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{.featureGates.RotateKubeletServerCertificate}"
compare:
op: eq
value: true
set: true
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 2.1.14
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "cat $kubeletconf"
tests:
test_items:
- path: "{range .tlsCipherSuites[:]}{}{','}{end}"
compare:
op: valid_elements
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
set: true
remediation: |
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: 2.2
text: "Configuration Files"
checks:
- id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $kubeletkubeconfig
scored: true
- id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletkubeconfig
scored: true
- id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: 644
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 755 $kubeletsvc
scored: true
- id: 2.2.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $kubeletsvc
scored: true
- id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chmod 644 $proxykubeconfig
Note - This test reports "FAIL" if kube-proxy has been configured
using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored
as the kube-proxy does not expose the kubeconfig file to the worker node.
scored: true
- id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the below command (based on the file location on your system) on the each worker
node. For example,
chown root:root $proxykubeconfig
Note - This test reports "FAIL" if kube-proxy has been configured
using a kubernetes configMap. Only under this situation, the "FAIL" can safely be ignored
as the kube-proxy does not expose the kubeconfig file to the worker node.
scored: true
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
type: "manual"
remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: |
Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename>
scored: true
- id: 2.2.9
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests:
test_items:
- flag: "root:root"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chown root:root $kubeletconf
scored: true
- id: 2.2.10
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf
scored: true

View File

@ -1,23 +1,25 @@
--- ---
controls: controls:
version: 1.13 version: "1.13"
id: 2 id: "2"
text: "Worker Node Security Configuration" text: Worker Node Security Configuration
type: "node" type: "node"
groups: groups:
- id: 2.1 - id: "2.1"
text: "Kubelet" text: Kubelet
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: Ensure that the --anonymous-auth argument is set to false (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--anonymous-auth" - flag: "--anonymous-auth"
path: '{.authentication.anonymous.enabled}'
set: true
compare: compare:
op: eq op: eq
value: false value: false
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false . false .
@ -31,15 +33,17 @@ groups:
scored: true scored: true
- id: 2.1.2 - id: 2.1.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: --authorization-mode
path: '{.authorization.mode}'
set: true
compare: compare:
op: nothave op: nothave
value: "AlwaysAllow" value: AlwaysAllow
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file If using executable arguments, edit the kubelet service file
@ -52,11 +56,13 @@ groups:
scored: true scored: true
- id: 2.1.3 - id: 2.1.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: Ensure that the --client-ca-file argument is set as appropriate (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--client-ca-file" - flag: --client-ca-file
path: '{.authentication.x509.clientCAFile}'
set: true set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
@ -71,15 +77,17 @@ groups:
scored: true scored: true
- id: 2.1.4 - id: 2.1.4
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" text: Ensure that the --read-only-port argument is set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--read-only-port" - flag: "--read-only-port"
path: '{.readOnlyPort}'
set: true
compare: compare:
op: eq op: eq
value: 0 value: 0
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0 . If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
@ -92,18 +100,21 @@ groups:
scored: true scored: true
- id: 2.1.5 - id: 2.1.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--streaming-connection-idle-timeout" - flag: --streaming-connection-idle-timeout
path: '{.streamingConnectionIdleTimeout}'
set: true
compare: compare:
op: noteq op: noteq
value: 0 value: 0
set: true - flag: --streaming-connection-idle-timeout
- flag: "--streaming-connection-idle-timeout" path: '{.streamingConnectionIdleTimeout}'
set: false set: false
bin_op: or
remediation: | remediation: |
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0. value other than 0.
@ -117,15 +128,17 @@ groups:
scored: true scored: true
- id: 2.1.6 - id: 2.1.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" text: Ensure that the --protect-kernel-defaults argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--protect-kernel-defaults" - flag: --protect-kernel-defaults
path: '{.protectKernelDefaults}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true . If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
@ -138,18 +151,21 @@ groups:
scored: true scored: true
- id: 2.1.7 - id: 2.1.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" text: Ensure that the --make-iptables-util-chains argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--make-iptables-util-chains" - flag: --make-iptables-util-chains
path: '{.makeIPTablesUtilChains}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
set: true - flag: --make-iptables-util-chains
- flag: "--make-iptables-util-chains" path: '{.makeIPTablesUtilChains}'
set: false set: false
bin_op: or
remediation: | remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true . If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
@ -162,11 +178,14 @@ groups:
scored: true scored: true
- id: 2.1.8 - id: 2.1.8
text: "Ensure that the --hostname-override argument is not set (Scored)" text: Ensure that the --hostname-override argument is not set (Scored)
audit: "ps -fC $kubeletbin" # This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "ps -fC $kubeletbin "
tests: tests:
test_items: test_items:
- flag: "--hostname-override" - flag: --hostname-override
set: false set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletsvc Edit the kubelet service file $kubeletsvc
@ -178,15 +197,17 @@ groups:
scored: true scored: true
- id: 2.1.9 - id: 2.1.9
text: "Ensure that the --event-qps argument is set to 0 (Scored)" text: Ensure that the --event-qps argument is set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--event-qps" - flag: --event-qps
path: '{.eventRecordQPS}'
set: true
compare: compare:
op: eq op: eq
value: 0 value: 0
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: 0 . If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
@ -199,15 +220,18 @@ groups:
scored: true scored: true
- id: 2.1.10 - id: 2.1.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
bin_op: and
test_items: test_items:
- flag: "--tls-cert-file" - flag: --tls-cert-file
path: '{.tlsCertFile}'
set: true set: true
- flag: "--tls-private-key-file" - flag: --tls-private-key-file
path: '{.tlsPrivateKeyFile}'
set: true set: true
bin_op: and
remediation: | remediation: |
If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
@ -223,19 +247,22 @@ groups:
scored: true scored: true
- id: 2.1.11 - id: 2.1.11
text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)" text: '[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0'
audit: "ps -fC $kubeletbin" # This is one of those properties that can only be set as a command line argument.
type: "skip" # To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "ps -fC $kubeletbin "
type: skip
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--cadvisor-port" - flag: --cadvisor-port
set: true
compare: compare:
op: eq op: eq
value: 0 value: 0
set: true - flag: --cadvisor-port
- flag: "--cadvisor-port"
set: false set: false
bin_op: or
remediation: | remediation: |
Edit the kubelet service file $kubeletsvc Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
@ -246,18 +273,21 @@ groups:
scored: false scored: false
- id: 2.1.12 - id: 2.1.12
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)" text: Ensure that the --rotate-certificates argument is not set to false (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--rotate-certificates" - flag: --rotate-certificates
path: '{.rotateCertificates}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
set: true - flag: --rotate-certificates
- flag: "--rotate-certificates" path: '{.rotateCertificates}'
set: false set: false
bin_op: or
remediation: | remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true. If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file $kubeletsvc If using command line arguments, edit the kubelet service file $kubeletsvc
@ -268,15 +298,17 @@ groups:
scored: true scored: true
- id: 2.1.13 - id: 2.1.13
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletServerCertificate" - flag: RotateKubeletServerCertificate
path: '{.featureGates.RotateKubeletServerCertificate}'
set: true
compare: compare:
op: eq op: eq
value: true value: true
set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletsvc Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
@ -287,208 +319,207 @@ groups:
scored: true scored: true
- id: 2.1.14 - id: 2.1.14
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)" text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
audit_config: "cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--tls-cipher-suites" - flag: --tls-cipher-suites
path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
set: true
compare: compare:
op: valid_elements op: valid_elements
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter. If using executable arguments, edit the kubelet service file $kubeletsvc on each worker node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false scored: false
- id: 2.2 - id: "2.2"
text: "Configuration Files" text: Configuration Files
checks: checks:
- id: 2.2.1 - id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or text: Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
more restrictive (Scored)" audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'' '
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'" tests:
tests: test_items:
bin_op: or - flag: "644"
test_items: set: true
- flag: "644" compare:
compare: op: eq
op: eq value: "644"
value: "644" - flag: "640"
set: true set: true
- flag: "640" compare:
compare: op: eq
op: eq value: "640"
value: "640" - flag: "600"
set: true set: true
- flag: "600" compare:
compare: op: eq
op: eq value: "600"
value: "600" bin_op: or
set: true remediation: |
remediation: | Run the below command (based on the file location on your system) on the each worker
Run the below command (based on the file location on your system) on the each worker node. For example,
node. For example, chmod 644 $kubeletkubeconfig
chmod 644 $kubeletkubeconfig scored: true
scored: true
- id: 2.2.2 - id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" text: Ensure that the kubelet.conf file ownership is set to root:root (Scored)
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'" audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: root:root
compare: set: true
op: eq compare:
value: root:root op: eq
set: true value: root:root
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $kubeletkubeconfig chown root:root $kubeletkubeconfig
scored: true scored: true
- id: 2.2.3 - id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or text: Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
more restrictive (Scored)" audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'' '
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'" tests:
tests: test_items:
bin_op: or - flag: "644"
test_items: set: true
- flag: "644" compare:
compare: op: eq
op: eq value: "644"
value: 644 - flag: "640"
set: true set: true
- flag: "640" compare:
compare: op: eq
op: eq value: "640"
value: "640" - flag: "600"
set: true set: true
- flag: "600" compare:
compare: op: eq
op: eq value: "600"
value: "600" bin_op: or
set: true remediation: |
remediation: | Run the below command (based on the file location on your system) on the each worker
Run the below command (based on the file location on your system) on the each worker node. For example,
node. For example, chmod 755 $kubeletsvc
chmod 755 $kubeletsvc scored: true
scored: true
- id: 2.2.4 - id: 2.2.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)" text: Ensure that the kubelet service file ownership is set to root:root (Scored)
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'" audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: root:root
set: true set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $kubeletsvc chown root:root $kubeletsvc
scored: true scored: true
- id: 2.2.5 - id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" text: Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'" audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
tests: tests:
bin_op: or test_items:
test_items: - flag: "644"
- flag: "644" set: true
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true - flag: "640"
- flag: "640" set: true
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true - flag: "600"
- flag: "600" set: true
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true bin_op: or
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chmod 644 $proxykubeconfig chmod 644 $proxykubeconfig
scored: true scored: true
- id: 2.2.6 - id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" text: Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'" audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: root:root
set: true set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker Run the below command (based on the file location on your system) on the each worker
node. For example, node. For example,
chown root:root $proxykubeconfig chown root:root $proxykubeconfig
scored: true scored: true
- id: 2.2.7 - id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
644 or more restrictive (Scored)" type: manual
type: "manual" tests: {}
remediation: | remediation: |
[Manual test] Run the following command to modify the file permissions of the --client-ca-file
Run the following command to modify the file permissions of the --client-ca-file chmod 644 <filename>
chmod 644 <filename> scored: true
scored: true
- id: 2.2.8 - id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" text: Ensure that the client certificate authorities file ownership is set to root:root (Scored)
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'" audit: '/bin/sh -c ''if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'' '
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: root:root
compare: set: true
op: eq compare:
value: root:root op: eq
set: true value: root:root
remediation: | remediation: |
Run the following command to modify the ownership of the --client-ca-file . Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename> chown root:root <filename>
scored: true scored: true
- id: 2.2.9 - id: 2.2.9
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)" text: Ensure that the kubelet configuration file ownership is set to root:root (Scored)
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: root:root
set: true set: true
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identied in the Audit step)
chown root:root $kubeletconf chown root:root $kubeletconf
scored: true scored: true
- id: 2.2.10 - id: 2.2.10
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" text: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
tests: tests:
bin_op: or test_items:
test_items: - flag: "644"
- flag: "644" set: true
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true - flag: "640"
- flag: "640" set: true
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true - flag: "600"
- flag: "600" set: true
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true bin_op: or
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identied in the Audit step)
chmod 644 $kubeletconf chmod 644 $kubeletconf
scored: true scored: true

View File

@ -102,6 +102,7 @@ node:
- "/etc/kubernetes/kubelet/kubelet-config.json" - "/etc/kubernetes/kubelet/kubelet-config.json"
- "/home/kubernetes/kubelet-config.yaml" - "/home/kubernetes/kubelet-config.yaml"
- "/etc/default/kubelet" - "/etc/default/kubelet"
- "/var/lib/kubelet/kubeconfig"
## Due to the fact that the kubelet might be configured ## Due to the fact that the kubelet might be configured
## without a kubelet-config file, we use a work-around ## without a kubelet-config file, we use a work-around
## of pointing to the systemd service file (which can also ## of pointing to the systemd service file (which can also

View File

@ -46,14 +46,12 @@ const (
MASTER NodeType = "master" MASTER NodeType = "master"
// NODE a node // NODE a node
NODE NodeType = "node" NODE NodeType = "node"
) // FEDERATED a federated deployment.
FEDERATED NodeType = "federated"
func handleError(err error, context string) (errmsg string) { // MANUAL Check Type
if err != nil { MANUAL string = "manual"
errmsg = fmt.Sprintf("%s, error: %s\n", context, err) )
}
return
}
// Check contains information about a recommendation in the // Check contains information about a recommendation in the
// CIS Kubernetes 1.6+ document. // CIS Kubernetes 1.6+ document.
@ -61,8 +59,10 @@ type Check struct {
ID string `yaml:"id" json:"test_number"` ID string `yaml:"id" json:"test_number"`
Text string `json:"test_desc"` Text string `json:"test_desc"`
Audit string `json:"audit"` Audit string `json:"audit"`
AuditConfig string `yaml:"audit_config"`
Type string `json:"type"` Type string `json:"type"`
Commands []*exec.Cmd `json:"omit"` Commands []*exec.Cmd `json:"omit"`
ConfigCommands []*exec.Cmd `json:"omit"`
Tests *tests `json:"omit"` Tests *tests `json:"omit"`
Set bool `json:"omit"` Set bool `json:"omit"`
Remediation string `json:"remediation"` Remediation string `json:"remediation"`
@ -94,6 +94,14 @@ func (r *defaultRunner) Run(c *Check) State {
// the results. // the results.
func (c *Check) run() State { func (c *Check) run() State {
// Since this is an Scored check
// without tests return a 'WARN' to alert
// the user that this check needs attention
if c.Scored && len(strings.TrimSpace(c.Type)) == 0 && c.Tests == nil {
c.State = WARN
return c.State
}
// If check type is skip, force result to INFO // If check type is skip, force result to INFO
if c.Type == "skip" { if c.Type == "skip" {
c.State = INFO c.State = INFO
@ -101,109 +109,72 @@ func (c *Check) run() State {
} }
// If check type is manual force result to WARN // If check type is manual force result to WARN
if c.Type == "manual" { if c.Type == MANUAL {
c.State = WARN c.State = WARN
return c.State return c.State
} }
var out bytes.Buffer lastCommand := c.Audit
var errmsgs string hasAuditConfig := c.ConfigCommands != nil
// Check if command exists or exit with WARN. state, finalOutput, retErrmsgs := performTest(c.Audit, c.Commands, c.Tests)
for _, cmd := range c.Commands { if len(state) > 0 {
if !isShellCommand(cmd.Path) { c.State = state
c.State = WARN return c.State
}
errmsgs := retErrmsgs
// If something went wrong with the 'Audit' command
// and an 'AuditConfig' command was provided, use it to
// execute tests
if (finalOutput == nil || !finalOutput.testResult) && hasAuditConfig {
lastCommand = c.AuditConfig
nItems := len(c.Tests.TestItems)
// The reason we're creating a copy of the "tests"
// is so that tests can executed
// with the AuditConfig command
// against the Path only
currentTests := &tests{
BinOp: c.Tests.BinOp,
TestItems: make([]*testItem, nItems),
}
for i := 0; i < nItems; i++ {
ti := c.Tests.TestItems[i]
nti := &testItem{
// Path is used to test Command Param values
// AuditConfig ==> Path
Path: ti.Path,
Set: ti.Set,
Compare: ti.Compare,
}
currentTests.TestItems[i] = nti
}
state, finalOutput, retErrmsgs = performTest(c.AuditConfig, c.ConfigCommands, currentTests)
if len(state) > 0 {
c.State = state
return c.State return c.State
} }
errmsgs += retErrmsgs
} }
// Run commands. if finalOutput != nil && finalOutput.testResult {
n := len(c.Commands) c.State = PASS
if n == 0 {
// Likely a warning message.
c.State = WARN
return c.State
}
// Each command runs,
// cmd0 out -> cmd1 in, cmd1 out -> cmd2 in ... cmdn out -> os.stdout
// cmd0 err should terminate chain
cs := c.Commands
// Initialize command pipeline
cs[n-1].Stdout = &out
i := 1
var err error
errmsgs = ""
for i < n {
cs[i-1].Stdout, err = cs[i].StdinPipe()
errmsgs += handleError(
err,
fmt.Sprintf("failed to run: %s\nfailed command: %s",
c.Audit,
cs[i].Args,
),
)
i++
}
// Start command pipeline
i = 0
for i < n {
err := cs[i].Start()
errmsgs += handleError(
err,
fmt.Sprintf("failed to run: %s\nfailed command: %s",
c.Audit,
cs[i].Args,
),
)
i++
}
// Complete command pipeline
i = 0
for i < n {
err := cs[i].Wait()
errmsgs += handleError(
err,
fmt.Sprintf("failed to run: %s\nfailed command:%s",
c.Audit,
cs[i].Args,
),
)
if i < n-1 {
cs[i].Stdout.(io.Closer).Close()
}
i++
}
glog.V(3).Info(out.String())
finalOutput := c.Tests.execute(out.String())
if finalOutput != nil {
c.ActualValue = finalOutput.actualResult c.ActualValue = finalOutput.actualResult
c.ExpectedResult = finalOutput.ExpectedResult c.ExpectedResult = finalOutput.ExpectedResult
if finalOutput.testResult { glog.V(3).Infof("Check.ID: %s Command: %q TestResult: %t Score: %q \n", c.ID, lastCommand, finalOutput.testResult, c.State)
c.State = PASS
} else {
if c.Scored {
c.State = FAIL
} else {
c.State = WARN
}
}
} else { } else {
errmsgs += handleError( if c.Scored {
fmt.Errorf("final output is nil"), c.State = FAIL
fmt.Sprintf("failed to run: %s\n", } else {
c.Audit, c.State = WARN
), }
) }
if finalOutput == nil {
glog.V(3).Infof("Check.ID: %s Command: %q TestResult: <<EMPTY>> \n", c.ID, lastCommand)
} }
if errmsgs != "" { if errmsgs != "" {
@ -216,6 +187,7 @@ func (c *Check) run() State {
// run into a slice of commands. // run into a slice of commands.
// TODO: Make this more robust. // TODO: Make this more robust.
func textToCommand(s string) []*exec.Cmd { func textToCommand(s string) []*exec.Cmd {
glog.V(3).Infof("textToCommand: %q\n", s)
cmds := []*exec.Cmd{} cmds := []*exec.Cmd{}
cp := strings.Split(s, "|") cp := strings.Split(s, "|")
@ -272,3 +244,86 @@ func isShellCommand(s string) bool {
} }
return false return false
} }
func performTest(audit string, commands []*exec.Cmd, tests *tests) (State, *testOutput, string) {
if len(strings.TrimSpace(audit)) == 0 {
return "", failTestItem("missing command"), ""
}
var out bytes.Buffer
state, retErrmsgs := runExecCommands(audit, commands, &out)
if len(state) > 0 {
return state, nil, ""
}
errmsgs := retErrmsgs
finalOutput := tests.execute(out.String())
if finalOutput == nil {
errmsgs += fmt.Sprintf("Final output is <<EMPTY>>. Failed to run: %s\n", audit)
}
return "", finalOutput, errmsgs
}
func runExecCommands(audit string, commands []*exec.Cmd, out *bytes.Buffer) (State, string) {
var err error
errmsgs := ""
// Check if command exists or exit with WARN.
for _, cmd := range commands {
if !isShellCommand(cmd.Path) {
return WARN, errmsgs
}
}
// Run commands.
n := len(commands)
if n == 0 {
// Likely a warning message.
return WARN, errmsgs
}
// Each command runs,
// cmd0 out -> cmd1 in, cmd1 out -> cmd2 in ... cmdn out -> os.stdout
// cmd0 err should terminate chain
cs := commands
// Initialize command pipeline
cs[n-1].Stdout = out
i := 1
for i < n {
cs[i-1].Stdout, err = cs[i].StdinPipe()
if err != nil {
errmsgs += fmt.Sprintf("failed to run: %s, command: %s, error: %s\n", audit, cs[i].Args, err)
}
i++
}
// Start command pipeline
i = 0
for i < n {
err := cs[i].Start()
if err != nil {
errmsgs += fmt.Sprintf("failed to run: %s, command: %s, error: %s\n", audit, cs[i].Args, err)
}
i++
}
// Complete command pipeline
i = 0
for i < n {
err := cs[i].Wait()
if err != nil {
errmsgs += fmt.Sprintf("failed to run: %s, command: %s, error: %s\n", audit, cs[i].Args, err)
}
if i < n-1 {
cs[i].Stdout.(io.Closer).Close()
}
i++
}
glog.V(3).Infof("Command %q - Output:\n\n %s\n", audit, out.String())
return "", errmsgs
}

View File

@ -25,14 +25,13 @@ func TestCheck_Run(t *testing.T) {
} }
testCases := []TestCase{ testCases := []TestCase{
{check: Check{Type: "manual"}, Expected: WARN}, {check: Check{Type: MANUAL}, Expected: WARN},
{check: Check{Type: "skip"}, Expected: INFO}, {check: Check{Type: "skip"}, Expected: INFO},
{check: Check{Type: "", Scored: false}, Expected: WARN}, // Not scored checks with no type should be marked warn {check: Check{Type: "", Scored: false}, Expected: WARN}, // Not scored checks with no type should be marked warn
{check: Check{Type: "", Scored: true}, Expected: WARN}, // If there are no tests in the check, warn {check: Check{Type: "", Scored: true}, Expected: WARN}, // If there are no tests in the check, warn
{check: Check{Type: "manual", Scored: false}, Expected: WARN}, {check: Check{Type: MANUAL, Scored: false}, Expected: WARN},
{check: Check{Type: "skip", Scored: false}, Expected: INFO}, {check: Check{Type: "skip", Scored: false}, Expected: INFO},
} }
for _, testCase := range testCases { for _, testCase := range testCases {
testCase.check.run() testCase.check.run()
@ -42,3 +41,55 @@ func TestCheck_Run(t *testing.T) {
} }
} }
} }
func TestCheckAuditConfig(t *testing.T) {
cases := []struct {
*Check
expected State
}{
{
controls.Groups[1].Checks[0],
"PASS",
},
{
controls.Groups[1].Checks[1],
"FAIL",
},
{
controls.Groups[1].Checks[2],
"FAIL",
},
{
controls.Groups[1].Checks[3],
"PASS",
},
{
controls.Groups[1].Checks[4],
"FAIL",
},
{
controls.Groups[1].Checks[5],
"PASS",
},
{
controls.Groups[1].Checks[6],
"FAIL",
},
{
controls.Groups[1].Checks[7],
"PASS",
},
{
controls.Groups[1].Checks[8],
"FAIL",
},
}
for _, c := range cases {
c.run()
if c.State != c.expected {
t.Errorf("%s, expected:%v, got:%v\n", c.Text, c.expected, c.State)
}
}
}

View File

@ -17,6 +17,7 @@ package check
import ( import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"github.com/golang/glog" "github.com/golang/glog"
"gopkg.in/yaml.v2" "gopkg.in/yaml.v2"
) )
@ -69,7 +70,12 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
// Prepare audit commands // Prepare audit commands
for _, group := range c.Groups { for _, group := range c.Groups {
for _, check := range group.Checks { for _, check := range group.Checks {
glog.V(3).Infof("Check.ID %s", check.ID)
check.Commands = textToCommand(check.Audit) check.Commands = textToCommand(check.Audit)
if len(check.AuditConfig) > 0 {
glog.V(3).Infof("Check.ID has audit_config %s", check.ID)
check.ConfigCommands = textToCommand(check.AuditConfig)
}
} }
} }

View File

@ -307,3 +307,116 @@ groups:
op: regex op: regex
value: '^1\.12.*$' value: '^1\.12.*$'
set: true set: true
- id: 2.1
text: "audit and audit_config commands"
checks:
- id: 0
text: "audit finds flag and passes, audit_config doesn't exist -> pass"
audit: "echo flag=correct"
tests:
test_items:
- flag: "flag"
compare:
op: eq
value: "correct"
set: true
scored: true
- id: 1
text: "audit finds flag and fails, audit_config doesn't exist -> fail"
audit: "echo flag=wrong"
tests:
test_items:
- flag: "flag"
compare:
op: eq
value: "correct"
set: true
scored: true
- id: 2
text: "audit doesn't find flag, audit_config doesn't exist -> fail"
audit: "echo somethingElse=correct"
tests:
test_items:
- flag: "flag"
compare:
op: eq
value: "correct"
set: true
scored: true
- id: 3
text: "audit doesn't find flag, audit_config has correct setting -> pass"
audit: "echo somethingElse=correct"
audit_config: "echo 'flag: correct'"
tests:
test_items:
- flag: "flag"
path: "{.flag}"
compare:
op: eq
value: "correct"
set: true
scored: true
- id: 4
text: "audit doesn't find flag, audit_config has wrong setting -> fail"
audit: "echo somethingElse=correct"
audit_config: "echo 'flag: wrong'"
tests:
test_items:
- flag: "flag"
path: "{.flag}"
compare:
op: eq
value: "correct"
set: true
scored: true
- id: 5
text: "audit finds correct flag, audit_config has wrong setting -> pass"
audit: "echo flag=correct"
audit_config: "echo 'flag: wrong'"
tests:
test_items:
- flag: "flag"
path: "{.flag}"
compare:
op: eq
value: "correct"
set: true
scored: true
- id: 6
text: "neither audit nor audit_config has correct setting -> fail"
audit: "echo flag=wrong"
audit_config: "echo 'flag: wrong'"
tests:
test_items:
- flag: "flag"
path: "{.flag}"
compare:
op: eq
value: "correct"
set: true
scored: true
- id: 7
text: "audit isn't present, superfluous flag field,audit_config is correct -> pass"
audit_config: "echo 'flag: correct'"
tests:
test_items:
- flag: "flag"
path: "{.flag}"
compare:
op: eq
value: "correct"
set: true
scored: true
- id: 8
text: "audit isn't present, superfluous flag field,audit_config is wrong -> fail"
audit_config: "echo 'flag: wrong'"
tests:
test_items:
- flag: "flag"
path: "{.flag}"
compare:
op: eq
value: "correct"
set: true
scored: true

View File

@ -216,6 +216,7 @@ func loadConfig(nodetype check.NodeType) string {
exitWithError(fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err)) exitWithError(fmt.Errorf("Version check failed: %s\nAlternatively, you can specify the version with --version", err))
} }
} }
path, err := getConfigFilePath(kubeVersion, runningVersion, file) path, err := getConfigFilePath(kubeVersion, runningVersion, file)
if err != nil { if err != nil {
exitWithError(fmt.Errorf("can't find %s controls file in %s: %v", nodetype, cfgDir, err)) exitWithError(fmt.Errorf("can't find %s controls file in %s: %v", nodetype, cfgDir, err))