mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-25 17:38:21 +00:00
Fixing OCP checks for rh-1.0 (#1259)
This commit is contained in:
parent
377a05f872
commit
3b8379f081
@ -40,9 +40,9 @@ groups:
|
|||||||
#To view openshift apiserver log files
|
#To view openshift apiserver log files
|
||||||
oc adm node-logs --role=master --path=openshift-apiserver/
|
oc adm node-logs --role=master --path=openshift-apiserver/
|
||||||
#To verify kube apiserver audit config
|
#To verify kube apiserver audit config
|
||||||
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]'
|
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]?'
|
||||||
#To verify openshift apiserver audit config
|
#To verify openshift apiserver audit config
|
||||||
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]'
|
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]?'
|
||||||
type: manual
|
type: manual
|
||||||
remediation: |
|
remediation: |
|
||||||
No remediation required.
|
No remediation required.
|
||||||
@ -52,9 +52,9 @@ groups:
|
|||||||
text: "Ensure that the audit policy covers key security concerns (Manual)"
|
text: "Ensure that the audit policy covers key security concerns (Manual)"
|
||||||
audit: |
|
audit: |
|
||||||
#To verify openshift apiserver audit config
|
#To verify openshift apiserver audit config
|
||||||
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]'
|
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'
|
||||||
#To verify kube apiserver audit config
|
#To verify kube apiserver audit config
|
||||||
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]'
|
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'
|
||||||
type: manual
|
type: manual
|
||||||
remediation: |
|
remediation: |
|
||||||
In OpenShift 4.6 and higher, if appropriate for your needs,
|
In OpenShift 4.6 and higher, if appropriate for your needs,
|
||||||
|
@ -57,7 +57,7 @@ groups:
|
|||||||
# Returns 0 if found, 1 if not found
|
# Returns 0 if found, 1 if not found
|
||||||
for i in $(oc get pods -oname -n openshift-etcd)
|
for i in $(oc get pods -oname -n openshift-etcd)
|
||||||
do
|
do
|
||||||
oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --auto-tls=true 2>&1>/dev/null ; echo exit_code=$?
|
oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --auto-tls=true 2>/dev/null ; echo exit_code=$?
|
||||||
done 2>/dev/null
|
done 2>/dev/null
|
||||||
use_multiple_values: true
|
use_multiple_values: true
|
||||||
tests:
|
tests:
|
||||||
@ -118,7 +118,7 @@ groups:
|
|||||||
# Returns 0 if found, 1 if not found
|
# Returns 0 if found, 1 if not found
|
||||||
for i in $(oc get pods -oname -n openshift-etcd)
|
for i in $(oc get pods -oname -n openshift-etcd)
|
||||||
do
|
do
|
||||||
oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>&1>/dev/null ; echo exit_code=$?
|
oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>/dev/null ; echo exit_code=$?
|
||||||
done 2>/dev/null
|
done 2>/dev/null
|
||||||
use_multiple_values: true
|
use_multiple_values: true
|
||||||
tests:
|
tests:
|
||||||
|
@ -129,7 +129,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.1.8
|
- id: 1.1.8
|
||||||
text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
|
text: "Ensure that the etcd pod specification file ownership is set to root:root (Manual)"
|
||||||
audit: |
|
audit: |
|
||||||
for i in $( oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd )
|
for i in $( oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd )
|
||||||
do
|
do
|
||||||
@ -141,7 +141,7 @@ groups:
|
|||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
remediation: |
|
remediation: |
|
||||||
No remediation required; file permissions are managed by the operator.
|
No remediation required; file permissions are managed by the operator.
|
||||||
scored: true
|
scored: false
|
||||||
|
|
||||||
- id: 1.1.9
|
- id: 1.1.9
|
||||||
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
|
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
|
||||||
@ -316,7 +316,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.1.19
|
- id: 1.1.19
|
||||||
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
|
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Manual)"
|
||||||
audit: |
|
audit: |
|
||||||
# Should return root:root for all files and directories
|
# Should return root:root for all files and directories
|
||||||
for i in $(oc -n openshift-kube-apiserver get pod -l app=openshift-kube-apiserver -o jsonpath='{.items[*].metadata.name}')
|
for i in $(oc -n openshift-kube-apiserver get pod -l app=openshift-kube-apiserver -o jsonpath='{.items[*].metadata.name}')
|
||||||
@ -334,7 +334,7 @@ groups:
|
|||||||
- flag: "root:root"
|
- flag: "root:root"
|
||||||
remediation: |
|
remediation: |
|
||||||
No remediation required; file permissions are managed by the operator.
|
No remediation required; file permissions are managed by the operator.
|
||||||
scored: true
|
scored: false
|
||||||
|
|
||||||
- id: 1.1.20
|
- id: 1.1.20
|
||||||
text: "Ensure that the OpenShift PKI certificate file permissions are set to 644 or more restrictive (Manual)"
|
text: "Ensure that the OpenShift PKI certificate file permissions are set to 644 or more restrictive (Manual)"
|
||||||
@ -381,9 +381,9 @@ groups:
|
|||||||
text: "Ensure that anonymous requests are authorized (Manual)"
|
text: "Ensure that anonymous requests are authorized (Manual)"
|
||||||
audit: |
|
audit: |
|
||||||
# To verify that userGroups include system:unauthenticated
|
# To verify that userGroups include system:unauthenticated
|
||||||
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]'
|
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'
|
||||||
# To verify that userGroups include system:unauthenticated
|
# To verify that userGroups include system:unauthenticated
|
||||||
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[].userGroups'
|
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?.userGroups'
|
||||||
# To verify RBAC is enabled
|
# To verify RBAC is enabled
|
||||||
oc get clusterrolebinding
|
oc get clusterrolebinding
|
||||||
oc get clusterrole
|
oc get clusterrole
|
||||||
|
@ -199,7 +199,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 4.2.2
|
- id: 4.2.2
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Manual)"
|
||||||
type: manual
|
type: manual
|
||||||
# Takes a lot of time for connection to fail and
|
# Takes a lot of time for connection to fail and
|
||||||
audit: |
|
audit: |
|
||||||
@ -215,7 +215,7 @@ groups:
|
|||||||
- flag: "Connection timed out"
|
- flag: "Connection timed out"
|
||||||
remediation: |
|
remediation: |
|
||||||
None required. Unauthenticated/Unauthorized users have no access to OpenShift nodes.
|
None required. Unauthenticated/Unauthorized users have no access to OpenShift nodes.
|
||||||
scored: true
|
scored: false
|
||||||
|
|
||||||
- id: 4.2.3
|
- id: 4.2.3
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
||||||
@ -346,7 +346,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 4.2.9
|
- id: 4.2.9
|
||||||
text: "Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture (Automated)"
|
text: "Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture (Manual)"
|
||||||
audit: |
|
audit: |
|
||||||
for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}');
|
for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}');
|
||||||
do
|
do
|
||||||
@ -359,7 +359,7 @@ groups:
|
|||||||
Follow the documentation to edit kubelet parameters
|
Follow the documentation to edit kubelet parameters
|
||||||
https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters
|
https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters
|
||||||
KubeAPIQPS: <QPS>
|
KubeAPIQPS: <QPS>
|
||||||
scored: true
|
scored: false
|
||||||
|
|
||||||
- id: 4.2.10
|
- id: 4.2.10
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
|
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
|
||||||
|
Loading…
Reference in New Issue
Block a user