From 48e33d33e5fe83e1d775e6a3acea00cba83898c3 Mon Sep 17 00:00:00 2001
From: Murali Paluru
Date: Tue, 7 Jan 2020 18:01:07 +0530
Subject: [PATCH] fix mismatching checks, tests (#544)
---
 cfg/cis-1.3/master.yaml              |  8 +++---
 cfg/cis-1.4/master.yaml              | 38 ++++++++++++++--------------
 integration/testdata/job-master.data | 22 ++++++++--------
 integration/testdata/job.data        | 22 ++++++++--------
 4 files changed, 45 insertions(+), 45 deletions(-)
diff --git a/cfg/cis-1.3/master.yaml b/cfg/cis-1.3/master.yaml
index 8dbbe0f..45f64b4 100644
--- a/cfg/cis-1.3/master.yaml
+++ b/cfg/cis-1.3/master.yaml
@@ -1437,7 +1437,7 @@ groups:
     scored: false
 
   - id: 1.7.2
-    text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
+    text: "Do not admit containers wishing to share the host process ID namespace (Scored)"
     type: "manual"
     remediation: |
       [Manual test]
@@ -1445,7 +1445,7 @@ groups:
     scored: false
 
   - id: 1.7.3
-    text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
+    text: "Do not admit containers wishing to share the host IPC namespace (Scored)"
     type: "manual"
     remediation: |
       [Manual test]
@@ -1453,7 +1453,7 @@ groups:
     scored: false
 
   - id: 1.7.4
-    text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
+    text: "Do not admit containers wishing to share the host network namespace (Scored)"
     type: "manual"
     remediation: |
       [Manual test]
@@ -1461,7 +1461,7 @@ groups:
     scored: false
 
   - id: 1.7.5
-    text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)"
+    text: "Do not admit containers with allowPrivilegeEscalation (Scored)"
     type: "manual"
     remediation: |
       [Manual test]
diff --git a/cfg/cis-1.4/master.yaml b/cfg/cis-1.4/master.yaml
index af9f954..c206623 100644
--- a/cfg/cis-1.4/master.yaml
+++ b/cfg/cis-1.4/master.yaml
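Review bot: The four retitled checks now say "(Scored)" but the `scored:` field that kube-bench actually uses for scoring was left untouched — the `scored: false` context line that opens the 1.7.3, 1.7.4 and 1.7.5 hunks is the closing line of 1.7.2, 1.7.3 and 1.7.4 respectively, so title and field now disagree (1.7.5's own `scored:` line lies outside the hunk). If the CIS 1.3 text indeed scores these items, the field should follow the title, `    scored: true` on each of the four, with the fixture summaries adjusted to match. Since all four remain `type: "manual"`, this only changes how the result is reported and counted; nothing here verifies that a PodSecurityPolicy actually rejects hostPID/hostIPC/hostNetwork or allowPrivilegeEscalation, so the remediation text is still the only guidance an operator gets.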
@@ -497,6 +497,21 @@ groups:
     scored: true
 
   - id: 1.1.30
+    text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
+    audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+    tests:
+      test_items:
+      - flag: "--etcd-cafile"
+        set: true
+    remediation: |
+      Follow the Kubernetes documentation and set up the TLS connection between the
+      apiserver and etcd. Then, edit the API server pod specification file
+      $apiserverconf on the master node and set the etcd
+      certificate authority file parameter.
+      --etcd-cafile=
+    scored: true
+
+  - id: 1.1.31
     text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
     audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
     tests:
@@ -512,21 +527,6 @@ groups:
       --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
     scored: false
 
-  - id: 1.1.31
-    text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
-    audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
-    tests:
-      test_items:
-      - flag: "--etcd-cafile"
-        set: true
-    remediation: |
-      Follow the Kubernetes documentation and set up the TLS connection between the
-      apiserver and etcd. Then, edit the API server pod specification file
-      $apiserverconf on the master node and set the etcd
-      certificate authority file parameter.
-      --etcd-cafile=
-    scored: true
-
   - id: 1.1.32
     text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
     audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
     tests:
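Review bot: The relocated 1.1.30 check asserts only that `--etcd-cafile` occurs in the kube-apiserver command line (`set: true`), so a PASS means the flag is present, not that it names an existing CA bundle or that etcd's serving certificate chains to it. That is consistent with the neighbouring flag checks and appears to be all this test format can express, but the remediation should say so, since operators tend to read a scored PASS as proof of a verified apiserver-to-etcd TLS path; e.g. append `Verify that the referenced CA file exists on the master and is the CA that signed the etcd serving certificate.` to the remediation block. The added `text`/`audit`/`tests`/`remediation` lines look identical to the block removed below as 1.1.31, so the move itself seems to be renumbering only, with no change in what is tested.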
@@ -1501,7 +1501,7 @@ groups:
     scored: false
 
   - id: 1.7.2
-    text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
+    text: "Do not admit containers wishing to share the host process ID namespace (Scored)"
     type: "manual"
     remediation: |
       [Manual test]
@@ -1509,7 +1509,7 @@ groups:
     scored: false
 
   - id: 1.7.3
-    text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
+    text: "Do not admit containers wishing to share the host IPC namespace (Scored)"
     type: "manual"
     remediation: |
       [Manual test]
@@ -1517,7 +1517,7 @@ groups:
     scored: false
 
   - id: 1.7.4
-    text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
+    text: "Do not admit containers wishing to share the host network namespace (Scored)"
     type: "manual"
     remediation: |
       [Manual test]
@@ -1525,7 +1525,7 @@ groups:
     scored: false
 
   - id: 1.7.5
-    text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"
+    text: " Do not admit containers with allowPrivilegeEscalation (Scored)"
     type: "manual"
     remediation: |
       [Manual test]
diff --git a/integration/testdata/job-master.data b/integration/testdata/job-master.data
index 24939bd..94b4742 100644
--- a/integration/testdata/job-master.data
+++ b/integration/testdata/job-master.data
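Review bot: The rewritten 1.7.5 title keeps a stray leading space inside the string, `text: " Do not admit containers with allowPrivilegeEscalation (Scored)"`, which presumably renders as a double space after the ID and is out of step with every other title in the section; since the line is being edited anyway it should become `text: "Do not admit containers with allowPrivilegeEscalation (Scored)"`. Separately, the "(Scored)" relabel of 1.7.2–1.7.5 is not mirrored in the `scored:` field: the `scored: false` that opens the 1.7.3, 1.7.4 and 1.7.5 hunks belongs to 1.7.2, 1.7.3 and 1.7.4, so title and field now contradict each other (1.7.5's own `scored:` line is outside the hunk). If CIS 1.4 does score these items, each should carry `    scored: true` and the integration fixtures' totals be updated; whether the fixture tolerates the double space cannot be told from the collapsed rendering of the test data here.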
@@ -29,8 +29,8 @@
 [PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
 [FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
 [FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
-[WARN] 1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
-[FAIL] 1.1.31 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
+[FAIL] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
+[WARN] 1.1.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
 [FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
 [FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
 [FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
@@ -92,10 +92,10 @@
 [WARN] 1.6.8 Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)
 [INFO] 1.7 PodSecurityPolicies
 [WARN] 1.7.1 Do not admit privileged containers (Not Scored)
-[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Not Scored)
-[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Not Scored)
-[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Not Scored)
-[WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Not Scored)
+[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Scored)
+[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Scored)
+[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Scored)
+[WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Scored)
 [WARN] 1.7.6 Do not admit root containers (Not Scored)
 [WARN] 1.7.7 Do not admit containers with dangerous capabilities (Not Scored)
 
@@ -194,16 +194,16 @@ Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-
 on the master node and set the client certificate authority file.
 --client-ca-file=
 
-1.1.30 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
-
-1.1.31 Follow the Kubernetes documentation and set up the TLS connection between the
+1.1.30 Follow the Kubernetes documentation and set up the TLS connection between the
 apiserver and etcd. Then, edit the API server pod specification file
 /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
 certificate authority file parameter.
 --etcd-cafile=
 
+1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+on the master node and set the below parameter.
+--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+
 1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the --authorization-mode parameter to a value that includes Node.
diff --git a/integration/testdata/job.data b/integration/testdata/job.data
index df7eea8..1244a50 100644
--- a/integration/testdata/job.data
+++ b/integration/testdata/job.data
@@ -29,8 +29,8 @@
 [PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
 [FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
 [FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
-[WARN] 1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
-[FAIL] 1.1.31 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
+[FAIL] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
+[WARN] 1.1.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
 [FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
 [FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
 [FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
@@ -92,10 +92,10 @@
 [WARN] 1.6.8 Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)
 [INFO] 1.7 PodSecurityPolicies
 [WARN] 1.7.1 Do not admit privileged containers (Not Scored)
-[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Not Scored)
-[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Not Scored)
-[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Not Scored)
-[WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Not Scored)
+[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Scored)
+[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Scored)
+[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Scored)
+[WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Scored)
 [WARN] 1.7.6 Do not admit root containers (Not Scored)
 [WARN] 1.7.7 Do not admit containers with dangerous capabilities (Not Scored)
 
@@ -194,16 +194,16 @@ Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-
 on the master node and set the client certificate authority file.
 --client-ca-file=
 
-1.1.30 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
-
-1.1.31 Follow the Kubernetes documentation and set up the TLS connection between the
+1.1.30 Follow the Kubernetes documentation and set up the TLS connection between the
 apiserver and etcd. Then, edit the API server pod specification file
 /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
 certificate authority file parameter.
 --etcd-cafile=
 
+1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+on the master node and set the below parameter.
+--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+
 1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the --authorization-mode parameter to a value that includes Node.