diff --git a/cfg/1.6/federated.yaml b/cfg/1.6/federated.yaml index c0e1021..c6b928b 100644 --- a/cfg/1.6/federated.yaml +++ b/cfg/1.6/federated.yaml @@ -2,14 +2,14 @@ controls: version: 1.6 id: 3 -text: "Federated Deployments" +description: "Federated Deployments" type: "federated" groups: - id: 3.1 - text: "Federation API Server" + description: "Federation API Server" checks: - id: 3.1.1 - text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + description: "Ensure that the --anonymous-auth argument is set to false (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -23,7 +23,7 @@ groups: scored: true - id: 3.1.2 - text: "Ensure that the --basic-auth-file argument is not set (Scored)" + description: "Ensure that the --basic-auth-file argument is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -35,7 +35,7 @@ groups: scored: true - id: 3.1.3 - text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" + description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -46,7 +46,7 @@ groups: scored: true - id: 3.1.4 - text: "Ensure that the --insecure-bind-address argument is not set (Scored)" + description: "Ensure that the --insecure-bind-address argument is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -57,7 +57,7 @@ groups: scored: true - id: 3.1.5 - text: "Ensure that the --insecure-port argument is set to 0 (Scored)" + description: "Ensure that the --insecure-port argument is set to 0 (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: 
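Review bot: Renaming the top-level `text` key to `description` in the first hunk of cfg/1.6/federated.yaml (and in every other hunk of this diff) changes the schema of the control files, yet no change to the code that loads them is visible here. If the loader still reads `text`, a non-strict YAML decoder will not fail but will leave every control, group and check description empty, so the reader-side rename should land in the same commit or be verified against it. A load test that parses each cfg file and asserts that no `description` is empty would catch this kind of drift.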
@@ -71,7 +71,7 @@ groups: scored: true - id: 3.1.6 - text: "Ensure that the --secure-port argument is not set to 0 (Scored)" + description: "Ensure that the --secure-port argument is not set to 0 (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: or @@ -88,7 +88,7 @@ groups: scored: true - id: 3.1.7 - text: "Ensure that the --profiling argument is set to false (Scored)" + description: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -102,7 +102,7 @@ groups: score: true - id: 3.1.8 - text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" + description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -117,7 +117,7 @@ groups: scored: true - id: 3.1.9 - text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" + description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -131,7 +131,7 @@ groups: scored: true - id: 3.1.10 - text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" + description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -142,7 +142,7 @@ groups: scored: true - id: 3.1.11 - text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: 
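Review bot: The context line `score: true` just above `- id: 3.1.8` in the `@@ -102,7` hunk belongs to check 3.1.7 and is a typo for `scored: true`; the same line appears in the `@@ -102,7` hunk of cfg/1.7/federated.yaml later in this diff. Unless the loader rejects unknown keys, the profiling check silently gets the default for `scored` instead of the intended value, so its result is reported inconsistently with every other scored check. Fix both occurrences: `scored: true`.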
@@ -156,7 +156,7 @@ groups: scored: true - id: 3.1.12 - text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -170,7 +170,7 @@ groups: scored: true - id: 3.1.13 - text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -184,7 +184,7 @@ groups: scored: true - id: 3.1.14 - text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -198,7 +198,7 @@ groups: scored: true - id: 3.1.15 - text: "Ensure that the --token-auth-file parameter is not set (Scored)" + description: "Ensure that the --token-auth-file parameter is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -210,7 +210,7 @@ groups: scored: true - id: 3.1.16 - text: "Ensure that the --service-account-lookup argument is set to true (Scored)" + description: "Ensure that the --service-account-lookup argument is set to true (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -224,7 +224,7 @@ groups: scored: true - id: 3.1.17 - text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" + description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: 
@@ -235,7 +235,7 @@ groups: scored: true - id: 3.1.18 - text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" + description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: and @@ -252,7 +252,7 @@ groups: scored: true - id: 3.1.19 - text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: and @@ -268,10 +268,10 @@ groups: scored: true - id: 3.2 - text: "Federation Controller Manager" + description: "Federation Controller Manager" checks: - id: 3.2.1 - text: "Ensure that the --profiling argument is set to false (Scored)" + description: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep" tests: test_items: diff --git a/cfg/1.6/master.yaml b/cfg/1.6/master.yaml index 1db170f..516b82e 100644 --- a/cfg/1.6/master.yaml +++ b/cfg/1.6/master.yaml @@ -2,14 +2,14 @@ controls: version: 1.6 id: 1 -text: "Master Node Security Configuration" +description: "Master Node Security Configuration" type: "master" groups: - id: 1.1 - text: "API Server" + description: "API Server" checks: - id: 1.1.1 - text: "Ensure that the --allow-privileged argument is set to false (Scored)" + description: "Ensure that the --allow-privileged argument is set to false (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -23,7 +23,7 @@ groups: scored: true - id: 1.1.2 - text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + description: "Ensure that the --anonymous-auth argument is set to false (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: 
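Review bot: The new line for 3.1.18 in the `@@ -235,7` hunk carries over an unbalanced parenthesis, `(Scored` without the closing `)`, and the same string appears for 1.1.27 in the `@@ -367,7` hunk of cfg/1.6/master.yaml. Since the commit is rewriting exactly these lines it is the right moment to correct them: `description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"`.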
@@ -37,7 +37,7 @@ groups: scored: true - id: 1.1.3 - text: "Ensure that the --basic-auth-file argument is not set (Scored)" + description: "Ensure that the --basic-auth-file argument is not set (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -50,7 +50,7 @@ groups: scored: true - id: 1.1.4 - text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" + description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -61,7 +61,7 @@ groups: scored: true - id: 1.1.5 - text: "Ensure that the --kubelet-https argument is set to true (Scored)" + description: "Ensure that the --kubelet-https argument is set to true (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: or @@ -78,7 +78,7 @@ groups: scored: true - id: 1.1.6 - text: "Ensure that the --insecure-bind-address argument is not set (Scored)" + description: "Ensure that the --insecure-bind-address argument is not set (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -89,7 +89,7 @@ groups: scored: true - id: 1.1.7 - text: "Ensure that the --insecure-port argument is set to 0 (Scored)" + description: "Ensure that the --insecure-port argument is set to 0 (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -103,7 +103,7 @@ groups: scored: true - id: 1.1.8 - text: "Ensure that the --secure-port argument is not set to 0 (Scored)" + description: "Ensure that the --secure-port argument is not set to 0 (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: or @@ -121,7 +121,7 @@ groups: scored: true - id: 1.1.9 - text: "Ensure that the --profiling argument is set to false (Scored)" + description: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: 
@@ -135,7 +135,7 @@ groups: scored: true - id: 1.1.10 - text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" + description: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -149,7 +149,7 @@ groups: scored: true - id: 1.1.11 - text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" + description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -163,7 +163,7 @@ groups: scored: true - id: 1.1.12 - text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)" + description: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -177,7 +177,7 @@ groups: scored: true - id: 1.1.13 - text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)" + description: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -191,7 +191,7 @@ groups: scored: true - id: 1.1.14 - text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)" + description: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -205,7 +205,7 @@ groups: scored: true - id: 1.1.15 - text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" + description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: 
@@ -219,7 +219,7 @@ groups: scored: true - id: 1.1.16 - text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" + description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -230,7 +230,7 @@ groups: scored: true - id: 1.1.17 - text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -244,7 +244,7 @@ groups: scored: true - id: 1.1.18 - text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -258,7 +258,7 @@ groups: scored: true - id: 1.1.19 - text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -272,7 +272,7 @@ groups: scored: true - id: 1.1.20 - text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -286,7 +286,7 @@ groups: scored: true - id: 1.1.21 - text: "Ensure that the --token-auth-file parameter is not set (Scored)" + description: "Ensure that the --token-auth-file parameter is not set (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: 
@@ -298,7 +298,7 @@ groups: scored: true - id: 1.1.22 - text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" + description: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -311,7 +311,7 @@ groups: scored: true - id: 1.1.23 - text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" + description: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: and @@ -327,7 +327,7 @@ groups: scored: true - id: 1.1.24 - text: "Ensure that the --service-account-lookup argument is set to true (Scored)" + description: "Ensure that the --service-account-lookup argument is set to true (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -341,7 +341,7 @@ groups: scored: true - id: 1.1.25 - text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)" + description: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -356,7 +356,7 @@ groups: scored: true - id: 1.1.26 - text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" + description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -367,7 +367,7 @@ groups: scored: true - id: 1.1.27 - text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" + description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: and 
@@ -383,7 +383,7 @@ groups: scored: true - id: 1.1.28 - text: "Ensure that the admission control policy is set to ServiceAccount (Scored)" + description: "Ensure that the admission control policy is set to ServiceAccount (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -398,7 +398,7 @@ groups: scored: true - id: 1.1.29 - text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: and @@ -414,7 +414,7 @@ groups: scored: true - id: 1.1.30 - text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" + description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -426,7 +426,7 @@ groups: scored: true - id: 1.1.31 - text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" + description: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -438,10 +438,10 @@ groups: scored: true - id: 1.2 - text: "Scheduler" + description: "Scheduler" checks: - id: 1.2.1 - text: "Ensure that the --profiling argument is set to false (Scored)" + description: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $schedulerbin | grep -v grep" tests: test_items: 
@@ -455,10 +455,10 @@ groups: scored: true - id: 1.3 - text: "Controller Manager" + description: "Controller Manager" checks: - id: 1.3.1 - text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" + description: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: @@ -469,7 +469,7 @@ groups: scored: true - id: 1.3.2 - text: "Ensure that the --profiling argument is set to false (Scored)" + description: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: @@ -483,7 +483,7 @@ groups: scored: true - id: 1.3.3 - text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)" + description: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: @@ -495,7 +495,7 @@ groups: scored: true - id: 1.3.4 - text: "Ensure that the --use-service-account-credentials argument is set" + description: "Ensure that the --use-service-account-credentials argument is set" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: @@ -509,7 +509,7 @@ groups: scored: true - id: 1.3.5 - text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" + description: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: @@ -520,7 +520,7 @@ groups: scored: true - id: 1.3.6 - text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" + description: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: 
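Review bot: The description of 1.3.4 in the `@@ -495,7` hunk is the only one in this group without a `(Scored)` / `(Not Scored)` suffix, while the context line below it says `scored: true`. For consistency with the other rewritten descriptions, `description: "Ensure that the --use-service-account-credentials argument is set (Scored)"`.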
@@ -531,10 +531,10 @@ groups: scored: true - id: 1.4 - text: "Configure Files" + description: "Configure Files" checks: - id: 1.4.1 - text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" tests: @@ -560,7 +560,7 @@ groups: scored: true - id: 1.4.2 - text: "Ensure that the apiserver file ownership is set to root:root (Scored)" + description: "Ensure that the apiserver file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" tests: test_items: @@ -574,7 +574,7 @@ groups: scored: true - id: 1.4.3 - text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" tests: bin_op: or @@ -599,7 +599,7 @@ groups: scored: true - id: 1.4.4 - text: "Ensure that the config file ownership is set to root:root (Scored)" + description: "Ensure that the config file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'" tests: test_items: @@ -613,7 +613,7 @@ groups: scored: true - id: 1.4.5 - text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" tests: bin_op: or 
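Review bot: The `@@ -531,10` hunk keeps the commented-out `# audit: "/bin/bash -c '...'"` line directly above the live `/bin/sh` audit for 1.4.1; it is dead configuration that a reader can mistake for the active command. Drop the commented line, since version history already records the bash-to-sh switch.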
@@ -638,7 +638,7 @@ groups: scored: true - id: 1.4.6 - text: "Ensure that the scheduler file ownership is set to root:root (Scored)" + description: "Ensure that the scheduler file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" tests: test_items: @@ -652,7 +652,7 @@ groups: scored: true - id: 1.4.7 - text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" tests: bin_op: or @@ -677,7 +677,7 @@ groups: scored: true - id: 1.4.8 - text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)" + description: "Ensure that the etcd.conf file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" tests: test_items: @@ -691,7 +691,7 @@ groups: scored: true - id: 1.4.9 - text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'" tests: bin_op: or @@ -716,7 +716,7 @@ groups: scored: true - id: 1.4.10 - text: "Ensure that the flanneld file ownership is set to root:root (Scored)" + description: "Ensure that the flanneld file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'" tests: test_items: 
@@ -730,7 +730,7 @@ groups: scored: true - id: 1.4.11 - text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" + description: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a tests: test_items: @@ -747,7 +747,7 @@ groups: scored: true - id: 1.4.12 - text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" + description: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G tests: test_items: @@ -761,10 +761,10 @@ groups: scored: true - id: 1.5 - text: "etcd" + description: "etcd" checks: - id: 1.5.1 - text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" + description: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: @@ -776,7 +776,7 @@ groups: scored: true - id: 1.5.2 - text: "Ensure that the --client-cert-auth argument is set to true (Scored)" + description: "Ensure that the --client-cert-auth argument is set to true (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: @@ -792,7 +792,7 @@ groups: scored: true - id: 1.5.3 - text: "Ensure that the --auto-tls argument is not set to true (Scored)" + description: "Ensure that the --auto-tls argument is not set to true (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: bin_op: or 
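Review bot: The `audit:` values in the `@@ -730,7` and `@@ -747,7` hunks (1.4.11 and 1.4.12) are the only unquoted audit commands in the file; they parse as plain scalars today, but a plain scalar holding `%`, `\(` and pipes is fragile, and a later edit that introduces `: ` or ` #` would silently change the value. Quote them like their neighbours, escaping the backslashes for the double-quoted form: `audit: "ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\\(\\S*\\)%\\1%' | xargs stat -c %a"`. Separately, if `--data-dir` is absent from the etcd command line the sed substitution presumably leaves the whole ps line intact and `xargs stat` is run on each of its tokens, so the check would then report on unrelated paths — worth confirming how the test items treat that output.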
@@ -810,7 +810,7 @@ groups: scored: true - id: 1.5.4 - text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" + description: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: @@ -825,7 +825,7 @@ groups: scored: true - id: 1.5.5 - text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" + description: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: @@ -843,7 +843,7 @@ groups: scored: true - id: 1.5.6 - text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" + description: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: bin_op: or @@ -864,7 +864,7 @@ groups: scored: true - id: 1.5.7 - text: "Ensure that the --wal-dir argument is set as appropriate (Scored)" + description: "Ensure that the --wal-dir argument is set as appropriate (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: @@ -877,7 +877,7 @@ groups: scored: true - id: 1.5.8 - text: "Ensure that the --max-wals argument is set to 0 (Scored)" + description: "Ensure that the --max-wals argument is set to 0 (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: @@ -893,7 +893,7 @@ groups: scored: true - id: 1.5.9 - text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" + description: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: 
@@ -904,16 +904,16 @@ groups: scored: false - id: 1.6 - text: "General Security Primitives" + description: "General Security Primitives" checks: - id: 1.6.1 - text: "Ensure that the cluster-admin role is only used where required (Not Scored)" + description: "Ensure that the cluster-admin role is only used where required (Not Scored)" type: "manual" remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]" scored: false - id: 1.6.2 - text: "Create Pod Security Policies for your cluster (Not Scored)" + description: "Create Pod Security Policies for your cluster (Not Scored)" type: "manual" remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster. Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the 
@@ -921,27 +921,27 @@ groups: scored: false - id: 1.6.3 - text: "Create administrative boundaries between resources using namespaces (Not Scored)" + description: "Create administrative boundaries between resources using namespaces (Not Scored)" type: "manual" remediation: "Follow the documentation and create namespaces for objects in your deployment as you need them." scored: false - id: 1.6.4 - text: "Create network segmentation using Network Policies (Not Scored)" + description: "Create network segmentation using Network Policies (Not Scored)" type: "manual" remediation: "Follow the documentation and create NetworkPolicy objects as you need them." scored: false - id: 1.6.5 - text: "Avoid using Kubernetes Secrets (Not Scored)" + description: "Avoid using Kubernetes Secrets (Not Scored)" type: "manual" remediation: "Use other mechanisms such as vaults to manage your cluster secrets." scored: false - id: 1.6.6 - text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" + description: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" type: "manual" remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you would need to enable alpha features in the apiserver by passing \"--feature- @@ -952,7 +952,7 @@ groups: scored: false - id: 1.6.7 - text: "Apply Security Context to Your Pods and Containers (Not Scored)" + description: "Apply Security Context to Your Pods and Containers (Not Scored)" type: "manual" remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker 
@@ -960,7 +960,7 @@ groups: scored: false - id: 1.6.8 - text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" + description: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" type: "manual" remediation: "Follow the Kubernetes documentation and setup image provenance." scored: false diff --git a/cfg/1.6/node.yaml b/cfg/1.6/node.yaml index 9344724..b1371c7 100644 --- a/cfg/1.6/node.yaml +++ b/cfg/1.6/node.yaml @@ -2,14 +2,14 @@ controls: version: 1.6 id: 2 -text: "Worker Node Security Configuration" +description: "Worker Node Security Configuration" type: "node" groups: - id: 2.1 - text: "Kubelet" + description: "Kubelet" checks: - id: 2.1.1 - text: "Ensure that the --allow-privileged argument is set to false (Scored)" + description: "Ensure that the --allow-privileged argument is set to false (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -23,7 +23,7 @@ groups: scored: true - id: 2.1.2 - text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + description: "Ensure that the --anonymous-auth argument is set to false (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -37,7 +37,7 @@ groups: scored: true - id: 2.1.3 - text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -51,7 +51,7 @@ groups: scored: true - id: 2.1.4 - text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" + description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: 
@@ -63,7 +63,7 @@ groups: scored: true - id: 2.1.5 - text: "Ensure that the --read-only-port argument is set to 0 (Scored)" + description: "Ensure that the --read-only-port argument is set to 0 (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -77,7 +77,7 @@ groups: scored: true - id: 2.1.6 - text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" + description: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -91,7 +91,7 @@ groups: scored: true - id: 2.1.7 - text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" + description: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -105,7 +105,7 @@ groups: scored: true - id: 2.1.8 - text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" + description: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: bin_op: or @@ -122,7 +122,7 @@ groups: scored: true - id: 2.1.9 - text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" + description: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -136,7 +136,7 @@ groups: scored: true - id: 2.1.10 - text: "Ensure that the --hostname-override argument is not set (Scored)" + description: "Ensure that the --hostname-override argument is not set (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: 
@@ -147,7 +147,7 @@ groups: scored: true - id: 2.1.11 - text: "Ensure that the --event-qps argument is set to 0 (Scored)" + description: "Ensure that the --event-qps argument is set to 0 (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -161,7 +161,7 @@ groups: scored: true - id: 2.1.12 - text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -176,7 +176,7 @@ groups: scored: true - id: 2.1.13 - text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" + description: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -190,10 +190,10 @@ groups: scored: true - id: 2.2 - text: "Configuration Files" + description: "Configuration Files" checks: - id: 2.2.1 - text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" tests: bin_op: or @@ -218,7 +218,7 @@ groups: scored: true - id: 2.2.2 - text: "Ensure that the config file ownership is set to root:root (Scored)" + description: "Ensure that the config file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'" tests: test_items: @@ -232,7 +232,7 @@ groups: scored: true - id: 2.2.3 - text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" tests: bin_op: or 
@@ -257,7 +257,7 @@ groups: scored: true - id: 2.2.4 - text: "Ensure that the kubelet file ownership is set to root:root (Scored)" + description: "Ensure that the kubelet file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" tests: test_items: @@ -268,7 +268,7 @@ groups: scored: true - id: 2.2.5 - text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" tests: bin_op: or @@ -293,7 +293,7 @@ groups: scored: true - id: 2.2.6 - text: "Ensure that the proxy file ownership is set to root:root (Scored)" + description: "Ensure that the proxy file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" tests: test_items: diff --git a/cfg/1.7/federated.yaml b/cfg/1.7/federated.yaml index 0c27dc1..ef1ac8f 100644 --- a/cfg/1.7/federated.yaml +++ b/cfg/1.7/federated.yaml @@ -2,14 +2,14 @@ controls: version: 1.7 id: 3 -text: "Federated Deployments" +description: "Federated Deployments" type: "federated" groups: - id: 3.1 - text: "Federation API Server" + description: "Federation API Server" checks: - id: 3.1.1 - text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + description: "Ensure that the --anonymous-auth argument is set to false (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -23,7 +23,7 @@ groups: scored: true - id: 3.1.2 - text: "Ensure that the --basic-auth-file argument is not set (Scored)" + description: "Ensure that the --basic-auth-file argument is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: 
@@ -35,7 +35,7 @@ groups: scored: true - id: 3.1.3 - text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" + description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -46,7 +46,7 @@ groups: scored: true - id: 3.1.4 - text: "Ensure that the --insecure-bind-address argument is not set (Scored)" + description: "Ensure that the --insecure-bind-address argument is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -57,7 +57,7 @@ groups: scored: true - id: 3.1.5 - text: "Ensure that the --insecure-port argument is set to 0 (Scored)" + description: "Ensure that the --insecure-port argument is set to 0 (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -71,7 +71,7 @@ groups: scored: true - id: 3.1.6 - text: "Ensure that the --secure-port argument is not set to 0 (Scored)" + description: "Ensure that the --secure-port argument is not set to 0 (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: or @@ -88,7 +88,7 @@ groups: scored: true - id: 3.1.7 - text: "Ensure that the --profiling argument is set to false (Scored)" + description: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -102,7 +102,7 @@ groups: score: true - id: 3.1.8 - text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" + description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: 
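Review bot: The leading context line of the 3.1.8 hunk, `score: true`, is the closing key of check 3.1.7 (`--profiling`) and is misspelled: every other check in this file ends with `scored: true`. A YAML loader that silently ignores unknown keys would presumably leave 3.1.7 at the zero value, so a federation API server with profiling enabled would be reported as an unscored finding rather than a scored failure. The commit renames `text` to `description` on the neighbouring line but leaves this key untouched; the fix is `scored: true`. The same check in the other benchmark-version copies of federated.yaml is worth comparing against this one.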
@@ -117,7 +117,7 @@ groups: scored: true - id: 3.1.9 - text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" + description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -131,7 +131,7 @@ groups: scored: true - id: 3.1.10 - text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" + description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -142,7 +142,7 @@ groups: scored: true - id: 3.1.11 - text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -156,7 +156,7 @@ groups: scored: true - id: 3.1.12 - text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -170,7 +170,7 @@ groups: scored: true - id: 3.1.13 - text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -184,7 +184,7 @@ groups: scored: true - id: 3.1.14 - text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: 
@@ -198,7 +198,7 @@ groups: scored: true - id: 3.1.15 - text: "Ensure that the --token-auth-file parameter is not set (Scored)" + description: "Ensure that the --token-auth-file parameter is not set (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -210,7 +210,7 @@ groups: scored: true - id: 3.1.16 - text: "Ensure that the --service-account-lookup argument is set to true (Scored)" + description: "Ensure that the --service-account-lookup argument is set to true (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -224,7 +224,7 @@ groups: scored: true - id: 3.1.17 - text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" + description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: @@ -235,7 +235,7 @@ groups: scored: true - id: 3.1.18 - text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" + description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: and @@ -252,7 +252,7 @@ groups: scored: true - id: 3.1.19 - text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: and @@ -268,10 +268,10 @@ groups: scored: true - id: 3.2 - text: "Federation Controller Manager" + description: "Federation Controller Manager" checks: - id: 3.2.1 - text: "Ensure that the --profiling argument is set to false (Scored)" + description: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep" tests: test_items: 
diff --git a/cfg/1.7/master.yaml b/cfg/1.7/master.yaml index fa35e39..6796e7b 100644 --- a/cfg/1.7/master.yaml +++ b/cfg/1.7/master.yaml @@ -2,14 +2,14 @@ controls: version: 1.7 id: 1 -text: "Master Node Security Configuration" +description: "Master Node Security Configuration" type: "master" groups: - id: 1.1 - text: "API Server" + description: "API Server" checks: - id: 1.1.1 - text: "Ensure that the --allow-privileged argument is set to false (Scored)" + description: "Ensure that the --allow-privileged argument is set to false (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -23,7 +23,7 @@ groups: scored: true - id: 1.1.2 - text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + description: "Ensure that the --anonymous-auth argument is set to false (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -37,7 +37,7 @@ groups: scored: true - id: 1.1.3 - text: "Ensure that the --basic-auth-file argument is not set (Scored)" + description: "Ensure that the --basic-auth-file argument is not set (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -50,7 +50,7 @@ groups: scored: true - id: 1.1.4 - text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" + description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -61,7 +61,7 @@ groups: scored: true - id: 1.1.5 - text: "Ensure that the --kubelet-https argument is set to true (Scored)" + description: "Ensure that the --kubelet-https argument is set to true (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: or 
@@ -78,7 +78,7 @@ groups: scored: true - id: 1.1.6 - text: "Ensure that the --insecure-bind-address argument is not set (Scored)" + description: "Ensure that the --insecure-bind-address argument is not set (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -89,7 +89,7 @@ groups: scored: true - id: 1.1.7 - text: "Ensure that the --insecure-port argument is set to 0 (Scored)" + description: "Ensure that the --insecure-port argument is set to 0 (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -103,7 +103,7 @@ groups: scored: true - id: 1.1.8 - text: "Ensure that the --secure-port argument is not set to 0 (Scored)" + description: "Ensure that the --secure-port argument is not set to 0 (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: or @@ -121,7 +121,7 @@ groups: scored: true - id: 1.1.9 - text: "Ensure that the --profiling argument is set to false (Scored)" + description: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -135,7 +135,7 @@ groups: scored: true - id: 1.1.10 - text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" + description: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -149,7 +149,7 @@ groups: scored: true - id: 1.1.11 - text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" + description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: 
@@ -163,7 +163,7 @@ groups: scored: true - id: 1.1.12 - text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)" + description: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -177,7 +177,7 @@ groups: scored: true - id: 1.1.13 - text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)" + description: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -191,7 +191,7 @@ groups: scored: true - id: 1.1.14 - text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)" + description: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -205,7 +205,7 @@ groups: scored: true - id: 1.1.15 - text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" + description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -219,7 +219,7 @@ groups: scored: true - id: 1.1.16 - text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" + description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -230,7 +230,7 @@ groups: scored: true - id: 1.1.17 - text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: 
@@ -244,7 +244,7 @@ groups: scored: true - id: 1.1.18 - text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -258,7 +258,7 @@ groups: scored: true - id: 1.1.19 - text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" + description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -272,7 +272,7 @@ groups: scored: true - id: 1.1.20 - text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -286,7 +286,7 @@ groups: scored: true - id: 1.1.21 - text: "Ensure that the --token-auth-file parameter is not set (Scored)" + description: "Ensure that the --token-auth-file parameter is not set (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -298,7 +298,7 @@ groups: scored: true - id: 1.1.22 - text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" + description: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -311,7 +311,7 @@ groups: scored: true - id: 1.1.23 - text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" + description: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: and 
@@ -327,7 +327,7 @@ groups: scored: true - id: 1.1.24 - text: "Ensure that the --service-account-lookup argument is set to true (Scored)" + description: "Ensure that the --service-account-lookup argument is set to true (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -341,7 +341,7 @@ groups: scored: true - id: 1.1.25 - text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)" + description: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -356,7 +356,7 @@ groups: scored: true - id: 1.1.26 - text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" + description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -367,7 +367,7 @@ groups: scored: true - id: 1.1.27 - text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" + description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: and @@ -383,7 +383,7 @@ groups: scored: true - id: 1.1.28 - text: "Ensure that the admission control policy is set to ServiceAccount (Scored)" + description: "Ensure that the admission control policy is set to ServiceAccount (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -398,7 +398,7 @@ groups: scored: true - id: 1.1.29 - text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: and 
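Review bot: The renamed line in the 1.1.27 hunk keeps an unbalanced parenthesis, `... are set as appropriate (Scored"`, while every other scored check in this file ends with `(Scored)`. Since this string is what the tool prints next to the check result, it should be `description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"`. The same truncated suffix appears on check 3.1.18 in the federated file touched by this commit.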
@@ -414,7 +414,7 @@ groups: scored: true - id: 1.1.30 - text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" + description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -426,7 +426,7 @@ groups: scored: true - id: 1.1.31 - text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" + description: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -438,7 +438,7 @@ groups: scored: true - id: 1.1.32 - text: "Ensure that the --authorization-mode argument is set to Node (Scored)" + description: "Ensure that the --authorization-mode argument is set to Node (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -454,7 +454,7 @@ groups: scored: true - id: 1.1.33 - text: "Ensure that the admission control policy is set to NodeRestriction (Scored)" + description: "Ensure that the admission control policy is set to NodeRestriction (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -469,7 +469,7 @@ groups: scored: true - id: 1.1.34 - text: "1.1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)" + description: "1.1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: @@ -481,7 +481,7 @@ groups: scored: true - id: 1.1.35 - text: "Ensure that the encryption provider is set to aescbc (Scored)" + description: "Ensure that the encryption provider is set to aescbc (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" type: "manual" remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, 
@@ -489,10 +489,10 @@ groups: scored: true - id: 1.2 - text: "Scheduler" + description: "Scheduler" checks: - id: 1.2.1 - text: "Ensure that the --profiling argument is set to false (Scored)" + description: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $schedulerbin | grep -v grep" tests: test_items: @@ -506,10 +506,10 @@ groups: scored: true - id: 1.3 - text: "Controller Manager" + description: "Controller Manager" checks: - id: 1.3.1 - text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" + description: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: @@ -520,7 +520,7 @@ groups: scored: true - id: 1.3.2 - text: "Ensure that the --profiling argument is set to false (Scored)" + description: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: @@ -534,7 +534,7 @@ groups: scored: true - id: 1.3.3 - text: "Ensure that the --use-service-account-credentials argument is set" + description: "Ensure that the --use-service-account-credentials argument is set" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: @@ -548,7 +548,7 @@ groups: scored: true - id: 1.3.4 - text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" + description: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: @@ -559,7 +559,7 @@ groups: scored: true - id: 1.3.5 - text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" + description: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: 
@@ -570,7 +570,7 @@ groups: scored: true - id: 1.3.6 - text: "Apply Security Context to Your Pods and Containers (Not Scored)" + description: "Apply Security Context to Your Pods and Containers (Not Scored)" type: "manual" remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include @@ -578,7 +578,7 @@ groups: scored: false - id: 1.3.7 - text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" + description: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: @@ -593,10 +593,10 @@ groups: scored: true - id: 1.4 - text: "Configure Files" + description: "Configure Files" checks: - id: 1.4.1 - text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" tests: @@ -622,7 +622,7 @@ groups: scored: true - id: 1.4.2 - text: "Ensure that the apiserver file ownership is set to root:root (Scored)" + description: "Ensure that the apiserver file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" tests: test_items: @@ -636,7 +636,7 @@ groups: scored: true - id: 1.4.3 - text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'" tests: bin_op: or 
@@ -661,7 +661,7 @@ groups: scored: true - id: 1.4.4 - text: "Ensure that the config file ownership is set to root:root (Scored)" + description: "Ensure that the config file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'" tests: test_items: @@ -675,7 +675,7 @@ groups: scored: true - id: 1.4.5 - text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" tests: bin_op: or @@ -700,7 +700,7 @@ groups: scored: true - id: 1.4.6 - text: "Ensure that the scheduler file ownership is set to root:root (Scored)" + description: "Ensure that the scheduler file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" tests: test_items: @@ -714,7 +714,7 @@ groups: scored: true - id: 1.4.7 - text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" tests: bin_op: or @@ -739,7 +739,7 @@ groups: scored: true - id: 1.4.8 - text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)" + description: "Ensure that the etcd.conf file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" tests: test_items: 
@@ -753,7 +753,7 @@ groups: scored: true - id: 1.4.9 - text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" + description: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'" tests: bin_op: or @@ -778,7 +778,7 @@ groups: scored: true - id: 1.4.10 - text: "Ensure that the flanneld file ownership is set to root:root (Scored)" + description: "Ensure that the flanneld file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'" tests: test_items: @@ -792,7 +792,7 @@ groups: scored: true - id: 1.4.11 - text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" + description: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a tests: test_items: @@ -809,7 +809,7 @@ groups: scored: true - id: 1.4.12 - text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" + description: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" audit: ps -ef | grep $etcdbin | grep -v grep | ed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G tests: test_items: @@ -823,10 +823,10 @@ groups: scored: true - id: 1.5 - text: "etcd" + description: "etcd" checks: - id: 1.5.1 - text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" + description: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: 
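Review bot: The audit pipeline on the context line of the 1.4.12 hunk invokes `ed` where `sed` is clearly intended (`... | grep -v grep | ed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G`); `ed` will presumably treat the expression as a filename and produce nothing, so the path is never extracted and the etcd data directory ownership check cannot yield a meaningful result. The 1.4.11 hunk immediately above uses `sed` with the identical expression and is the model to follow: `audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G`. The commit only renames the `text` key on the preceding line and does not address this. Note also that both 1.4.11 and 1.4.12 only work when `--data-dir` is passed on the etcd command line; an etcd configured through a config file or environment variable leaves `xargs stat` with an empty argument.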
@@ -838,7 +838,7 @@ groups: scored: true - id: 1.5.2 - text: "Ensure that the --client-cert-auth argument is set to true (Scored)" + description: "Ensure that the --client-cert-auth argument is set to true (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: @@ -854,7 +854,7 @@ groups: scored: true - id: 1.5.3 - text: "Ensure that the --auto-tls argument is not set to true (Scored)" + description: "Ensure that the --auto-tls argument is not set to true (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: bin_op: or @@ -872,7 +872,7 @@ groups: scored: true - id: 1.5.4 - text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" + description: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: @@ -887,7 +887,7 @@ groups: scored: true - id: 1.5.5 - text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" + description: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: @@ -905,7 +905,7 @@ groups: scored: true - id: 1.5.6 - text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" + description: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: bin_op: or @@ -926,7 +926,7 @@ groups: scored: true - id: 1.5.7 - text: "Ensure that the --wal-dir argument is set as appropriate (Scored)" + description: "Ensure that the --wal-dir argument is set as appropriate (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: 
@@ -939,7 +939,7 @@ groups: scored: true - id: 1.5.8 - text: "Ensure that the --max-wals argument is set to 0 (Scored)" + description: "Ensure that the --max-wals argument is set to 0 (Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: @@ -955,7 +955,7 @@ groups: scored: true - id: 1.5.9 - text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" + description: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: @@ -966,16 +966,16 @@ groups: scored: false - id: 1.6 - text: "General Security Primitives" + description: "General Security Primitives" checks: - id: 1.6.1 - text: "Ensure that the cluster-admin role is only used where required (Not Scored)" + description: "Ensure that the cluster-admin role is only used where required (Not Scored)" type: "manual" remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]" scored: false - id: 1.6.2 - text: "Create Pod Security Policies for your cluster (Not Scored)" + description: "Create Pod Security Policies for your cluster (Not Scored)" type: "manual" remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster. Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the 
@@ -983,20 +983,20 @@ groups: scored: false - id: 1.6.3 - text: "Create administrative boundaries between resources using namespaces (Not Scored)" + description: "Create administrative boundaries between resources using namespaces (Not Scored)" type: "manual" remediation: "Follow the documentation and create namespaces for objects in your deployment as you need them." scored: false - id: 1.6.4 - text: "Create network segmentation using Network Policies (Not Scored)" + description: "Create network segmentation using Network Policies (Not Scored)" type: "manual" remediation: "Follow the documentation and create NetworkPolicy objects as you need them." scored: false - id: 1.6.5 - text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" + description: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" type: "manual" remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you would need to enable alpha features in the apiserver by passing \"--feature- @@ -1007,7 +1007,7 @@ groups: scored: false - id: 1.6.6 - text: "Apply Security Context to Your Pods and Containers (Not Scored)" + description: "Apply Security Context to Your Pods and Containers (Not Scored)" type: "manual" remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker 
@@ -1015,13 +1015,13 @@ groups: scored: false - id: 1.6.7 - text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" + description: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" type: "manual" remediation: "Follow the Kubernetes documentation and setup image provenance." scored: false - id: 1.6.8 - text: "Configure Network policies as appropriate (Not Scored)" + description: "Configure Network policies as appropriate (Not Scored)" type: "manual" remediation: "Follow the Kubernetes documentation and setup network policies as appropriate." scored: false diff --git a/cfg/1.7/node.yaml b/cfg/1.7/node.yaml index de0f8b5..a774c62 100644 --- a/cfg/1.7/node.yaml +++ b/cfg/1.7/node.yaml @@ -2,14 +2,14 @@ controls: version: 1.7 id: 2 -text: "Worker Node Security Configuration" +description: "Worker Node Security Configuration" type: "node" groups: - id: 2.1 - text: "Kubelet" + description: "Kubelet" checks: - id: 2.1.1 - text: "Ensure that the --allow-privileged argument is set to false (Scored)" + description: "Ensure that the --allow-privileged argument is set to false (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -23,7 +23,7 @@ groups: scored: true - id: 2.1.2 - text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + description: "Ensure that the --anonymous-auth argument is set to false (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: @@ -37,7 +37,7 @@ groups: scored: true - id: 2.1.3 - text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: 
@@ -51,7 +51,7 @@ groups:
 scored: true
 - id: 2.1.4
- text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
+ description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -63,7 +63,7 @@ groups:
 scored: true
 - id: 2.1.5
- text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
+ description: "Ensure that the --read-only-port argument is set to 0 (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -77,7 +77,7 @@ groups:
 scored: true
 - id: 2.1.6
- text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
+ description: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 bin_op: or
@@ -92,7 +92,7 @@ groups:
 scored: true
 - id: 2.1.7
- text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
+ description: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -106,7 +106,7 @@ groups:
 scored: true
 - id: 2.1.8
- text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
+ description: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 bin_op: or
@@ -123,7 +123,7 @@ groups:
 scored: true
 - id: 2.1.9
- text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
+ description: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -137,7 +137,7 @@ groups:
 scored: true
 - id: 2.1.10
- text: "Ensure that the --hostname-override argument is not set (Scored)"
+ description: "Ensure that the --hostname-override argument is not set (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -148,7 +148,7 @@ groups:
 scored: true
 - id: 2.1.11
- text: "Ensure that the --event-qps argument is set to 0 (Scored)"
+ description: "Ensure that the --event-qps argument is set to 0 (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -162,7 +162,7 @@ groups:
 scored: true
 - id: 2.1.12
- text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
+ description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -177,7 +177,7 @@ groups:
 scored: true
 - id: 2.1.13
- text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
+ description: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -191,7 +191,7 @@ groups:
 scored: true
 - id: 2.1.14
- text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
+ description: "Ensure that the RotateKubeletClientCertificate argument is set to true"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -205,7 +205,7 @@ groups:
 scored: true
 - id: 2.1.15
- text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
+ description: "Ensure that the RotateKubeletServerCertificate argument is set to true"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
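Review bot: The descriptions for 2.1.14 and 2.1.15 in cfg/1.7/node.yaml (`@@ -191,7` and `@@ -205,7`) omit the "(Scored)" / "(Not Scored)" suffix that every other check in these files carries, and the same is true of 2.2.8 in the `@@ -359,7` hunk. Since the commit rewrites exactly these lines, it is the cheapest moment to make them uniform; the `scored: true` that follows each suggests `description: "Ensure that the RotateKubeletClientCertificate argument is set to true (Scored)"` and the analogous text for the other two. Any report that groups checks by the suffix in the description will otherwise miss these three.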
@@ -219,10 +219,10 @@ groups:
 scored: true
 - id: 2.2
- text: "Configuration Files"
+ description: "Configuration Files"
 checks:
 - id: 2.2.1
- text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
+ description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
 tests:
 bin_op: or
@@ -247,7 +247,7 @@ groups:
 scored: true
 - id: 2.2.2
- text: "Ensure that the config file ownership is set to root:root (Scored)"
+ description: "Ensure that the config file ownership is set to root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
 tests:
 test_items:
@@ -261,7 +261,7 @@ groups:
 scored: true
 - id: 2.2.3
- text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
+ description: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
 tests:
 bin_op: or
@@ -286,7 +286,7 @@ groups:
 scored: true
 - id: 2.2.4
- text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
+ description: "Ensure that the kubelet file ownership is set to root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
 tests:
 test_items:
@@ -297,7 +297,7 @@ groups:
 scored: true
 - id: 2.2.5
- text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
+ description: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
 tests:
 bin_op: or
@@ -322,7 +322,7 @@ groups:
 scored: true
 - id: 2.2.6
- text: "Ensure that the proxy file ownership is set to root:root (Scored)"
+ description: "Ensure that the proxy file ownership is set to root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
 tests:
 test_items:
@@ -333,7 +333,7 @@ groups:
 scored: true
 - id: 2.2.7
- text: "Ensure that the certificate authorities file permissions are set to
+ description: "Ensure that the certificate authorities file permissions are set to
 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
 tests:
@@ -359,7 +359,7 @@ groups:
 scored: true
 - id: 2.2.8
- text: "Ensure that the client certificate authorities file ownership is set to root:root"
+ description: "Ensure that the client certificate authorities file ownership is set to root:root"
 audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
 tests:
 test_items:
diff --git a/cfg/1.8/federated.yaml b/cfg/1.8/federated.yaml
index 9b62eed..8afbc61 100644
--- a/cfg/1.8/federated.yaml
+++ b/cfg/1.8/federated.yaml
@@ -2,14 +2,14 @@ controls:
 version: 1.8
 id: 3
-text: "Federated Deployments"
+description: "Federated Deployments"
 type: "federated"
 groups:
 - id: 3.1
- text: "Federation API Server"
+ description: "Federation API Server"
 checks:
 - id: 3.1.1
- text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+ description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -24,7 +24,7 @@ groups:
 scored: true
 - id: 3.1.2
- text: "Ensure that the --basic-auth-file argument is not set (Scored)"
+ description: "Ensure that the --basic-auth-file argument is not set (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
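Review bot: The audit commands for 2.2.7 and 2.2.8 in cfg/1.7/node.yaml (`@@ -333,7` and `@@ -359,7`) reference `$ca-file`, which is not a valid shell variable name: unless the runner substitutes that token before `/bin/sh -c` executes, the shell expands `$ca` (empty) followed by the literal `-file`, `test -e -file` is false, stat never runs, and the check is evaluated against empty output instead of the real CA file. Every other audit in these hunks uses a hyphen-free name such as `$kubeletconf` or `$proxyconf`, so this looks like an oversight the key rename carried forward rather than a deliberate choice. If the runner does substitute it, a comment on the audit line saying so would stop the next reader from raising the same question; otherwise rename the variable to match the others. The body of check 2.2.7 continues past the hunk.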
@@ -37,7 +37,7 @@ groups:
 scored: true
 - id: 3.1.3
- text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
+ description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -49,7 +49,7 @@ groups:
 scored: true
 - id: 3.1.4
- text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
+ description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -61,7 +61,7 @@ groups:
 scored: true
 - id: 3.1.5
- text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
+ description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -76,7 +76,7 @@ groups:
 scored: true
 - id: 3.1.6
- text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
+ description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 bin_op: or
@@ -94,7 +94,7 @@ groups:
 scored: true
 - id: 3.1.7
- text: "Ensure that the --profiling argument is set to false (Scored)"
+ description: "Ensure that the --profiling argument is set to false (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -109,7 +109,7 @@ groups:
 score: true
 - id: 3.1.8
- text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
+ description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
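Review bot: The context line `score: true` that opens the `@@ -109,7` hunk in cfg/1.8/federated.yaml is a misspelling of `scored`; it appears to be the scored field of check 3.1.7 (--profiling), and a loader that only maps the `scored` key would leave that check at its zero value, i.e. silently unscored, while a strict loader would reject the file. The commit rewrites the key two lines below it but leaves the typo in place. Change it to `scored: true`, and since these benchmark files are copied between versions it is worth grepping the other cfg files for the same misspelling.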
@@ -125,7 +125,7 @@ groups:
 scored: true
 - id: 3.1.9
- text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
+ description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -141,7 +141,7 @@ groups:
 scored: true
 - id: 3.1.10
- text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
+ description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -152,7 +152,7 @@ groups:
 scored: true
 - id: 3.1.11
- text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
+ description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -167,7 +167,7 @@ groups:
 scored: true
 - id: 3.1.12
- text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
+ description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -182,7 +182,7 @@ groups:
 scored: true
 - id: 3.1.13
- text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
+ description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -197,7 +197,7 @@ groups:
 scored: true
 - id: 3.1.14
- text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+ description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -213,7 +213,7 @@ groups:
 scored: true
 - id: 3.1.15
- text: "Ensure that the --token-auth-file parameter is not set (Scored)"
+ description: "Ensure that the --token-auth-file parameter is not set (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -226,7 +226,7 @@ groups:
 scored: true
 - id: 3.1.16
- text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
+ description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -241,7 +241,7 @@ groups:
 scored: true
 - id: 3.1.17
- text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
+ description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
 test_items:
@@ -253,7 +253,7 @@ groups:
 scored: true
 - id: 3.1.18
- text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
+ description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
 appropriate (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
@@ -272,7 +272,7 @@ groups:
 scored: true
 - id: 3.1.19
- text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as
+ description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as
 appropriate (Scored)"
 audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
 tests:
@@ -291,10 +291,10 @@ groups:
 scored: true
 - id: 3.2
- text: "Federation Controller Manager"
+ description: "Federation Controller Manager"
 checks:
 - id: 3.2.1
- text: "Ensure that the --profiling argument is set to false (Scored)"
+ description: "Ensure that the --profiling argument is set to false (Scored)"
 audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
 tests:
 test_items:
diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml
index f52ed96..a64bb11 100644
--- a/cfg/1.8/master.yaml
+++ b/cfg/1.8/master.yaml
@@ -2,14 +2,14 @@ controls:
 version: 1.8
 id: 1
-text: "Master Node Security Configuration"
+description: "Master Node Security Configuration"
 type: "master"
 groups:
 - id: 1.1
- text: "API Server"
+ description: "API Server"
 checks:
 - id: 1.1.1
- text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+ description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -26,7 +26,7 @@ groups:
 scored: true
 - id: 1.1.2
- text: "Ensure that the --basic-auth-file argument is not set (Scored)"
+ description: "Ensure that the --basic-auth-file argument is not set (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -40,7 +40,7 @@ groups:
 scored: true
 - id: 1.1.3
- text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
+ description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -53,7 +53,7 @@ groups:
 scored: true
 - id: 1.1.4
- text: "Ensure that the --kubelet-https argument is set to true (Scored)"
+ description: "Ensure that the --kubelet-https argument is set to true (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
@@ -71,7 +71,7 @@ groups:
 scored: true
 - id: 1.1.5
- text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
+ description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -84,7 +84,7 @@ groups:
 scored: true
 - id: 1.1.6
- text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
+ description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -100,7 +100,7 @@ groups:
 scored: true
 - id: 1.1.7
- text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
+ description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 bin_op: or
@@ -119,7 +119,7 @@ groups:
 scored: true
 - id: 1.1.8
- text: "Ensure that the --profiling argument is set to false (Scored)"
+ description: "Ensure that the --profiling argument is set to false (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -135,7 +135,7 @@ groups:
 scored: true
 - id: 1.1.9
- text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
+ description: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -151,7 +151,7 @@ groups:
 scored: true
 - id: 1.1.10
- text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
+ description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -167,7 +167,7 @@ groups:
 scored: true
 - id: 1.1.11
- text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
+ description: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -184,7 +184,7 @@ groups:
 scored: true
 - id: 1.1.12
- text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
+ description: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -201,7 +201,7 @@ groups:
 scored: true
 - id: 1.1.13
- text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
+ description: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -218,7 +218,7 @@ groups:
 scored: true
 - id: 1.1.14
- text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
+ description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -235,7 +235,7 @@ groups:
 scored: true
 - id: 1.1.15
- text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
+ description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -249,7 +249,7 @@ groups:
 scored: true
 - id: 1.1.16
- text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
+ description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -266,7 +266,7 @@ groups:
 scored: true
 - id: 1.1.17
- text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
+ description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -283,7 +283,7 @@ groups:
 scored: true
 - id: 1.1.18
- text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
+ description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -300,7 +300,7 @@ groups:
 scored: true
 - id: 1.1.19
- text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+ description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -317,7 +317,7 @@ groups:
 scored: true
 - id: 1.1.20
- text: "Ensure that the --token-auth-file parameter is not set (Scored)"
+ description: "Ensure that the --token-auth-file parameter is not set (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -331,7 +331,7 @@ groups:
 scored: true
 - id: 1.1.21
- text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
+ description: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -347,7 +347,7 @@ groups:
 scored: true
 - id: 1.1.22
- text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are
+ description: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are
 set as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
@@ -367,7 +367,7 @@ groups:
 scored: true
 - id: 1.1.23
- text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
+ description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -383,7 +383,7 @@ groups:
 scored: true
 - id: 1.1.24
- text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
+ description: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -403,7 +403,7 @@ groups:
 scored: true
 - id: 1.1.25
- text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
+ description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -417,7 +417,7 @@ groups:
 scored: true
 - id: 1.1.26
- text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
+ description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
 appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
@@ -437,7 +437,7 @@ groups:
 scored: true
 - id: 1.1.27
- text: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
+ description: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -455,7 +455,7 @@ groups:
 scored: true
 - id: 1.1.28
- text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
+ description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
 as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
@@ -475,7 +475,7 @@ groups:
 scored: true
 - id: 1.1.29
- text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
+ description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -489,7 +489,7 @@ groups:
 scored: true
 - id: 1.1.30
- text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
+ description: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -504,7 +504,7 @@ groups:
 scored: true
 - id: 1.1.31
- text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
+ description: "Ensure that the --authorization-mode argument is set to Node (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -521,7 +521,7 @@ groups:
 scored: true
 - id: 1.1.32
- text: "Ensure that the admission control policy is set to NodeRestriction (Scored)"
+ description: "Ensure that the admission control policy is set to NodeRestriction (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -539,7 +539,7 @@ groups:
 scored: true
 - id: 1.1.33
- text: "Ensure that the --experimental-encryption-provider-config argument is
+ description: "Ensure that the --experimental-encryption-provider-config argument is
 set as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
@@ -555,7 +555,7 @@ groups:
 scored: true
 - id: 1.1.34
- text: "Ensure that the encryption provider is set to aescbc (Scored)"
+ description: "Ensure that the encryption provider is set to aescbc (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 type: "manual"
 remediation: |
@@ -575,7 +575,7 @@ groups:
 scored: true
 - id: 1.1.35
- text: "Ensure that the admission control policy is set to EventRateLimit (Scored)"
+ description: "Ensure that the admission control policy is set to EventRateLimit (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 tests:
 test_items:
@@ -593,7 +593,7 @@ groups:
 scored: true
 - id: 1.1.36
- text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
+ description: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 type: "manual"
 remediation: |
@@ -604,7 +604,7 @@ groups:
 scored: true
 - id: 1.1.37
- text: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
+ description: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
 type: "manual"
 remediation: |
@@ -614,10 +614,10 @@ groups:
 scored: true
 - id: 1.2
- text: "Scheduler"
+ description: "Scheduler"
 checks:
 - id: 1.2.1
- text: "Ensure that the --profiling argument is set to false (Scored)"
+ description: "Ensure that the --profiling argument is set to false (Scored)"
 audit: "ps -ef | grep $schedulerbin | grep -v grep"
 tests:
 test_items:
@@ -634,10 +634,10 @@ groups:
 scored: true
 - id: 1.3
- text: "Controller Manager"
+ description: "Controller Manager"
 checks:
 - id: 1.3.1
- text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
+ description: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
@@ -650,7 +650,7 @@ groups:
 scored: true
 - id: 1.3.2
- text: "Ensure that the --profiling argument is set to false (Scored)"
+ description: "Ensure that the --profiling argument is set to false (Scored)"
 audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
@@ -666,7 +666,7 @@ groups:
 scored: true
 - id: 1.3.3
- text: "Ensure that the --use-service-account-credentials argument is set (Scored)"
+ description: "Ensure that the --use-service-account-credentials argument is set (Scored)"
 audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
@@ -682,7 +682,7 @@ groups:
 scored: true
 - id: 1.3.4
- text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
+ description: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
@@ -696,7 +696,7 @@ groups:
 scored: true
 - id: 1.3.5
- text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
+ description: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
@@ -710,7 +710,7 @@ groups:
 scored: true
 - id: 1.3.6
- text: "Apply Security Context to Your Pods and Containers (Not Scored)"
+ description: "Apply Security Context to Your Pods and Containers (Not Scored)"
 type: "manual"
 remediation: |
 Follow the Kubernetes documentation and apply security contexts to your pods. For a
@@ -719,7 +719,7 @@ groups:
 scored: false
 - id: 1.3.7
- text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
+ description: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
 audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
 tests:
 test_items:
@@ -736,10 +736,10 @@ groups:
 scored: true
 - id: 1.4
- text: "Configuration Files"
+ description: "Configuration Files"
 checks:
 - id: 1.4.1
- text: "Ensure that the API server pod specification file permissions are
+ description: "Ensure that the API server pod specification file permissions are
 set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
 tests:
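Review bot: The description for 1.3.7 in cfg/1.8/master.yaml (`@@ -719,7` hunk) keeps a leading space inside the quoted string, `" Ensure that the RotateKubeletServerCertificate ..."`, which the rename copies verbatim and which will show up as stray indentation wherever the description is printed or compared. Since the line is rewritten anyway, drop the space: `description: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"`. The check body continues past the hunk.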
@@ -767,7 +767,7 @@ groups:
 scored: true
 - id: 1.4.2
- text: "Ensure that the API server pod specification file ownership is set to
+ description: "Ensure that the API server pod specification file ownership is set to
 root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
 tests:
@@ -784,7 +784,7 @@ groups:
 scored: true
 - id: 1.4.3
- text: "Ensure that the controller manager pod specification file
+ description: "Ensure that the controller manager pod specification file
 permissions are set to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
 tests:
@@ -812,7 +812,7 @@ groups:
 scored: true
 - id: 1.4.4
- text: "Ensure that the controller manager pod specification file
+ description: "Ensure that the controller manager pod specification file
 ownership is set to root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
 tests:
@@ -829,7 +829,7 @@ groups:
 scored: true
 - id: 1.4.5
- text: "Ensure that the scheduler pod specification file permissions are set
+ description: "Ensure that the scheduler pod specification file permissions are set
 to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
 tests:
@@ -857,7 +857,7 @@ groups:
 scored: true
 - id: 1.4.6
- text: "Ensure that the scheduler pod specification file ownership is set to
+ description: "Ensure that the scheduler pod specification file ownership is set to
 root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
 tests:
@@ -874,7 +874,7 @@ groups:
 scored: true
 - id: 1.4.7
- text: "Ensure that the etcd pod specification file permissions are set to
+ description: "Ensure that the etcd pod specification file permissions are set to
 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
 tests:
@@ -902,7 +902,7 @@ groups:
 scored: true
 - id: 1.4.8
- text: "Ensure that the etcd pod specification file ownership is set to
+ description: "Ensure that the etcd pod specification file ownership is set to
 root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
 tests:
@@ -919,7 +919,7 @@ groups:
 scored: true
 - id: 1.4.9
- text: "Ensure that the Container Network Interface file permissions are
+ description: "Ensure that the Container Network Interface file permissions are
 set to 644 or more restrictive (Not Scored)"
 audit: "stat -c %a "
 type: manual
@@ -930,7 +930,7 @@ groups:
 scored: true
 - id: 1.4.10
- text: "Ensure that the Container Network Interface file ownership is set
+ description: "Ensure that the Container Network Interface file ownership is set
 to root:root (Not Scored)"
 audit: "stat -c %U:%G "
 type: manual
@@ -941,7 +941,7 @@ groups:
 scored: true
 - id: 1.4.11
- text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
+ description: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
 audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
 tests:
 test_items:
@@ -959,7 +959,7 @@ groups:
 scored: true
 - id: 1.4.12
- text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
+ description: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
 audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
 tests:
 test_items:
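Review bot: Checks 1.4.9 and 1.4.10 in cfg/1.8/master.yaml (`@@ -919,7` and `@@ -930,7`) are labelled "(Not Scored)" and `type: manual`, yet the `scored: true` context line that opens each of the two following hunks appears to belong to them, so a manual check with no usable audit would be counted against the score. Their audit strings, `"stat -c %a "` and `"stat -c %U:%G "`, end in a trailing space with no path, so if the runner executes them at all they stat nothing. Both `type: manual` lines are also unquoted while every other `type:` in the file is written `"manual"`. Set `scored: false` on both and write `type: "manual"` for consistency; the empty audit should either name the file to stat or be removed if manual checks skip it. Both check bodies continue outside the hunks.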
@@ -974,7 +974,7 @@ groups:
 scored: true
 - id: 1.4.13
- text: "Ensure that the admin.conf file permissions are set to 644 or
+ description: "Ensure that the admin.conf file permissions are set to 644 or
 more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
 tests:
@@ -1002,7 +1002,7 @@ groups:
 scored: true
 - id: 1.4.14
- text: "Ensure that the admin.conf file ownership is set to root:root (Scored)"
+ description: "Ensure that the admin.conf file ownership is set to root:root (Scored)"
 audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'"
 tests:
 test_items:
@@ -1018,7 +1018,7 @@ groups:
 scored: true
 - id: 1.4.15
- text: "Ensure that the scheduler.conf file permissions are set to 644 or
+ description: "Ensure that the scheduler.conf file permissions are set to 644 or
 more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
 tests:
@@ -1046,7 +1046,7 @@ groups:
 scored: true
 - id: 1.4.16
- text: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)"
+ description: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
 tests:
 test_items:
@@ -1062,7 +1062,7 @@ groups:
 scored: true
 - id: 1.4.17
- text: "Ensure that the controller-manager.conf file permissions are set
+ description: "Ensure that the controller-manager.conf file permissions are set
 to 644 or more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
 tests:
@@ -1090,7 +1090,7 @@ groups:
 scored: true
 - id: 1.4.18
- text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
+ description: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
 tests:
 test_items:
@@ -1106,10 +1106,10 @@ groups:
 scored: true
 - id: 1.5
- text: "etcd"
+ description: "etcd"
 checks:
 - id: 1.5.1
- text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
+ description: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
 audit: "ps -ef | grep $etcdbin | grep -v grep"
 tests:
 test_items:
@@ -1126,7 +1126,7 @@ groups:
 scored: true
 - id: 1.5.2
- text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
+ description: "Ensure that the --client-cert-auth argument is set to true (Scored)"
 audit: "ps -ef | grep $etcdbin | grep -v grep"
 tests:
 test_items:
@@ -1142,7 +1142,7 @@ groups:
 scored: true
 - id: 1.5.3
- text: "Ensure that the --auto-tls argument is not set to true (Scored)"
+ description: "Ensure that the --auto-tls argument is not set to true (Scored)"
 audit: "ps -ef | grep $etcdbin | grep -v grep"
 tests:
 bin_op: or
@@ -1160,7 +1160,7 @@ groups:
 scored: true
 - id: 1.5.4
- text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set
+ description: "Ensure that the --peer-cert-file and --peer-key-file arguments are set
 as appropriate (Scored)"
 audit: "ps -ef | grep $etcdbin | grep -v grep"
 tests:
@@ -1178,7 +1178,7 @@ groups:
 scored: true
 - id: 1.5.5
- text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
+ description: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
 audit: "ps -ef | grep $etcdbin | grep -v grep"
 tests:
 test_items:
@@ -1194,7 +1194,7 @@ groups:
 scored: true
 - id: 1.5.6
- text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
+ description: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
 audit: "ps -ef | grep $etcdbin | grep -v grep"
 tests:
 bin_op: or
@@ -1213,7 +1213,7 @@ groups:
 scored: true
 - id: 1.5.7
- text: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
+ description: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $etcdbin | grep -v grep"
 tests:
 test_items:
@@ -1226,7 +1226,7 @@ groups:
 scored: true
 - id: 1.5.8
- text: "Ensure that the --max-wals argument is set to 0 (Scored)"
+ description: "Ensure that the --max-wals argument is set to 0 (Scored)"
 audit: "ps -ef | grep $etcdbin | grep -v grep"
 tests:
 test_items:
@@ -1242,7 +1242,7 @@ groups:
 scored: true
 - id: 1.5.9
- text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
+ description: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
 audit: "ps -ef | grep $etcdbin | grep -v grep"
 tests:
 test_items:
@@ -1257,10 +1257,10 @@ groups:
 scored: false
 - id: 1.6
- text: "General Security Primitives"
+ description: "General Security Primitives"
 checks:
 - id: 1.6.1
- text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
+ description: "Ensure that the cluster-admin role is only used where required (Not Scored)"
 type: "manual"
 remediation: |
 Remove any unneeded clusterrolebindings :
@@ -1268,7 +1268,7 @@ groups:
 scored: false
 - id: 1.6.2
- text: "Create Pod Security Policies for your cluster (Not Scored)"
+ description: "Create Pod Security Policies for your cluster (Not Scored)"
 type: "manual"
 remediation: |
 Follow the documentation and create and enforce Pod Security Policies for your cluster.
@@ -1277,7 +1277,7 @@ groups:
 scored: false
 - id: 1.6.3
- text: "Create administrative boundaries between resources using namespaces (Not Scored)"
+ description: "Create administrative boundaries between resources using namespaces (Not Scored)"
 type: "manual"
 remediation: |
 Follow the documentation and create namespaces for objects in your deployment as you
@@ -1285,14 +1285,14 @@ groups:
 scored: false
 - id: 1.6.4
- text: "Create network segmentation using Network Policies (Not Scored)"
+ description: "Create network segmentation using Network Policies (Not Scored)"
 type: "manual"
 remediation: |
 Follow the documentation and create NetworkPolicy objects as you need them.
 scored: false
 - id: 1.6.5
- text: "Ensure that the seccomp profile is set to docker/default in your pod
+ description: "Ensure that the seccomp profile is set to docker/default in your pod
 definitions (Not Scored)"
 type: "manual"
 remediation: |
@@ -1319,7 +1319,7 @@ groups:
 scored: false
 - id: 1.6.6
- text: "Apply Security Context to Your Pods and Containers (Not Scored)"
+ description: "Apply Security Context to Your Pods and Containers (Not Scored)"
 type: "manual"
 remediation: |
 Follow the Kubernetes documentation and apply security contexts to your pods. For a
@@ -1328,14 +1328,14 @@ groups:
 scored: false
 - id: 1.6.7
- text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
+ description: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
 type: "manual"
 remediation: |
 Follow the Kubernetes documentation and setup image provenance.
 scored: false
 - id: 1.6.8
- text: "Configure Network policies as appropriate (Not Scored)"
+ description: "Configure Network policies as appropriate (Not Scored)"
 type: "manual"
 remediation: |
 Follow the Kubernetes documentation and setup network policies as appropriate.
@@ -1350,7 +1350,7 @@ groups:
 scored: false
 - id: 1.6.9
- text: "Place compensating controls in the form of PSP and RBAC for
+ description: "Place compensating controls in the form of PSP and RBAC for
 privileged containers usage (Not Scored)"
 type: "manual"
 remediation: |
diff --git a/cfg/1.8/node.yaml b/cfg/1.8/node.yaml
index d279c2e..51a84e1 100644
--- a/cfg/1.8/node.yaml
+++ b/cfg/1.8/node.yaml
@@ -2,14 +2,14 @@ controls:
 version: 1.8
 id: 2
-text: "Worker Node Security Configuration"
+description: "Worker Node Security Configuration"
 type: "node"
 groups:
 - id: 2.1
- text: "Kubelet"
+ description: "Kubelet"
 checks:
 - id: 2.1.1
- text: "Ensure that the --allow-privileged argument is set to false (Scored)"
+ description: "Ensure that the --allow-privileged argument is set to false (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -28,7 +28,7 @@ groups:
 scored: true
 - id: 2.1.2
- text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+ description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -47,7 +47,7 @@ groups:
 scored: true
 - id: 2.1.3
- text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+ description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -66,7 +66,7 @@ groups:
 scored: true
 - id: 2.1.4
- text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
+ description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -82,7 +82,7 @@ groups:
 scored: true
 - id: 2.1.5
- text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
+ description: "Ensure that the --read-only-port argument is set to 0 (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -101,7 +101,7 @@ groups:
 scored: true
 - id: 2.1.6
- text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
+ description: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -120,7 +120,7 @@ groups:
 scored: true
 - id: 2.1.7
- text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
+ description: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -139,7 +139,7 @@ groups:
 scored: true
 - id: 2.1.8
- text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
+ description: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 bin_op: or
@@ -159,7 +159,7 @@ groups:
 scored: true
 - id: 2.1.9
- text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
+ description: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -178,7 +178,7 @@ groups:
 scored: true
 - id: 2.1.10
- text: "Ensure that the --hostname-override argument is not set (Scored)"
+ description: "Ensure that the --hostname-override argument is not set (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -194,7 +194,7 @@ groups:
 scored: true
 - id: 2.1.11
- text: "Ensure that the --event-qps argument is set to 0 (Scored)"
+ description: "Ensure that the --event-qps argument is set to 0 (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -213,7 +213,7 @@ groups:
 scored: true
 - id: 2.1.12
- text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
+ description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -235,7 +235,7 @@ groups:
 scored: true
 - id: 2.1.13
- text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
+ description: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -254,7 +254,7 @@ groups:
 scored: true
 - id: 2.1.14
- text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
+ description: "Ensure that the RotateKubeletClientCertificate argument is set to true"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -274,7 +274,7 @@ groups:
 scored: true
 - id: 2.1.15
- text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
+ description: "Ensure that the RotateKubeletServerCertificate argument is set to true"
 audit: "ps -ef | grep $kubeletbin | grep -v grep"
 tests:
 test_items:
@@ -293,10 +293,10 @@ groups:
 scored: true
 - id: 2.2
- text: "Configuration Files"
+ description: "Configuration Files"
 checks:
 - id: 2.2.1
- text: "Ensure that the kubelet.conf file permissions are set to 644 or
+ description: "Ensure that the kubelet.conf file permissions are set to 644 or
 more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
 tests:
@@ -324,7 +324,7 @@ groups:
 scored: true
 - id: 2.2.2
- text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
+ description: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
 tests:
 test_items:
@@ -340,7 +340,7 @@ groups:
 scored: true
 - id: 2.2.3
- text: "Ensure that the kubelet service file permissions are set to 644 or
+ description: "Ensure that the kubelet service file permissions are set to 644 or
 more restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
 tests:
@@ -368,7 +368,7 @@ groups:
 scored: true
 - id: 2.2.4
- text: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)"
+ description: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
 tests:
 test_items:
@@ -381,7 +381,7 @@ groups:
 scored: true
 - id: 2.2.5
- text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
+ description: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
 restrictive (Scored)"
 audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
 tests:
@@ -409,7 +409,7 @@ groups:
 scored: true
 - id: 2.2.6
- text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
+ description: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
 audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
 tests:
 test_items:
@@ -422,7 +422,7 @@ groups:
 scored: true
 - id: 2.2.7
- text: "Ensure that the certificate authorities file permissions are set to
+ description: "Ensure that the certificate authorities file permissions are set to
 644 or more restrictive (Scored)"
 type: manual
 remediation: |
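Review bot: Check 2.2.3 is described as the kubelet service file permissions check, but its audit line in the `@@ -340,7 +340,7 @@` hunk, `audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"`, stats `$kubeletconf`, the same substitution that 2.2.1 and 2.2.2 use for kubelet.conf, so the service unit file is presumably never inspected and a passing 2.2.1 makes 2.2.3 pass as well. The ownership audit of 2.2.4 in the next hunk has the same substitution. If the config defines a separate variable for the service file path, both audits should use it; if it does not, these two checks would be more honest as `type: manual` than as scored results computed on the wrong file. The `tests:` block of 2.2.3 continues outside the hunk.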
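Review bot: The renamed line for 2.2.4 in the `@@ -368,7 +368,7 @@` hunk still carries its own check id inside the text, `description: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)"`; no other check in this file repeats the id, and a reporter that prefixes `id` would print it twice. Since the commit is already rewriting every one of these lines, this is the moment to drop the stray prefix so it reads `description: "Ensure that the kubelet service file ownership is set to root:root (Scored)"`.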
@@ -431,7 +431,7 @@ groups:
 scored: true
 - id: 2.2.8
- text: "Ensure that the client certificate authorities file ownership is set to root:root"
+ description: "Ensure that the client certificate authorities file ownership is set to root:root"
 audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
 type: manual
 remediation: |
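Review bot: The audit command for 2.2.8, `audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"`, can never substitute a path: a hyphen is not part of a shell variable name, so `$ca-file` expands to the value of `$ca` (presumably unset) followed by the literal `-file`, and the `test -e` guard always fails, leaving the ownership unverified. The check is `type: manual`, so the tool may not execute it, but as written the audit is dead text that reads as if it worked. Either use a hyphen-free name that the config's substitution map actually defines (for example `$cafile`, a name constructed here), or remove the `audit:` line and rely on the remediation text as the manual guidance. The `remediation: |` block continues outside the hunk.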