
Fix definitions file to support move to bench-common.

This commit is contained in:
Abubakr-Sadik Nii Nai Davis 2018-08-08 16:59:50 +00:00
parent 5dba85ca47
commit 4bb5039517
9 changed files with 384 additions and 384 deletions


@ -2,14 +2,14 @@
controls: controls:
version: 1.6 version: 1.6
id: 3 id: 3
text: "Federated Deployments" description: "Federated Deployments"
type: "federated" type: "federated"
groups: groups:
- id: 3.1 - id: 3.1
text: "Federation API Server" description: "Federation API Server"
checks: checks:
- id: 3.1.1 - id: 3.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -23,7 +23,7 @@ groups:
scored: true scored: true
- id: 3.1.2 - id: 3.1.2
text: "Ensure that the --basic-auth-file argument is not set (Scored)" description: "Ensure that the --basic-auth-file argument is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -35,7 +35,7 @@ groups:
scored: true scored: true
- id: 3.1.3 - id: 3.1.3
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -46,7 +46,7 @@ groups:
scored: true scored: true
- id: 3.1.4 - id: 3.1.4
text: "Ensure that the --insecure-bind-address argument is not set (Scored)" description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -57,7 +57,7 @@ groups:
scored: true scored: true
- id: 3.1.5 - id: 3.1.5
text: "Ensure that the --insecure-port argument is set to 0 (Scored)" description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -71,7 +71,7 @@ groups:
scored: true scored: true
- id: 3.1.6 - id: 3.1.6
text: "Ensure that the --secure-port argument is not set to 0 (Scored)" description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -88,7 +88,7 @@ groups:
scored: true scored: true
- id: 3.1.7 - id: 3.1.7
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -102,7 +102,7 @@ groups:
score: true score: true
- id: 3.1.8 - id: 3.1.8
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -117,7 +117,7 @@ groups:
scored: true scored: true
- id: 3.1.9 - id: 3.1.9
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -131,7 +131,7 @@ groups:
scored: true scored: true
- id: 3.1.10 - id: 3.1.10
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -142,7 +142,7 @@ groups:
scored: true scored: true
- id: 3.1.11 - id: 3.1.11
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -156,7 +156,7 @@ groups:
scored: true scored: true
- id: 3.1.12 - id: 3.1.12
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -170,7 +170,7 @@ groups:
scored: true scored: true
- id: 3.1.13 - id: 3.1.13
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -184,7 +184,7 @@ groups:
scored: true scored: true
- id: 3.1.14 - id: 3.1.14
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -198,7 +198,7 @@ groups:
scored: true scored: true
- id: 3.1.15 - id: 3.1.15
text: "Ensure that the --token-auth-file parameter is not set (Scored)" description: "Ensure that the --token-auth-file parameter is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -210,7 +210,7 @@ groups:
scored: true scored: true
- id: 3.1.16 - id: 3.1.16
text: "Ensure that the --service-account-lookup argument is set to true (Scored)" description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -224,7 +224,7 @@ groups:
scored: true scored: true
- id: 3.1.17 - id: 3.1.17
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -235,7 +235,7 @@ groups:
scored: true scored: true
- id: 3.1.18 - id: 3.1.18
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
@ -252,7 +252,7 @@ groups:
scored: true scored: true
- id: 3.1.19 - id: 3.1.19
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
@ -268,10 +268,10 @@ groups:
scored: true scored: true
- id: 3.2 - id: 3.2
text: "Federation Controller Manager" description: "Federation Controller Manager"
checks: checks:
- id: 3.2.1 - id: 3.2.1
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep" audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
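Review bot: Check 3.1.7 (hunk `@ -102,7 +102,7 @@`) still reads `score: true` on the new side while every sibling check in this file uses `scored: true`; since the commit is already rewriting every check's metadata key, this is the place to correct it to `scored: true`. I cannot see the loader from here, but if it ignores unknown keys the misspelling would silently leave that check unscored rather than failing the load, so a typo in this key is worth treating as a real defect. In the same file the new `description` for 3.1.18 (hunk `@ -235,7 +235,7 @@`) is missing its closing parenthesis, `... as appropriate (Scored`, and should end `(Scored)` like the other checks. Both are single-line changes; the same `(Scored` typo also appears in the master file at check 1.1.27.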


@ -2,14 +2,14 @@
controls: controls:
version: 1.6 version: 1.6
id: 1 id: 1
text: "Master Node Security Configuration" description: "Master Node Security Configuration"
type: "master" type: "master"
groups: groups:
- id: 1.1 - id: 1.1
text: "API Server" description: "API Server"
checks: checks:
- id: 1.1.1 - id: 1.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" description: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -23,7 +23,7 @@ groups:
scored: true scored: true
- id: 1.1.2 - id: 1.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -37,7 +37,7 @@ groups:
scored: true scored: true
- id: 1.1.3 - id: 1.1.3
text: "Ensure that the --basic-auth-file argument is not set (Scored)" description: "Ensure that the --basic-auth-file argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -50,7 +50,7 @@ groups:
scored: true scored: true
- id: 1.1.4 - id: 1.1.4
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -61,7 +61,7 @@ groups:
scored: true scored: true
- id: 1.1.5 - id: 1.1.5
text: "Ensure that the --kubelet-https argument is set to true (Scored)" description: "Ensure that the --kubelet-https argument is set to true (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -78,7 +78,7 @@ groups:
scored: true scored: true
- id: 1.1.6 - id: 1.1.6
text: "Ensure that the --insecure-bind-address argument is not set (Scored)" description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -89,7 +89,7 @@ groups:
scored: true scored: true
- id: 1.1.7 - id: 1.1.7
text: "Ensure that the --insecure-port argument is set to 0 (Scored)" description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -103,7 +103,7 @@ groups:
scored: true scored: true
- id: 1.1.8 - id: 1.1.8
text: "Ensure that the --secure-port argument is not set to 0 (Scored)" description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -121,7 +121,7 @@ groups:
scored: true scored: true
- id: 1.1.9 - id: 1.1.9
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -135,7 +135,7 @@ groups:
scored: true scored: true
- id: 1.1.10 - id: 1.1.10
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" description: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -149,7 +149,7 @@ groups:
scored: true scored: true
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -163,7 +163,7 @@ groups:
scored: true scored: true
- id: 1.1.12 - id: 1.1.12
text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)" description: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -177,7 +177,7 @@ groups:
scored: true scored: true
- id: 1.1.13 - id: 1.1.13
text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)" description: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -191,7 +191,7 @@ groups:
scored: true scored: true
- id: 1.1.14 - id: 1.1.14
text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)" description: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -205,7 +205,7 @@ groups:
scored: true scored: true
- id: 1.1.15 - id: 1.1.15
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -219,7 +219,7 @@ groups:
scored: true scored: true
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -230,7 +230,7 @@ groups:
scored: true scored: true
- id: 1.1.17 - id: 1.1.17
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -244,7 +244,7 @@ groups:
scored: true scored: true
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -258,7 +258,7 @@ groups:
scored: true scored: true
- id: 1.1.19 - id: 1.1.19
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -272,7 +272,7 @@ groups:
scored: true scored: true
- id: 1.1.20 - id: 1.1.20
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -286,7 +286,7 @@ groups:
scored: true scored: true
- id: 1.1.21 - id: 1.1.21
text: "Ensure that the --token-auth-file parameter is not set (Scored)" description: "Ensure that the --token-auth-file parameter is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -298,7 +298,7 @@ groups:
scored: true scored: true
- id: 1.1.22 - id: 1.1.22
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" description: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -311,7 +311,7 @@ groups:
scored: true scored: true
- id: 1.1.23 - id: 1.1.23
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" description: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
@ -327,7 +327,7 @@ groups:
scored: true scored: true
- id: 1.1.24 - id: 1.1.24
text: "Ensure that the --service-account-lookup argument is set to true (Scored)" description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -341,7 +341,7 @@ groups:
scored: true scored: true
- id: 1.1.25 - id: 1.1.25
text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)" description: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -356,7 +356,7 @@ groups:
scored: true scored: true
- id: 1.1.26 - id: 1.1.26
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -367,7 +367,7 @@ groups:
scored: true scored: true
- id: 1.1.27 - id: 1.1.27
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
@ -383,7 +383,7 @@ groups:
scored: true scored: true
- id: 1.1.28 - id: 1.1.28
text: "Ensure that the admission control policy is set to ServiceAccount (Scored)" description: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -398,7 +398,7 @@ groups:
scored: true scored: true
- id: 1.1.29 - id: 1.1.29
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
@ -414,7 +414,7 @@ groups:
scored: true scored: true
- id: 1.1.30 - id: 1.1.30
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -426,7 +426,7 @@ groups:
scored: true scored: true
- id: 1.1.31 - id: 1.1.31
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" description: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -438,10 +438,10 @@ groups:
scored: true scored: true
- id: 1.2 - id: 1.2
text: "Scheduler" description: "Scheduler"
checks: checks:
- id: 1.2.1 - id: 1.2.1
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $schedulerbin | grep -v grep" audit: "ps -ef | grep $schedulerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -455,10 +455,10 @@ groups:
scored: true scored: true
- id: 1.3 - id: 1.3
text: "Controller Manager" description: "Controller Manager"
checks: checks:
- id: 1.3.1 - id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" description: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -469,7 +469,7 @@ groups:
scored: true scored: true
- id: 1.3.2 - id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -483,7 +483,7 @@ groups:
scored: true scored: true
- id: 1.3.3 - id: 1.3.3
text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)" description: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -495,7 +495,7 @@ groups:
scored: true scored: true
- id: 1.3.4 - id: 1.3.4
text: "Ensure that the --use-service-account-credentials argument is set" description: "Ensure that the --use-service-account-credentials argument is set"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -509,7 +509,7 @@ groups:
scored: true scored: true
- id: 1.3.5 - id: 1.3.5
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" description: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -520,7 +520,7 @@ groups:
scored: true scored: true
- id: 1.3.6 - id: 1.3.6
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" description: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -531,10 +531,10 @@ groups:
scored: true scored: true
- id: 1.4 - id: 1.4
text: "Configure Files" description: "Configure Files"
checks: checks:
- id: 1.4.1 - id: 1.4.1
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
tests: tests:
@ -560,7 +560,7 @@ groups:
scored: true scored: true
- id: 1.4.2 - id: 1.4.2
text: "Ensure that the apiserver file ownership is set to root:root (Scored)" description: "Ensure that the apiserver file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
tests: tests:
test_items: test_items:
@ -574,7 +574,7 @@ groups:
scored: true scored: true
- id: 1.4.3 - id: 1.4.3
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
tests: tests:
bin_op: or bin_op: or
@ -599,7 +599,7 @@ groups:
scored: true scored: true
- id: 1.4.4 - id: 1.4.4
text: "Ensure that the config file ownership is set to root:root (Scored)" description: "Ensure that the config file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'" audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
tests: tests:
test_items: test_items:
@ -613,7 +613,7 @@ groups:
scored: true scored: true
- id: 1.4.5 - id: 1.4.5
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -638,7 +638,7 @@ groups:
scored: true scored: true
- id: 1.4.6 - id: 1.4.6
text: "Ensure that the scheduler file ownership is set to root:root (Scored)" description: "Ensure that the scheduler file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
tests: tests:
test_items: test_items:
@ -652,7 +652,7 @@ groups:
scored: true scored: true
- id: 1.4.7 - id: 1.4.7
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -677,7 +677,7 @@ groups:
scored: true scored: true
- id: 1.4.8 - id: 1.4.8
text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)" description: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
tests: tests:
test_items: test_items:
@ -691,7 +691,7 @@ groups:
scored: true scored: true
- id: 1.4.9 - id: 1.4.9
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'" audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -716,7 +716,7 @@ groups:
scored: true scored: true
- id: 1.4.10 - id: 1.4.10
text: "Ensure that the flanneld file ownership is set to root:root (Scored)" description: "Ensure that the flanneld file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'" audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'"
tests: tests:
test_items: test_items:
@ -730,7 +730,7 @@ groups:
scored: true scored: true
- id: 1.4.11 - id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" description: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a
tests: tests:
test_items: test_items:
@ -747,7 +747,7 @@ groups:
scored: true scored: true
- id: 1.4.12 - id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" description: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
tests: tests:
test_items: test_items:
@ -761,10 +761,10 @@ groups:
scored: true scored: true
- id: 1.5 - id: 1.5
text: "etcd" description: "etcd"
checks: checks:
- id: 1.5.1 - id: 1.5.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" description: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -776,7 +776,7 @@ groups:
scored: true scored: true
- id: 1.5.2 - id: 1.5.2
text: "Ensure that the --client-cert-auth argument is set to true (Scored)" description: "Ensure that the --client-cert-auth argument is set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -792,7 +792,7 @@ groups:
scored: true scored: true
- id: 1.5.3 - id: 1.5.3
text: "Ensure that the --auto-tls argument is not set to true (Scored)" description: "Ensure that the --auto-tls argument is not set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -810,7 +810,7 @@ groups:
scored: true scored: true
- id: 1.5.4 - id: 1.5.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" description: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -825,7 +825,7 @@ groups:
scored: true scored: true
- id: 1.5.5 - id: 1.5.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" description: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -843,7 +843,7 @@ groups:
scored: true scored: true
- id: 1.5.6 - id: 1.5.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" description: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -864,7 +864,7 @@ groups:
scored: true scored: true
- id: 1.5.7 - id: 1.5.7
text: "Ensure that the --wal-dir argument is set as appropriate (Scored)" description: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -877,7 +877,7 @@ groups:
scored: true scored: true
- id: 1.5.8 - id: 1.5.8
text: "Ensure that the --max-wals argument is set to 0 (Scored)" description: "Ensure that the --max-wals argument is set to 0 (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -893,7 +893,7 @@ groups:
scored: true scored: true
- id: 1.5.9 - id: 1.5.9
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" description: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -904,16 +904,16 @@ groups:
scored: false scored: false
- id: 1.6 - id: 1.6
text: "General Security Primitives" description: "General Security Primitives"
checks: checks:
- id: 1.6.1 - id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)" description: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual" type: "manual"
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]" remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
scored: false scored: false
- id: 1.6.2 - id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)" description: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster. remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
@ -921,27 +921,27 @@ groups:
scored: false scored: false
- id: 1.6.3 - id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)" description: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create namespaces for objects in your deployment as you remediation: "Follow the documentation and create namespaces for objects in your deployment as you
need them." need them."
scored: false scored: false
- id: 1.6.4 - id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)" description: "Create network segmentation using Network Policies (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create NetworkPolicy objects as you need them." remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
scored: false scored: false
- id: 1.6.5 - id: 1.6.5
text: "Avoid using Kubernetes Secrets (Not Scored)" description: "Avoid using Kubernetes Secrets (Not Scored)"
type: "manual" type: "manual"
remediation: "Use other mechanisms such as vaults to manage your cluster secrets." remediation: "Use other mechanisms such as vaults to manage your cluster secrets."
scored: false scored: false
- id: 1.6.6 - id: 1.6.6
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" description: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual" type: "manual"
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing \"--feature- would need to enable alpha features in the apiserver by passing \"--feature-
@ -952,7 +952,7 @@ groups:
scored: false scored: false
- id: 1.6.7 - id: 1.6.7
text: "Apply Security Context to Your Pods and Containers (Not Scored)" description: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
@ -960,7 +960,7 @@ groups:
scored: false scored: false
- id: 1.6.8 - id: 1.6.8
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" description: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and setup image provenance." remediation: "Follow the Kubernetes documentation and setup image provenance."
scored: false scored: false


@ -2,14 +2,14 @@
controls: controls:
version: 1.6 version: 1.6
id: 2 id: 2
text: "Worker Node Security Configuration" description: "Worker Node Security Configuration"
type: "node" type: "node"
groups: groups:
- id: 2.1 - id: 2.1
text: "Kubelet" description: "Kubelet"
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" description: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -23,7 +23,7 @@ groups:
scored: true scored: true
- id: 2.1.2 - id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -37,7 +37,7 @@ groups:
scored: true scored: true
- id: 2.1.3 - id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -51,7 +51,7 @@ groups:
scored: true scored: true
- id: 2.1.4 - id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -63,7 +63,7 @@ groups:
scored: true scored: true
- id: 2.1.5 - id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" description: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -77,7 +77,7 @@ groups:
scored: true scored: true
- id: 2.1.6 - id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" description: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -91,7 +91,7 @@ groups:
scored: true scored: true
- id: 2.1.7 - id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" description: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -105,7 +105,7 @@ groups:
scored: true scored: true
- id: 2.1.8 - id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" description: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -122,7 +122,7 @@ groups:
scored: true scored: true
- id: 2.1.9 - id: 2.1.9
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" description: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -136,7 +136,7 @@ groups:
scored: true scored: true
- id: 2.1.10 - id: 2.1.10
text: "Ensure that the --hostname-override argument is not set (Scored)" description: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -147,7 +147,7 @@ groups:
scored: true scored: true
- id: 2.1.11 - id: 2.1.11
text: "Ensure that the --event-qps argument is set to 0 (Scored)" description: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -161,7 +161,7 @@ groups:
scored: true scored: true
- id: 2.1.12 - id: 2.1.12
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -176,7 +176,7 @@ groups:
scored: true scored: true
- id: 2.1.13 - id: 2.1.13
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" description: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -190,10 +190,10 @@ groups:
scored: true scored: true
- id: 2.2 - id: 2.2
text: "Configuration Files" description: "Configuration Files"
checks: checks:
- id: 2.2.1 - id: 2.2.1
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
tests: tests:
bin_op: or bin_op: or
@ -218,7 +218,7 @@ groups:
scored: true scored: true
- id: 2.2.2 - id: 2.2.2
text: "Ensure that the config file ownership is set to root:root (Scored)" description: "Ensure that the config file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'" audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
tests: tests:
test_items: test_items:
@ -232,7 +232,7 @@ groups:
scored: true scored: true
- id: 2.2.3 - id: 2.2.3
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -257,7 +257,7 @@ groups:
scored: true scored: true
- id: 2.2.4 - id: 2.2.4
text: "Ensure that the kubelet file ownership is set to root:root (Scored)" description: "Ensure that the kubelet file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests: tests:
test_items: test_items:
@ -268,7 +268,7 @@ groups:
scored: true scored: true
- id: 2.2.5 - id: 2.2.5
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -293,7 +293,7 @@ groups:
scored: true scored: true
- id: 2.2.6 - id: 2.2.6
text: "Ensure that the proxy file ownership is set to root:root (Scored)" description: "Ensure that the proxy file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
tests: tests:
test_items: test_items:


@ -2,14 +2,14 @@
controls: controls:
version: 1.7 version: 1.7
id: 3 id: 3
text: "Federated Deployments" description: "Federated Deployments"
type: "federated" type: "federated"
groups: groups:
- id: 3.1 - id: 3.1
text: "Federation API Server" description: "Federation API Server"
checks: checks:
- id: 3.1.1 - id: 3.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -23,7 +23,7 @@ groups:
scored: true scored: true
- id: 3.1.2 - id: 3.1.2
text: "Ensure that the --basic-auth-file argument is not set (Scored)" description: "Ensure that the --basic-auth-file argument is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -35,7 +35,7 @@ groups:
scored: true scored: true
- id: 3.1.3 - id: 3.1.3
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -46,7 +46,7 @@ groups:
scored: true scored: true
- id: 3.1.4 - id: 3.1.4
text: "Ensure that the --insecure-bind-address argument is not set (Scored)" description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -57,7 +57,7 @@ groups:
scored: true scored: true
- id: 3.1.5 - id: 3.1.5
text: "Ensure that the --insecure-port argument is set to 0 (Scored)" description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -71,7 +71,7 @@ groups:
scored: true scored: true
- id: 3.1.6 - id: 3.1.6
text: "Ensure that the --secure-port argument is not set to 0 (Scored)" description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -88,7 +88,7 @@ groups:
scored: true scored: true
- id: 3.1.7 - id: 3.1.7
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -102,7 +102,7 @@ groups:
score: true score: true
- id: 3.1.8 - id: 3.1.8
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -117,7 +117,7 @@ groups:
scored: true scored: true
- id: 3.1.9 - id: 3.1.9
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -131,7 +131,7 @@ groups:
scored: true scored: true
- id: 3.1.10 - id: 3.1.10
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -142,7 +142,7 @@ groups:
scored: true scored: true
- id: 3.1.11 - id: 3.1.11
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -156,7 +156,7 @@ groups:
scored: true scored: true
- id: 3.1.12 - id: 3.1.12
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -170,7 +170,7 @@ groups:
scored: true scored: true
- id: 3.1.13 - id: 3.1.13
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -184,7 +184,7 @@ groups:
scored: true scored: true
- id: 3.1.14 - id: 3.1.14
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -198,7 +198,7 @@ groups:
scored: true scored: true
- id: 3.1.15 - id: 3.1.15
text: "Ensure that the --token-auth-file parameter is not set (Scored)" description: "Ensure that the --token-auth-file parameter is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -210,7 +210,7 @@ groups:
scored: true scored: true
- id: 3.1.16 - id: 3.1.16
text: "Ensure that the --service-account-lookup argument is set to true (Scored)" description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -224,7 +224,7 @@ groups:
scored: true scored: true
- id: 3.1.17 - id: 3.1.17
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -235,7 +235,7 @@ groups:
scored: true scored: true
- id: 3.1.18 - id: 3.1.18
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
@ -252,7 +252,7 @@ groups:
scored: true scored: true
- id: 3.1.19 - id: 3.1.19
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
@ -268,10 +268,10 @@ groups:
scored: true scored: true
- id: 3.2 - id: 3.2
text: "Federation Controller Manager" description: "Federation Controller Manager"
checks: checks:
- id: 3.2.1 - id: 3.2.1
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep" audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
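Review bot: Check 3.1.7 still carries `score: true` on the line right after the renamed description, while every sibling check in this file uses `scored: true`; since the commit already rewrites the adjacent line, this key should be corrected to `scored: true` in the same pass. Presumably the loader ignores the unknown key rather than rejecting the file, in which case 3.1.7 would load with its scored flag unset and be reported as not scored, which is harder to notice than a parse error. The description of 3.1.18 also ends in a truncated `(Scored` with no closing parenthesis, and the same truncated `(Scored` appears on 1.1.27 in the master node section below; both should read `(Scored)`.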


@ -2,14 +2,14 @@
controls: controls:
version: 1.7 version: 1.7
id: 1 id: 1
text: "Master Node Security Configuration" description: "Master Node Security Configuration"
type: "master" type: "master"
groups: groups:
- id: 1.1 - id: 1.1
text: "API Server" description: "API Server"
checks: checks:
- id: 1.1.1 - id: 1.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" description: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -23,7 +23,7 @@ groups:
scored: true scored: true
- id: 1.1.2 - id: 1.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -37,7 +37,7 @@ groups:
scored: true scored: true
- id: 1.1.3 - id: 1.1.3
text: "Ensure that the --basic-auth-file argument is not set (Scored)" description: "Ensure that the --basic-auth-file argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -50,7 +50,7 @@ groups:
scored: true scored: true
- id: 1.1.4 - id: 1.1.4
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -61,7 +61,7 @@ groups:
scored: true scored: true
- id: 1.1.5 - id: 1.1.5
text: "Ensure that the --kubelet-https argument is set to true (Scored)" description: "Ensure that the --kubelet-https argument is set to true (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -78,7 +78,7 @@ groups:
scored: true scored: true
- id: 1.1.6 - id: 1.1.6
text: "Ensure that the --insecure-bind-address argument is not set (Scored)" description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -89,7 +89,7 @@ groups:
scored: true scored: true
- id: 1.1.7 - id: 1.1.7
text: "Ensure that the --insecure-port argument is set to 0 (Scored)" description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -103,7 +103,7 @@ groups:
scored: true scored: true
- id: 1.1.8 - id: 1.1.8
text: "Ensure that the --secure-port argument is not set to 0 (Scored)" description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -121,7 +121,7 @@ groups:
scored: true scored: true
- id: 1.1.9 - id: 1.1.9
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -135,7 +135,7 @@ groups:
scored: true scored: true
- id: 1.1.10 - id: 1.1.10
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" description: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -149,7 +149,7 @@ groups:
scored: true scored: true
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -163,7 +163,7 @@ groups:
scored: true scored: true
- id: 1.1.12 - id: 1.1.12
text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)" description: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -177,7 +177,7 @@ groups:
scored: true scored: true
- id: 1.1.13 - id: 1.1.13
text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)" description: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -191,7 +191,7 @@ groups:
scored: true scored: true
- id: 1.1.14 - id: 1.1.14
text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)" description: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -205,7 +205,7 @@ groups:
scored: true scored: true
- id: 1.1.15 - id: 1.1.15
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -219,7 +219,7 @@ groups:
scored: true scored: true
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -230,7 +230,7 @@ groups:
scored: true scored: true
- id: 1.1.17 - id: 1.1.17
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -244,7 +244,7 @@ groups:
scored: true scored: true
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -258,7 +258,7 @@ groups:
scored: true scored: true
- id: 1.1.19 - id: 1.1.19
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -272,7 +272,7 @@ groups:
scored: true scored: true
- id: 1.1.20 - id: 1.1.20
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -286,7 +286,7 @@ groups:
scored: true scored: true
- id: 1.1.21 - id: 1.1.21
text: "Ensure that the --token-auth-file parameter is not set (Scored)" description: "Ensure that the --token-auth-file parameter is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -298,7 +298,7 @@ groups:
scored: true scored: true
- id: 1.1.22 - id: 1.1.22
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" description: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -311,7 +311,7 @@ groups:
scored: true scored: true
- id: 1.1.23 - id: 1.1.23
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" description: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
@ -327,7 +327,7 @@ groups:
scored: true scored: true
- id: 1.1.24 - id: 1.1.24
text: "Ensure that the --service-account-lookup argument is set to true (Scored)" description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -341,7 +341,7 @@ groups:
scored: true scored: true
- id: 1.1.25 - id: 1.1.25
text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)" description: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -356,7 +356,7 @@ groups:
scored: true scored: true
- id: 1.1.26 - id: 1.1.26
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -367,7 +367,7 @@ groups:
scored: true scored: true
- id: 1.1.27 - id: 1.1.27
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
@ -383,7 +383,7 @@ groups:
scored: true scored: true
- id: 1.1.28 - id: 1.1.28
text: "Ensure that the admission control policy is set to ServiceAccount (Scored)" description: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -398,7 +398,7 @@ groups:
scored: true scored: true
- id: 1.1.29 - id: 1.1.29
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
@ -414,7 +414,7 @@ groups:
scored: true scored: true
- id: 1.1.30 - id: 1.1.30
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -426,7 +426,7 @@ groups:
scored: true scored: true
- id: 1.1.31 - id: 1.1.31
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" description: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -438,7 +438,7 @@ groups:
scored: true scored: true
- id: 1.1.32 - id: 1.1.32
text: "Ensure that the --authorization-mode argument is set to Node (Scored)" description: "Ensure that the --authorization-mode argument is set to Node (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -454,7 +454,7 @@ groups:
scored: true scored: true
- id: 1.1.33 - id: 1.1.33
text: "Ensure that the admission control policy is set to NodeRestriction (Scored)" description: "Ensure that the admission control policy is set to NodeRestriction (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -469,7 +469,7 @@ groups:
scored: true scored: true
- id: 1.1.34 - id: 1.1.34
text: "1.1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)" description: "1.1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -481,7 +481,7 @@ groups:
scored: true scored: true
- id: 1.1.35 - id: 1.1.35
text: "Ensure that the encryption provider is set to aescbc (Scored)" description: "Ensure that the encryption provider is set to aescbc (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
@ -489,10 +489,10 @@ groups:
scored: true scored: true
- id: 1.2 - id: 1.2
text: "Scheduler" description: "Scheduler"
checks: checks:
- id: 1.2.1 - id: 1.2.1
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $schedulerbin | grep -v grep" audit: "ps -ef | grep $schedulerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -506,10 +506,10 @@ groups:
scored: true scored: true
- id: 1.3 - id: 1.3
text: "Controller Manager" description: "Controller Manager"
checks: checks:
- id: 1.3.1 - id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" description: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -520,7 +520,7 @@ groups:
scored: true scored: true
- id: 1.3.2 - id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -534,7 +534,7 @@ groups:
scored: true scored: true
- id: 1.3.3 - id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set" description: "Ensure that the --use-service-account-credentials argument is set"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -548,7 +548,7 @@ groups:
scored: true scored: true
- id: 1.3.4 - id: 1.3.4
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" description: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -559,7 +559,7 @@ groups:
scored: true scored: true
- id: 1.3.5 - id: 1.3.5
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" description: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -570,7 +570,7 @@ groups:
scored: true scored: true
- id: 1.3.6 - id: 1.3.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)" description: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
@ -578,7 +578,7 @@ groups:
scored: false scored: false
- id: 1.3.7 - id: 1.3.7
text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" description: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -593,10 +593,10 @@ groups:
scored: true scored: true
- id: 1.4 - id: 1.4
text: "Configure Files" description: "Configure Files"
checks: checks:
- id: 1.4.1 - id: 1.4.1
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
tests: tests:
@ -622,7 +622,7 @@ groups:
scored: true scored: true
- id: 1.4.2 - id: 1.4.2
text: "Ensure that the apiserver file ownership is set to root:root (Scored)" description: "Ensure that the apiserver file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
tests: tests:
test_items: test_items:
@ -636,7 +636,7 @@ groups:
scored: true scored: true
- id: 1.4.3 - id: 1.4.3
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'" audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -661,7 +661,7 @@ groups:
scored: true scored: true
- id: 1.4.4 - id: 1.4.4
text: "Ensure that the config file ownership is set to root:root (Scored)" description: "Ensure that the config file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'" audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
tests: tests:
test_items: test_items:
@ -675,7 +675,7 @@ groups:
scored: true scored: true
- id: 1.4.5 - id: 1.4.5
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -700,7 +700,7 @@ groups:
scored: true scored: true
- id: 1.4.6 - id: 1.4.6
text: "Ensure that the scheduler file ownership is set to root:root (Scored)" description: "Ensure that the scheduler file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
tests: tests:
test_items: test_items:
@ -714,7 +714,7 @@ groups:
scored: true scored: true
- id: 1.4.7 - id: 1.4.7
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -739,7 +739,7 @@ groups:
scored: true scored: true
- id: 1.4.8 - id: 1.4.8
text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)" description: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
tests: tests:
test_items: test_items:
@ -753,7 +753,7 @@ groups:
scored: true scored: true
- id: 1.4.9 - id: 1.4.9
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'" audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -778,7 +778,7 @@ groups:
scored: true scored: true
- id: 1.4.10 - id: 1.4.10
text: "Ensure that the flanneld file ownership is set to root:root (Scored)" description: "Ensure that the flanneld file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'" audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'"
tests: tests:
test_items: test_items:
@ -792,7 +792,7 @@ groups:
scored: true scored: true
- id: 1.4.11 - id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" description: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a
tests: tests:
test_items: test_items:
@ -809,7 +809,7 @@ groups:
scored: true scored: true
- id: 1.4.12 - id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" description: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: ps -ef | grep $etcdbin | grep -v grep | ed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G audit: ps -ef | grep $etcdbin | grep -v grep | ed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
tests: tests:
test_items: test_items:
@ -823,10 +823,10 @@ groups:
scored: true scored: true
- id: 1.5 - id: 1.5
text: "etcd" description: "etcd"
checks: checks:
- id: 1.5.1 - id: 1.5.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" description: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -838,7 +838,7 @@ groups:
scored: true scored: true
- id: 1.5.2 - id: 1.5.2
text: "Ensure that the --client-cert-auth argument is set to true (Scored)" description: "Ensure that the --client-cert-auth argument is set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -854,7 +854,7 @@ groups:
scored: true scored: true
- id: 1.5.3 - id: 1.5.3
text: "Ensure that the --auto-tls argument is not set to true (Scored)" description: "Ensure that the --auto-tls argument is not set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -872,7 +872,7 @@ groups:
scored: true scored: true
- id: 1.5.4 - id: 1.5.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" description: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -887,7 +887,7 @@ groups:
scored: true scored: true
- id: 1.5.5 - id: 1.5.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" description: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -905,7 +905,7 @@ groups:
scored: true scored: true
- id: 1.5.6 - id: 1.5.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" description: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -926,7 +926,7 @@ groups:
scored: true scored: true
- id: 1.5.7 - id: 1.5.7
text: "Ensure that the --wal-dir argument is set as appropriate (Scored)" description: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -939,7 +939,7 @@ groups:
scored: true scored: true
- id: 1.5.8 - id: 1.5.8
text: "Ensure that the --max-wals argument is set to 0 (Scored)" description: "Ensure that the --max-wals argument is set to 0 (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -955,7 +955,7 @@ groups:
scored: true scored: true
- id: 1.5.9 - id: 1.5.9
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" description: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -966,16 +966,16 @@ groups:
scored: false scored: false
- id: 1.6 - id: 1.6
text: "General Security Primitives" description: "General Security Primitives"
checks: checks:
- id: 1.6.1 - id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)" description: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual" type: "manual"
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]" remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
scored: false scored: false
- id: 1.6.2 - id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)" description: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster. remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
@ -983,20 +983,20 @@ groups:
scored: false scored: false
- id: 1.6.3 - id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)" description: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create namespaces for objects in your deployment as you remediation: "Follow the documentation and create namespaces for objects in your deployment as you
need them." need them."
scored: false scored: false
- id: 1.6.4 - id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)" description: "Create network segmentation using Network Policies (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create NetworkPolicy objects as you need them." remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
scored: false scored: false
- id: 1.6.5 - id: 1.6.5
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" description: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual" type: "manual"
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing \"--feature- would need to enable alpha features in the apiserver by passing \"--feature-
@ -1007,7 +1007,7 @@ groups:
scored: false scored: false
- id: 1.6.6 - id: 1.6.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)" description: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
@ -1015,13 +1015,13 @@ groups:
scored: false scored: false
- id: 1.6.7 - id: 1.6.7
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" description: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and setup image provenance." remediation: "Follow the Kubernetes documentation and setup image provenance."
scored: false scored: false
- id: 1.6.8 - id: 1.6.8
text: "Configure Network policies as appropriate (Not Scored)" description: "Configure Network policies as appropriate (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate." remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
scored: false scored: false


@ -2,14 +2,14 @@
controls: controls:
version: 1.7 version: 1.7
id: 2 id: 2
text: "Worker Node Security Configuration" description: "Worker Node Security Configuration"
type: "node" type: "node"
groups: groups:
- id: 2.1 - id: 2.1
text: "Kubelet" description: "Kubelet"
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" description: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -23,7 +23,7 @@ groups:
scored: true scored: true
- id: 2.1.2 - id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -37,7 +37,7 @@ groups:
scored: true scored: true
- id: 2.1.3 - id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -51,7 +51,7 @@ groups:
scored: true scored: true
- id: 2.1.4 - id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -63,7 +63,7 @@ groups:
scored: true scored: true
- id: 2.1.5 - id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" description: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -77,7 +77,7 @@ groups:
scored: true scored: true
- id: 2.1.6 - id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" description: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -92,7 +92,7 @@ groups:
scored: true scored: true
- id: 2.1.7 - id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" description: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -106,7 +106,7 @@ groups:
scored: true scored: true
- id: 2.1.8 - id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" description: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -123,7 +123,7 @@ groups:
scored: true scored: true
- id: 2.1.9 - id: 2.1.9
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" description: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -137,7 +137,7 @@ groups:
scored: true scored: true
- id: 2.1.10 - id: 2.1.10
text: "Ensure that the --hostname-override argument is not set (Scored)" description: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -148,7 +148,7 @@ groups:
scored: true scored: true
- id: 2.1.11 - id: 2.1.11
text: "Ensure that the --event-qps argument is set to 0 (Scored)" description: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -162,7 +162,7 @@ groups:
scored: true scored: true
- id: 2.1.12 - id: 2.1.12
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -177,7 +177,7 @@ groups:
scored: true scored: true
- id: 2.1.13 - id: 2.1.13
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" description: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -191,7 +191,7 @@ groups:
scored: true scored: true
- id: 2.1.14 - id: 2.1.14
text: "Ensure that the RotateKubeletClientCertificate argument is set to true" description: "Ensure that the RotateKubeletClientCertificate argument is set to true"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -205,7 +205,7 @@ groups:
scored: true scored: true
- id: 2.1.15 - id: 2.1.15
text: "Ensure that the RotateKubeletServerCertificate argument is set to true" description: "Ensure that the RotateKubeletServerCertificate argument is set to true"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -219,10 +219,10 @@ groups:
scored: true scored: true
- id: 2.2 - id: 2.2
text: "Configuration Files" description: "Configuration Files"
checks: checks:
- id: 2.2.1 - id: 2.2.1
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'" audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -247,7 +247,7 @@ groups:
scored: true scored: true
- id: 2.2.2 - id: 2.2.2
text: "Ensure that the config file ownership is set to root:root (Scored)" description: "Ensure that the config file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'" audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
tests: tests:
test_items: test_items:
@ -261,7 +261,7 @@ groups:
scored: true scored: true
- id: 2.2.3 - id: 2.2.3
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -286,7 +286,7 @@ groups:
scored: true scored: true
- id: 2.2.4 - id: 2.2.4
text: "Ensure that the kubelet file ownership is set to root:root (Scored)" description: "Ensure that the kubelet file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests: tests:
test_items: test_items:
@ -297,7 +297,7 @@ groups:
scored: true scored: true
- id: 2.2.5 - id: 2.2.5
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" description: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
tests: tests:
bin_op: or bin_op: or
@ -322,7 +322,7 @@ groups:
scored: true scored: true
- id: 2.2.6 - id: 2.2.6
text: "Ensure that the proxy file ownership is set to root:root (Scored)" description: "Ensure that the proxy file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
tests: tests:
test_items: test_items:
@ -333,7 +333,7 @@ groups:
scored: true scored: true
- id: 2.2.7 - id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to description: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'" audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
tests: tests:
@ -359,7 +359,7 @@ groups:
scored: true scored: true
- id: 2.2.8 - id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root" description: "Ensure that the client certificate authorities file ownership is set to root:root"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
tests: tests:
test_items: test_items:
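Review bot: The audit commands for 2.2.7 and 2.2.8 reference `$ca-file`, which is not a valid shell variable name; unless kube-bench substitutes it before the command is handed to `/bin/sh`, the shell reads it as `$ca` followed by the literal `-file`, so the `test -e` guard checks a bogus path, produces no output, and the CA file's permissions and ownership are never actually inspected (how an empty audit output is then scored depends on the evaluator, so the check may pass or fail for the wrong reason). Use a hyphen-free variable matching the key defined in the kube-bench config in both audit lines, e.g. `audit: "/bin/sh -c 'if test -e $<CA_FILE_VAR>; then stat -c %a $<CA_FILE_VAR>; fi'"` (placeholder name), and add a comment above 2.2.7 such as `# requires the CA file path to be defined in the config; otherwise this check cannot run`. Separately, the descriptions for 2.1.14, 2.1.15 and 2.2.8 lack the `(Scored)`/`(Not Scored)` suffix that every other check in this file carries, which makes the rendered report inconsistent with the benchmark's own labelling.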


@ -2,14 +2,14 @@
controls: controls:
version: 1.8 version: 1.8
id: 3 id: 3
text: "Federated Deployments" description: "Federated Deployments"
type: "federated" type: "federated"
groups: groups:
- id: 3.1 - id: 3.1
text: "Federation API Server" description: "Federation API Server"
checks: checks:
- id: 3.1.1 - id: 3.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -24,7 +24,7 @@ groups:
scored: true scored: true
- id: 3.1.2 - id: 3.1.2
text: "Ensure that the --basic-auth-file argument is not set (Scored)" description: "Ensure that the --basic-auth-file argument is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -37,7 +37,7 @@ groups:
scored: true scored: true
- id: 3.1.3 - id: 3.1.3
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -49,7 +49,7 @@ groups:
scored: true scored: true
- id: 3.1.4 - id: 3.1.4
text: "Ensure that the --insecure-bind-address argument is not set (Scored)" description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -61,7 +61,7 @@ groups:
scored: true scored: true
- id: 3.1.5 - id: 3.1.5
text: "Ensure that the --insecure-port argument is set to 0 (Scored)" description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -76,7 +76,7 @@ groups:
scored: true scored: true
- id: 3.1.6 - id: 3.1.6
text: "Ensure that the --secure-port argument is not set to 0 (Scored)" description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -94,7 +94,7 @@ groups:
scored: true scored: true
- id: 3.1.7 - id: 3.1.7
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -109,7 +109,7 @@ groups:
score: true score: true
- id: 3.1.8 - id: 3.1.8
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -125,7 +125,7 @@ groups:
scored: true scored: true
- id: 3.1.9 - id: 3.1.9
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -141,7 +141,7 @@ groups:
scored: true scored: true
- id: 3.1.10 - id: 3.1.10
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -152,7 +152,7 @@ groups:
scored: true scored: true
- id: 3.1.11 - id: 3.1.11
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -167,7 +167,7 @@ groups:
scored: true scored: true
- id: 3.1.12 - id: 3.1.12
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -182,7 +182,7 @@ groups:
scored: true scored: true
- id: 3.1.13 - id: 3.1.13
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -197,7 +197,7 @@ groups:
scored: true scored: true
- id: 3.1.14 - id: 3.1.14
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -213,7 +213,7 @@ groups:
scored: true scored: true
- id: 3.1.15 - id: 3.1.15
text: "Ensure that the --token-auth-file parameter is not set (Scored)" description: "Ensure that the --token-auth-file parameter is not set (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -226,7 +226,7 @@ groups:
scored: true scored: true
- id: 3.1.16 - id: 3.1.16
text: "Ensure that the --service-account-lookup argument is set to true (Scored)" description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -241,7 +241,7 @@ groups:
scored: true scored: true
- id: 3.1.17 - id: 3.1.17
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -253,7 +253,7 @@ groups:
scored: true scored: true
- id: 3.1.18 - id: 3.1.18
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
appropriate (Scored)" appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
@ -272,7 +272,7 @@ groups:
scored: true scored: true
- id: 3.1.19 - id: 3.1.19
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as
appropriate (Scored)" appropriate (Scored)"
audit: "ps -ef | grep $fedapiserverbin | grep -v grep" audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
tests: tests:
@ -291,10 +291,10 @@ groups:
scored: true scored: true
- id: 3.2 - id: 3.2
text: "Federation Controller Manager" description: "Federation Controller Manager"
checks: checks:
- id: 3.2.1 - id: 3.2.1
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep" audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
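Review bot: Check 3.1.7 in the `@ -109,7 +109,7 @@` hunk still closes with `score: true` rather than `scored: true`, a key typo this commit leaves in place while renaming `text` to `description` on the very next check. If the loader maps only the `scored` key and ignores unknown ones, as the rest of this file assumes, the `--profiling` check for the federation API server would silently be reported as unscored; the fix is the one-line change `scored: true`. Every other trailing line in this section uses `scored: true`, so this is the only inconsistent entry. Separately, `version: 1.8` at the top of the section is an unquoted float; it is a pre-existing line rather than part of this change, but `version: "1.8"` would avoid the implicit-typing trap that turns a later `1.10` into `1.1`.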


@ -2,14 +2,14 @@
controls: controls:
version: 1.8 version: 1.8
id: 1 id: 1
text: "Master Node Security Configuration" description: "Master Node Security Configuration"
type: "master" type: "master"
groups: groups:
- id: 1.1 - id: 1.1
text: "API Server" description: "API Server"
checks: checks:
- id: 1.1.1 - id: 1.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -26,7 +26,7 @@ groups:
scored: true scored: true
- id: 1.1.2 - id: 1.1.2
text: "Ensure that the --basic-auth-file argument is not set (Scored)" description: "Ensure that the --basic-auth-file argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -40,7 +40,7 @@ groups:
scored: true scored: true
- id: 1.1.3 - id: 1.1.3
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -53,7 +53,7 @@ groups:
scored: true scored: true
- id: 1.1.4 - id: 1.1.4
text: "Ensure that the --kubelet-https argument is set to true (Scored)" description: "Ensure that the --kubelet-https argument is set to true (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -71,7 +71,7 @@ groups:
scored: true scored: true
- id: 1.1.5 - id: 1.1.5
text: "Ensure that the --insecure-bind-address argument is not set (Scored)" description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -84,7 +84,7 @@ groups:
scored: true scored: true
- id: 1.1.6 - id: 1.1.6
text: "Ensure that the --insecure-port argument is set to 0 (Scored)" description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -100,7 +100,7 @@ groups:
scored: true scored: true
- id: 1.1.7 - id: 1.1.7
text: "Ensure that the --secure-port argument is not set to 0 (Scored)" description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -119,7 +119,7 @@ groups:
scored: true scored: true
- id: 1.1.8 - id: 1.1.8
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -135,7 +135,7 @@ groups:
scored: true scored: true
- id: 1.1.9 - id: 1.1.9
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" description: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -151,7 +151,7 @@ groups:
scored: true scored: true
- id: 1.1.10 - id: 1.1.10
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -167,7 +167,7 @@ groups:
scored: true scored: true
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)" description: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -184,7 +184,7 @@ groups:
scored: true scored: true
- id: 1.1.12 - id: 1.1.12
text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)" description: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -201,7 +201,7 @@ groups:
scored: true scored: true
- id: 1.1.13 - id: 1.1.13
text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)" description: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -218,7 +218,7 @@ groups:
scored: true scored: true
- id: 1.1.14 - id: 1.1.14
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -235,7 +235,7 @@ groups:
scored: true scored: true
- id: 1.1.15 - id: 1.1.15
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -249,7 +249,7 @@ groups:
scored: true scored: true
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -266,7 +266,7 @@ groups:
scored: true scored: true
- id: 1.1.17 - id: 1.1.17
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -283,7 +283,7 @@ groups:
scored: true scored: true
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -300,7 +300,7 @@ groups:
scored: true scored: true
- id: 1.1.19 - id: 1.1.19
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -317,7 +317,7 @@ groups:
scored: true scored: true
- id: 1.1.20 - id: 1.1.20
text: "Ensure that the --token-auth-file parameter is not set (Scored)" description: "Ensure that the --token-auth-file parameter is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -331,7 +331,7 @@ groups:
scored: true scored: true
- id: 1.1.21 - id: 1.1.21
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" description: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -347,7 +347,7 @@ groups:
scored: true scored: true
- id: 1.1.22 - id: 1.1.22
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are description: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are
set as appropriate (Scored)" set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
@ -367,7 +367,7 @@ groups:
scored: true scored: true
- id: 1.1.23 - id: 1.1.23
text: "Ensure that the --service-account-lookup argument is set to true (Scored)" description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -383,7 +383,7 @@ groups:
scored: true scored: true
- id: 1.1.24 - id: 1.1.24
text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)" description: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -403,7 +403,7 @@ groups:
scored: true scored: true
- id: 1.1.25 - id: 1.1.25
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -417,7 +417,7 @@ groups:
scored: true scored: true
- id: 1.1.26 - id: 1.1.26
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
appropriate (Scored)" appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
@ -437,7 +437,7 @@ groups:
scored: true scored: true
- id: 1.1.27 - id: 1.1.27
text: "Ensure that the admission control policy is set to ServiceAccount (Scored)" description: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -455,7 +455,7 @@ groups:
scored: true scored: true
- id: 1.1.28 - id: 1.1.28
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
as appropriate (Scored)" as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
@ -475,7 +475,7 @@ groups:
scored: true scored: true
- id: 1.1.29 - id: 1.1.29
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -489,7 +489,7 @@ groups:
scored: true scored: true
- id: 1.1.30 - id: 1.1.30
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" description: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -504,7 +504,7 @@ groups:
scored: true scored: true
- id: 1.1.31 - id: 1.1.31
text: "Ensure that the --authorization-mode argument is set to Node (Scored)" description: "Ensure that the --authorization-mode argument is set to Node (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -521,7 +521,7 @@ groups:
scored: true scored: true
- id: 1.1.32 - id: 1.1.32
text: "Ensure that the admission control policy is set to NodeRestriction (Scored)" description: "Ensure that the admission control policy is set to NodeRestriction (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -539,7 +539,7 @@ groups:
scored: true scored: true
- id: 1.1.33 - id: 1.1.33
text: "Ensure that the --experimental-encryption-provider-config argument is description: "Ensure that the --experimental-encryption-provider-config argument is
set as appropriate (Scored)" set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
@ -555,7 +555,7 @@ groups:
scored: true scored: true
- id: 1.1.34 - id: 1.1.34
text: "Ensure that the encryption provider is set to aescbc (Scored)" description: "Ensure that the encryption provider is set to aescbc (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
@ -575,7 +575,7 @@ groups:
scored: true scored: true
- id: 1.1.35 - id: 1.1.35
text: "Ensure that the admission control policy is set to EventRateLimit (Scored)" description: "Ensure that the admission control policy is set to EventRateLimit (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -593,7 +593,7 @@ groups:
scored: true scored: true
- id: 1.1.36 - id: 1.1.36
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)" description: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
@ -604,7 +604,7 @@ groups:
scored: true scored: true
- id: 1.1.37 - id: 1.1.37
text: "Ensure that the --request-timeout argument is set as appropriate (Scored)" description: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
@ -614,10 +614,10 @@ groups:
scored: true scored: true
- id: 1.2 - id: 1.2
text: "Scheduler" description: "Scheduler"
checks: checks:
- id: 1.2.1 - id: 1.2.1
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $schedulerbin | grep -v grep" audit: "ps -ef | grep $schedulerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -634,10 +634,10 @@ groups:
scored: true scored: true
- id: 1.3 - id: 1.3
text: "Controller Manager" description: "Controller Manager"
checks: checks:
- id: 1.3.1 - id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" description: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -650,7 +650,7 @@ groups:
scored: true scored: true
- id: 1.3.2 - id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Scored)" description: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -666,7 +666,7 @@ groups:
scored: true scored: true
- id: 1.3.3 - id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set (Scored)" description: "Ensure that the --use-service-account-credentials argument is set (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -682,7 +682,7 @@ groups:
scored: true scored: true
- id: 1.3.4 - id: 1.3.4
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" description: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -696,7 +696,7 @@ groups:
scored: true scored: true
- id: 1.3.5 - id: 1.3.5
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" description: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -710,7 +710,7 @@ groups:
scored: true scored: true
- id: 1.3.6 - id: 1.3.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)" description: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and apply security contexts to your pods. For a Follow the Kubernetes documentation and apply security contexts to your pods. For a
@ -719,7 +719,7 @@ groups:
scored: false scored: false
- id: 1.3.7 - id: 1.3.7
text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" description: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -736,10 +736,10 @@ groups:
scored: true scored: true
- id: 1.4 - id: 1.4
text: "Configuration Files" description: "Configuration Files"
checks: checks:
- id: 1.4.1 - id: 1.4.1
text: "Ensure that the API server pod specification file permissions are description: "Ensure that the API server pod specification file permissions are
set to 644 or more restrictive (Scored)" set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
tests: tests:
@ -767,7 +767,7 @@ groups:
scored: true scored: true
- id: 1.4.2 - id: 1.4.2
text: "Ensure that the API server pod specification file ownership is set to description: "Ensure that the API server pod specification file ownership is set to
root:root (Scored)" root:root (Scored)"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
tests: tests:
@ -784,7 +784,7 @@ groups:
scored: true scored: true
- id: 1.4.3 - id: 1.4.3
text: "Ensure that the controller manager pod specification file description: "Ensure that the controller manager pod specification file
permissions are set to 644 or more restrictive (Scored)" permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'" audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
tests: tests:
@ -812,7 +812,7 @@ groups:
scored: true scored: true
- id: 1.4.4 - id: 1.4.4
text: "Ensure that the controller manager pod specification file description: "Ensure that the controller manager pod specification file
ownership is set to root:root (Scored)" ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'" audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
tests: tests:
@ -829,7 +829,7 @@ groups:
scored: true scored: true
- id: 1.4.5 - id: 1.4.5
text: "Ensure that the scheduler pod specification file permissions are set description: "Ensure that the scheduler pod specification file permissions are set
to 644 or more restrictive (Scored)" to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
tests: tests:
@ -857,7 +857,7 @@ groups:
scored: true scored: true
- id: 1.4.6 - id: 1.4.6
text: "Ensure that the scheduler pod specification file ownership is set to description: "Ensure that the scheduler pod specification file ownership is set to
root:root (Scored)" root:root (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
tests: tests:
@ -874,7 +874,7 @@ groups:
scored: true scored: true
- id: 1.4.7 - id: 1.4.7
text: "Ensure that the etcd pod specification file permissions are set to description: "Ensure that the etcd pod specification file permissions are set to
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
tests: tests:
@ -902,7 +902,7 @@ groups:
scored: true scored: true
- id: 1.4.8 - id: 1.4.8
text: "Ensure that the etcd pod specification file ownership is set to description: "Ensure that the etcd pod specification file ownership is set to
root:root (Scored)" root:root (Scored)"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
tests: tests:
@ -919,7 +919,7 @@ groups:
scored: true scored: true
- id: 1.4.9 - id: 1.4.9
text: "Ensure that the Container Network Interface file permissions are description: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)" set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>" audit: "stat -c %a <path/to/cni/files>"
type: manual type: manual
@ -930,7 +930,7 @@ groups:
scored: true scored: true
- id: 1.4.10 - id: 1.4.10
text: "Ensure that the Container Network Interface file ownership is set description: "Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)" to root:root (Not Scored)"
audit: "stat -c %U:%G <path/to/cni/files>" audit: "stat -c %U:%G <path/to/cni/files>"
type: manual type: manual
@ -941,7 +941,7 @@ groups:
scored: true scored: true
- id: 1.4.11 - id: 1.4.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" description: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
tests: tests:
test_items: test_items:
@ -959,7 +959,7 @@ groups:
scored: true scored: true
- id: 1.4.12 - id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" description: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
tests: tests:
test_items: test_items:
@ -974,7 +974,7 @@ groups:
scored: true scored: true
- id: 1.4.13 - id: 1.4.13
text: "Ensure that the admin.conf file permissions are set to 644 or description: "Ensure that the admin.conf file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'" audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
tests: tests:
@ -1002,7 +1002,7 @@ groups:
scored: true scored: true
- id: 1.4.14 - id: 1.4.14
text: "Ensure that the admin.conf file ownership is set to root:root (Scored)" description: "Ensure that the admin.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'" audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'"
tests: tests:
test_items: test_items:
@ -1018,7 +1018,7 @@ groups:
scored: true scored: true
- id: 1.4.15 - id: 1.4.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or description: "Ensure that the scheduler.conf file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
tests: tests:
@ -1046,7 +1046,7 @@ groups:
scored: true scored: true
- id: 1.4.16 - id: 1.4.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)" description: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
tests: tests:
test_items: test_items:
@ -1062,7 +1062,7 @@ groups:
scored: true scored: true
- id: 1.4.17 - id: 1.4.17
text: "Ensure that the controller-manager.conf file permissions are set description: "Ensure that the controller-manager.conf file permissions are set
to 644 or more restrictive (Scored)" to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'" audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
tests: tests:
@ -1090,7 +1090,7 @@ groups:
scored: true scored: true
- id: 1.4.18 - id: 1.4.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)" description: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'" audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
tests: tests:
test_items: test_items:
@ -1106,10 +1106,10 @@ groups:
scored: true scored: true
- id: 1.5 - id: 1.5
text: "etcd" description: "etcd"
checks: checks:
- id: 1.5.1 - id: 1.5.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" description: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -1126,7 +1126,7 @@ groups:
scored: true scored: true
- id: 1.5.2 - id: 1.5.2
text: "Ensure that the --client-cert-auth argument is set to true (Scored)" description: "Ensure that the --client-cert-auth argument is set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -1142,7 +1142,7 @@ groups:
scored: true scored: true
- id: 1.5.3 - id: 1.5.3
text: "Ensure that the --auto-tls argument is not set to true (Scored)" description: "Ensure that the --auto-tls argument is not set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -1160,7 +1160,7 @@ groups:
scored: true scored: true
- id: 1.5.4 - id: 1.5.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set description: "Ensure that the --peer-cert-file and --peer-key-file arguments are set
as appropriate (Scored)" as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
@ -1178,7 +1178,7 @@ groups:
scored: true scored: true
- id: 1.5.5 - id: 1.5.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" description: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -1194,7 +1194,7 @@ groups:
scored: true scored: true
- id: 1.5.6 - id: 1.5.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" description: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -1213,7 +1213,7 @@ groups:
scored: true scored: true
- id: 1.5.7 - id: 1.5.7
text: "Ensure that the --wal-dir argument is set as appropriate (Scored)" description: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -1226,7 +1226,7 @@ groups:
scored: true scored: true
- id: 1.5.8 - id: 1.5.8
text: "Ensure that the --max-wals argument is set to 0 (Scored)" description: "Ensure that the --max-wals argument is set to 0 (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -1242,7 +1242,7 @@ groups:
scored: true scored: true
- id: 1.5.9 - id: 1.5.9
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" description: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -1257,10 +1257,10 @@ groups:
scored: false scored: false
- id: 1.6 - id: 1.6
text: "General Security Primitives" description: "General Security Primitives"
checks: checks:
- id: 1.6.1 - id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)" description: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Remove any unneeded clusterrolebindings : Remove any unneeded clusterrolebindings :
@ -1268,7 +1268,7 @@ groups:
scored: false scored: false
- id: 1.6.2 - id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)" description: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the documentation and create and enforce Pod Security Policies for your cluster. Follow the documentation and create and enforce Pod Security Policies for your cluster.
@ -1277,7 +1277,7 @@ groups:
scored: false scored: false
- id: 1.6.3 - id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)" description: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the documentation and create namespaces for objects in your deployment as you Follow the documentation and create namespaces for objects in your deployment as you
@ -1285,14 +1285,14 @@ groups:
scored: false scored: false
- id: 1.6.4 - id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)" description: "Create network segmentation using Network Policies (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the documentation and create NetworkPolicy objects as you need them. Follow the documentation and create NetworkPolicy objects as you need them.
scored: false scored: false
- id: 1.6.5 - id: 1.6.5
text: "Ensure that the seccomp profile is set to docker/default in your pod description: "Ensure that the seccomp profile is set to docker/default in your pod
definitions (Not Scored)" definitions (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
@ -1319,7 +1319,7 @@ groups:
scored: false scored: false
- id: 1.6.6 - id: 1.6.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)" description: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and apply security contexts to your pods. For a Follow the Kubernetes documentation and apply security contexts to your pods. For a
@ -1328,14 +1328,14 @@ groups:
scored: false scored: false
- id: 1.6.7 - id: 1.6.7
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" description: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and setup image provenance. Follow the Kubernetes documentation and setup image provenance.
scored: false scored: false
- id: 1.6.8 - id: 1.6.8
text: "Configure Network policies as appropriate (Not Scored)" description: "Configure Network policies as appropriate (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and setup network policies as appropriate. Follow the Kubernetes documentation and setup network policies as appropriate.
@ -1350,7 +1350,7 @@ groups:
scored: false scored: false
- id: 1.6.9 - id: 1.6.9
text: "Place compensating controls in the form of PSP and RBAC for description: "Place compensating controls in the form of PSP and RBAC for
privileged containers usage (Not Scored)" privileged containers usage (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |


@ -2,14 +2,14 @@
controls: controls:
version: 1.8 version: 1.8
id: 2 id: 2
text: "Worker Node Security Configuration" description: "Worker Node Security Configuration"
type: "node" type: "node"
groups: groups:
- id: 2.1 - id: 2.1
text: "Kubelet" description: "Kubelet"
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" description: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -28,7 +28,7 @@ groups:
scored: true scored: true
- id: 2.1.2 - id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -47,7 +47,7 @@ groups:
scored: true scored: true
- id: 2.1.3 - id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -66,7 +66,7 @@ groups:
scored: true scored: true
- id: 2.1.4 - id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -82,7 +82,7 @@ groups:
scored: true scored: true
- id: 2.1.5 - id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" description: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -101,7 +101,7 @@ groups:
scored: true scored: true
- id: 2.1.6 - id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" description: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -120,7 +120,7 @@ groups:
scored: true scored: true
- id: 2.1.7 - id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" description: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -139,7 +139,7 @@ groups:
scored: true scored: true
- id: 2.1.8 - id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" description: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
@ -159,7 +159,7 @@ groups:
scored: true scored: true
- id: 2.1.9 - id: 2.1.9
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" description: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -178,7 +178,7 @@ groups:
scored: true scored: true
- id: 2.1.10 - id: 2.1.10
text: "Ensure that the --hostname-override argument is not set (Scored)" description: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -194,7 +194,7 @@ groups:
scored: true scored: true
- id: 2.1.11 - id: 2.1.11
text: "Ensure that the --event-qps argument is set to 0 (Scored)" description: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -213,7 +213,7 @@ groups:
scored: true scored: true
- id: 2.1.12 - id: 2.1.12
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -235,7 +235,7 @@ groups:
scored: true scored: true
- id: 2.1.13 - id: 2.1.13
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" description: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -254,7 +254,7 @@ groups:
scored: true scored: true
- id: 2.1.14 - id: 2.1.14
text: "Ensure that the RotateKubeletClientCertificate argument is set to true" description: "Ensure that the RotateKubeletClientCertificate argument is set to true"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -274,7 +274,7 @@ groups:
scored: true scored: true
- id: 2.1.15 - id: 2.1.15
text: "Ensure that the RotateKubeletServerCertificate argument is set to true" description: "Ensure that the RotateKubeletServerCertificate argument is set to true"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -293,10 +293,10 @@ groups:
scored: true scored: true
- id: 2.2 - id: 2.2
text: "Configuration Files" description: "Configuration Files"
checks: checks:
- id: 2.2.1 - id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or description: "Ensure that the kubelet.conf file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests: tests:
@ -324,7 +324,7 @@ groups:
scored: true scored: true
- id: 2.2.2 - id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" description: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests: tests:
test_items: test_items:
@ -340,7 +340,7 @@ groups:
scored: true scored: true
- id: 2.2.3 - id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or description: "Ensure that the kubelet service file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests: tests:
@ -368,7 +368,7 @@ groups:
scored: true scored: true
- id: 2.2.4 - id: 2.2.4
text: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)" description: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
tests: tests:
test_items: test_items:
@ -381,7 +381,7 @@ groups:
scored: true scored: true
- id: 2.2.5 - id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more description: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
restrictive (Scored)" restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
tests: tests:
@ -409,7 +409,7 @@ groups:
scored: true scored: true
- id: 2.2.6 - id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" description: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
tests: tests:
test_items: test_items:
@ -422,7 +422,7 @@ groups:
scored: true scored: true
- id: 2.2.7 - id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to description: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
type: manual type: manual
remediation: | remediation: |
@ -431,7 +431,7 @@ groups:
scored: true scored: true
- id: 2.2.8 - id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root" description: "Ensure that the client certificate authorities file ownership is set to root:root"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
type: manual type: manual
remediation: | remediation: |