diff --git a/cfg/config.yaml b/cfg/config.yaml index dcce7ba..c8c89c9 100644 --- a/cfg/config.yaml +++ b/cfg/config.yaml @@ -7,11 +7,106 @@ # nodeControls: ./cfg/node.yaml # federatedControls: ./cfg/federated.yaml -## Configuration Directories. -# Specifies the directories to look for configuration files -# for the kubernetes components. -# -## Uncomment to use different paths. -# kubeConfDir: /etc/kubernetes -# etcdConfDir: /etc/etcd -# flanneldConfDir: /etc/sysconfig +## Support components +etcd: + bin: etcd + conf: /etc/etcd/etcd.conf + +flanneld: + bin: flanneld + conf: /etc/sysconfig/flanneld + +# Installation +# Configure kubernetes component binaries and paths to their configuration files. +installation: + default: + config: /etc/kubernetes/config + master: + bin: + apiserver: apiserver + scheduler: scheduler + controller-manager: controller-manager + conf: + apiserver: /etc/kubernetes/apiserver + scheduler: /etc/kubernetes/scheduler + controller-manager: /etc/kubernetes/apiserver + node: + bin: + kubelet: kubelet + proxy: proxy + conf: + kubelet: /etc/kubernetes/kubelet + proxy: /etc/kubernetes/proxy + federated: + bin: + apiserver: federation-apiserver + controller-manager: federation-controller-manager + + kops: + config: /etc/kubernetes/config + master: + bin: + apiserver: apiserver + scheduler: scheduler + controller-manager: controller-manager + conf: + apiserver: /etc/kubernetes/apiserver + scheduler: /etc/kubernetes/scheduler + controller-manager: /etc/kubernetes/apiserver + node: + bin: + kubelet: kubelet + proxy: proxy + conf: + kubelet: /etc/kubernetes/kubelet + proxy: /etc/kubernetes/proxy + federated: + bin: + apiserver: federation-apiserver + controller-manager: federation-controller-manager + + hyperkube: + config: /etc/kubernetes/config + master: + bin: + apiserver: hyperkube apiserver + scheduler: hyperkube scheduler + controller-manager: hyperkube controller-manager + conf: + apiserver: /etc/kubernetes/apiserver + scheduler: /etc/kubernetes/scheduler + controller-manager: /etc/kubernetes/apiserver + node: + bin: + kubelet: hyperkube kubelet + proxy: hyperkube proxy + conf: + kubelet: /etc/kubernetes/kubelet + proxy: /etc/kubernetes/proxy + federated: + bin: + apiserver: hyperkube federation-apiserver + controller-manager: hyperkube federation-controller-manager + + kubeadm: + config: /etc/kubernetes/config + master: + bin: + apiserver: kube-apiserver + scheduler: kube-scheduler + controller-manager: kube-controller-manager + conf: + apiserver: /etc/kubernetes/admin.conf + scheduler: /etc/kubernetes/scheduler.conf + controller-manager: /etc/kubernetes/controller-manager.conf + node: + bin: + kubelet: kubelet + proxy: kube-proxy + conf: + kubelet: /etc/kubernetes/kubelet.conf + proxy: /etc/kubernetes/proxy.conf + federated: + bin: + apiserver: kube-federation-apiserver + controller-manager: kube-federation-controller-manager diff --git a/cfg/federated.yaml b/cfg/federated.yaml index 87e8054..fbff661 100644 --- a/cfg/federated.yaml +++ b/cfg/federated.yaml @@ -9,7 +9,7 @@ groups: checks: - id: 3.1.1 text: "Ensure that the --anonymous-auth argument is set to false (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--anonymous-auth" @@ -23,7 +23,7 @@ groups: - id: 3.1.2 text: "Ensure that the --basic-auth-file argument is not set (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--basic-auth-file" @@ -35,7 +35,7 @@ groups: - id: 3.1.3 text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--insecure-allow-any-token" @@ -46,7 +46,7 @@ groups: - id: 3.1.4 text: "Ensure that the --insecure-bind-address argument is not set (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--insecure-bind-address" @@ -57,7 +57,7 @@ groups: - id: 3.1.5 text: "Ensure that the --insecure-port argument is set to 0 (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--insecure-port" @@ -71,7 +71,7 @@ groups: - id: 3.1.6 text: "Ensure that the --secure-port argument is not set to 0 (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: or test_items: @@ -88,7 +88,7 @@ groups: - id: 3.1.7 text: "Ensure that the --profiling argument is set to false (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--profiling" @@ -102,7 +102,7 @@ groups: - id: 3.1.8 text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--admission-control" @@ -117,7 +117,7 @@ groups: - id: 3.1.9 text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "admission-control" @@ -131,7 +131,7 @@ groups: - id: 3.1.10 text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-path" @@ -142,7 +142,7 @@ groups: - id: 3.1.11 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-maxage" @@ -156,7 +156,7 @@ groups: - id: 3.1.12 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-maxbackup" @@ -170,7 +170,7 @@ groups: - id: 3.1.13 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-maxsize" @@ -184,7 +184,7 @@ groups: - id: 3.1.14 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--authorization-mode" @@ -198,7 +198,7 @@ groups: - id: 3.1.15 text: "Ensure that the --token-auth-file parameter is not set (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--token-auth-file" @@ -210,7 +210,7 @@ groups: - id: 3.1.16 text: "Ensure that the --service-account-lookup argument is set to true (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--service-account-lookup" @@ -224,7 +224,7 @@ groups: - id: 3.1.17 text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: test_items: - flag: "--service-account-key-file" @@ -235,7 +235,7 @@ groups: - id: 3.1.18 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: and test_items: @@ -252,7 +252,7 @@ groups: - id: 3.1.19 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" - audit: "ps -ef | grep $federationApiserver | grep -v grep" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" tests: bin_op: and test_items: @@ -271,7 +271,7 @@ groups: checks: - id: 3.2.1 text: "Ensure that the --profiling argument is set to false (Scored)" - audit: "ps -ef | grep $federationControllerManager | grep -v grep" + audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep" tests: test_items: - flag: "--profiling" diff --git a/cfg/master.yaml b/cfg/master.yaml index f24b342..50b77a9 100644 --- a/cfg/master.yaml +++ b/cfg/master.yaml @@ -9,7 +9,7 @@ groups: checks: - id: 1.1.1 text: "Ensure that the --allow-privileged argument is set to false (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "allow-privileged" @@ -17,13 +17,13 @@ groups: op: eq value: false set: true - remediation: "Edit the $apiserverConf file on the master node and set + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_ALLOW_PRIV parameter to \"--allow-privileged=false\"" scored: true - id: 1.1.2 text: "Ensure that the --anonymous-auth argument is set to false (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--anonymous-auth" @@ -31,37 +31,37 @@ groups: op: eq value: false set: true - remediation: "Edit the $apiserverConf file on the master node and set + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to \"--anonymous-auth=false\"" scored: true - id: 1.1.3 text: "Ensure that the --basic-auth-file argument is not set (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--basic-auth-file" set: false remediation: "Follow the documentation and configure alternate mechanisms for - authentication. Then, edit the $apiserverConf file on the master + authentication. Then, edit the $apiserverconf file on the master node and remove the \"--basic-auth-file=\" argument from the KUBE_API_ARGS parameter." scored: true - id: 1.1.4 text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--insecure-allow-any-token" set: false - remediation: "Edit the $apiserverConf file on the master node and remove + remediation: "Edit the $apiserverconf file on the master node and remove the --insecure-allow-any-token argument from the KUBE_API_ARGS parameter." scored: true - id: 1.1.5 text: "Ensure that the --kubelet-https argument is set to true (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: or test_items: @@ -72,24 +72,24 @@ groups: set: true - flag: "--kubelet-https" set: false - remediation: "Edit the $apiserverConf file on the master node and remove + remediation: "Edit the $apiserverconf file on the master node and remove the --kubelet-https argument from the KUBE_API_ARGS parameter." scored: true - id: 1.1.6 text: "Ensure that the --insecure-bind-address argument is not set (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--insecure-bind-address" set: false - remediation: "Edit the $apiserverConf file on the master node and remove + remediation: "Edit the $apiserverconf file on the master node and remove the --insecure-bind-address argument from the KUBE_API_ADDRESS parameter." scored: true - id: 1.1.7 text: "Ensure that the --insecure-port argument is set to 0 (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--insecure-port" @@ -97,13 +97,13 @@ groups: op: eq value: 0 set: true - remediation: "Edit the $apiserverConf file on the master node and set + remediation: "Edit the $apiserverconf file on the master node and set --insecure-port=0 in the KUBE_API_PORT parameter." scored: true - id: 1.1.8 text: "Ensure that the --secure-port argument is not set to 0 (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: or test_items: @@ -114,14 +114,14 @@ groups: set: true - flag: "--secure-port" set: false - remediation: "Edit the $apiserverConf file on the master node and either + remediation: "Edit the $apiserverconf file on the master node and either remove the --secure-port argument from the KUBE_API_ARGS parameter or set it to a different desired port." scored: true - id: 1.1.9 text: "Ensure that the --profiling argument is set to false (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--profiling" @@ -129,13 +129,13 @@ groups: op: eq value: false set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to \"--profiling=false\"" scored: true - id: 1.1.10 text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--repair-malformed-updates" @@ -143,13 +143,13 @@ groups: op: eq value: false set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to \"--repair-malformed-updates=false\"" scored: true - id: 1.1.11 text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--admission-control" @@ -157,13 +157,13 @@ groups: op: nothave value: AlwaysAdmit set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL parameter to a value that does not include AlwaysAdmit" scored: true - id: 1.1.12 text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--admission-control" @@ -171,13 +171,13 @@ groups: op: has value: "AlwaysPullImages" set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,AlwaysPullImages,...\"" scored: true - id: 1.1.13 text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--admission-control" @@ -185,13 +185,13 @@ groups: op: has value: "DenyEscalatingExec" set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,DenyEscalatingExec,...\"" scored: true - id: 1.1.14 text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--admission-control" @@ -199,13 +199,13 @@ groups: op: has value: "SecurityContextDeny" set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,SecurityContextDeny,...\"" scored: true - id: 1.1.15 text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "admission-control" @@ -213,24 +213,24 @@ groups: op: has value: "NamespaceLifecycle" set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL parameter to \"--admission-control=NamespaceLifecycle,...\"" scored: true - id: 1.1.16 text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-path" set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to \"--audit-log-path=\"" scored: true - id: 1.1.17 text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-maxage" @@ -238,13 +238,13 @@ groups: op: gte value: 30 set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to \"--audit-log-maxage=30\"" scored: true - id: 1.1.18 text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-maxbackup" @@ -252,13 +252,13 @@ groups: op: gte value: 10 set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to \"--audit-log-maxbackup=10\"" scored: true - id: 1.1.19 text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--audit-log-maxsize" @@ -266,13 +266,13 @@ groups: op: gte value: 100 set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to \"--audit-log-maxsize=100\"" scored: true - id: 1.1.20 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--authorization-mode" @@ -280,38 +280,38 @@ groups: op: nothave value: "AlwaysAllow" set: true - remediation: "Edit the $apiserverConf file on the master node and set the + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to values other than \"--authorization-mode=AlwaysAllow\"" scored: true - id: 1.1.21 text: "Ensure that the --token-auth-file parameter is not set (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--token-auth-file" set: false remediation: "Follow the documentation and configure alternate mechanisms for authentication. - Then, edit the $apiserverConf file on the master node and remove the + Then, edit the $apiserverconf file on the master node and remove the \"--tokenauth-file=\" argument from the KUBE_API_ARGS parameter." scored: true - id: 1.1.22 text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--kubelet-certificate-authority" set: true remediation: "Follow the Kubernetes documentation and setup the TLS connection between - the apiserver and kubelets. Then, edit the $apiserverConf file on the + the apiserver and kubelets. Then, edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to \"--kubelet-certificate-authority=\"" scored: true - id: 1.1.23 text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: and test_items: @@ -320,14 +320,14 @@ groups: - flag: "--kubelet-client-key" set: true remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver - and kubelets. Then, edit the $apiserverConf file on the master node and set the + and kubelets. Then, edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to \"--kubelet-clientcertificate=\" and \"--kubelet-clientkey=\"" scored: true - id: 1.1.24 text: "Ensure that the --service-account-lookup argument is set to true (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--service-account-lookup" @@ -335,13 +335,13 @@ groups: op: eq value: true set: true - remediation: "Edit the $apiserverConf file on the master node and set the KUBE_API_ARGS parameter + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to \"--service-account-lookup=true\"" scored: true - id: 1.1.25 text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--admission-control" @@ -350,24 +350,24 @@ groups: value: "PodSecurityPolicy" set: true remediation: "Follow the documentation and create Pod Security Policy objects as per your environment. - Then, edit the $apiserverConf file on the master node and set the KUBE_ADMISSION_CONTROL + Then, edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,PodSecurityPolicy,...\"" scored: true - id: 1.1.26 text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--service-account-key-file" set: true - remediation: "Edit the $apiserverConf file on the master node and set the KUBE_API_ARGS + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to \"--service-account-key-file=\"" scored: true - id: 1.1.27 text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: and test_items: @@ -376,14 +376,14 @@ groups: - flag: "--etcd-keyfile" set: true remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver - and etcd. Then, edit the $apiserverConf file on the master node and set the + and etcd. Then, edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to include \"--etcd-certfile=\" and \"--etcd-keyfile=\"" scored: true - id: 1.1.28 text: "Ensure that the admission control policy is set to ServiceAccount (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--admission-control" @@ -392,13 +392,13 @@ groups: value: "ServiceAccount" set: true remediation: "Follow the documentation and create ServiceAccount objects as per your environment. - Then, edit the $apiserverConf file on the master node and set the + Then, edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL parameter to \"--admissioncontrol=...,ServiceAccount,...\"" scored: true - id: 1.1.29 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: and test_items: @@ -407,32 +407,32 @@ groups: - flag: "--tls-private-key-file" set: true remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver. - Then, edit the $apiserverConf file on the master node and set the KUBE_API_ARGS parameter to + Then, edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to include \"--tls-cert-file=\" and \"--tls-private-key-file=\"" scored: true - id: 1.1.30 text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--client-ca-file" set: true remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver. - Then, edit the $apiserverConf file on the master node and set the + Then, edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to include \"--client-ca-file=\"" scored: true - id: 1.1.31 text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" - audit: "ps -ef | grep $kubeApiserver | grep -v grep" + audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: test_items: - flag: "--etcd-cafile" set: true remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver - and etcd. Then, edit the $apiserverConf file on the master node and set the + and etcd. Then, edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to include \"--etcd-cafile=\"" scored: true @@ -441,7 +441,7 @@ groups: checks: - id: 1.2.1 text: "Ensure that the --profiling argument is set to false (Scored)" - audit: "ps -ef | grep $kubeScheduler | grep -v grep" + audit: "ps -ef | grep $schedulerbin | grep -v grep" tests: test_items: - flag: "--profiling" @@ -449,7 +449,7 @@ groups: op: eq value: false set: true - remediation: "Edit the $schedulerConf file on the master node and set the KUBE_SCHEDULER_ARGS + remediation: "Edit the $schedulerconf file on the master node and set the KUBE_SCHEDULER_ARGS parameter to \"--profiling=false\"" scored: true @@ -458,18 +458,18 @@ groups: checks: - id: 1.3.1 text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" - audit: "ps -ef | grep $kubeControllerManager | grep -v grep" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: - flag: "--terminated-pod-gc-threshold" set: true - remediation: "Edit the $controllerManagerConf file on the master node and set the + remediation: "Edit the $controllermanagerconf file on the master node and set the KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--terminated-pod-gcthreshold=\"" scored: true - id: 1.3.2 text: "Ensure that the --profiling argument is set to false (Scored)" - audit: "ps -ef | grep $kubeControllerManager | grep -v grep" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: - flag: "--profiling" @@ -477,25 +477,25 @@ groups: op: eq value: false set: true - remediation: "Edit the $controllerManagerConf file on the master node and set the + remediation: "Edit the $controllermanagerconf file on the master node and set the KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--profiling=false\"" scored: true - id: 1.3.3 text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)" - audit: "ps -ef | grep $kubeControllerManager | grep -v grep" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: - flag: "--insecure-experimental-approve-all-kubelet-csrs-for-group" set: false - remediation: "Edit the $controllerManagerConf file on the master node and remove + remediation: "Edit the $controllermanagerconf file on the master node and remove the -insecure-experimental-approve-all-kubelet-csrs-for-group argument from the KUBE_CONTROLLER_MANAGER_ARGS parameter" scored: true - id: 1.3.4 text: "Ensure that the --use-service-account-credentials argument is set" - audit: "ps -ef | grep $kubeControllerManager | grep -v grep" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: - flag: "--use-service-account-credentials" @@ -503,29 +503,29 @@ groups: op: eq value: true set: true - remediation: "Edit the $controllerManagerConf file on the master node and set the + remediation: "Edit the $controllermanagerconf file on the master node and set the KUBE_CONTROLLER_MANAGER_ARGS parameter to --use-service-account-credentials=true" scored: true - id: 1.3.5 text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" - audit: "ps -ef | grep $kubeControllerManager | grep -v grep" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: - flag: "--service-account-private-key-file" set: true - remediation: "Edit the $controllerManagerConf file on the master node and set the + remediation: "Edit the $controllermanagerconf file on the master node and set the KUBE_CONTROLLER_MANAGER_ARGS parameter to --service-account-private-keyfile=" scored: true - id: 1.3.6 text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" - audit: "ps -ef | grep $kubeControllerManager | grep -v grep" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" tests: test_items: - flag: "--root-ca-file" set: true - remediation: "Edit the $controllerManagerConf file on the master node and set the + remediation: "Edit the $controllermanagerconf file on the master node and set the KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=" scored: true @@ -534,124 +534,124 @@ groups: checks: - id: 1.4.1 text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $apiserverConf; then stat -c %a $apiserverConf; fi" + audit: "if test -e $apiserverconf; then stat -c %a $apiserverconf; fi" tests: test_items: - flag: "644" set: true remediation: "Run the below command (based on the file location on your system) on the master node. - \nFor example, chmod 644 $apiserverConf" + \nFor example, chmod 644 $apiserverconf" scored: true - id: 1.4.2 text: "Ensure that the apiserver file ownership is set to root:root (Scored)" - audit: "if test -e $apiserverConf; then stat -c %U:%G $apiserverConf; fi" + audit: "if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi" tests: test_items: - flag: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the master node. - \nFor example, chown root:root $apiserverConf" + \nFor example, chown root:root $apiserverconf" scored: true - id: 1.4.3 text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $kubeConfig; then stat -c %a $kubeConfig; fi" + audit: "if test -e $config; then stat -c %a $config; fi" tests: test_items: - flag: "644" set: true remediation: "Run the below command (based on the file location on your system) on the master node. - \nFor example, chmod 644 $kubeConfig" + \nFor example, chmod 644 $config" scored: true - id: 1.4.4 text: "Ensure that the config file ownership is set to root:root (Scored)" - audit: "if test -e $kubeConfig; then stat -c %U:%G $kubeConfig; fi" + audit: "if test -e $config; then stat -c %U:%G $config; fi" tests: test_items: - flag: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the master node. - \nFor example, chown root:root $kubeConfig" + \nFor example, chown root:root $config" scored: true - id: 1.4.5 text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $schedulerConf; then stat -c %a $schedulerConf; fi" + audit: "if test -e $schedulerconf; then stat -c %a $schedulerconf; fi" tests: test_items: - flag: "644" set: true remediation: "Run the below command (based on the file location on your system) on the master node. - \nFor example, chmod 644 $schedulerConf" + \nFor example, chmod 644 $schedulerconf" scored: true - id: 1.4.6 text: "Ensure that the scheduler file ownership is set to root:root (Scored)" - audit: "if test -e $schedulerConf; then stat -c %U:%G $schedulerConf; fi" + audit: "if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi" tests: test_items: - flag: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the master node. - \nFor example, chown root:root $schedulerConf" + \nFor example, chown root:root $schedulerconf" scored: true - id: 1.4.7 text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $$etcdConf; then stat -c %a $$etcdConf; fi" + audit: "if test -e $etcdconf; then stat -c %a $etcdconf; fi" tests: test_items: - flag: "644" set: true remediation: "Run the below command (based on the file location on your system) on the master node. - \nFor example, chmod 644 $$etcdConf" + \nFor example, chmod 644 $etcdconf" scored: true - id: 1.4.8 text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)" - audit: "if test -e $$etcdConf; then stat -c %U:%G $$etcdConf; fi" + audit: "if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi" tests: test_items: - flag: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the master node. - \nFor example, chown root:root $$etcdConf" + \nFor example, chown root:root $etcdconf" scored: true - id: 1.4.9 text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $$flanneldConf; then stat -c %a $$flanneldConf; fi" + audit: "if test -e $flanneldconf; then stat -c %a $flanneldconf; fi" tests: test_items: - flag: "644" set: true remediation: "Run the below command (based on the file location on your system) on the master node. - \nFor example, chmod 644 $$flanneldConf" + \nFor example, chmod 644 $flanneldconf" scored: true - id: 1.4.10 text: "Ensure that the flanneld file ownership is set to root:root (Scored)" - audit: "if test -e $$flanneldConf; then stat -c %U:%G $$flanneldConf; fi" + audit: "if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi" tests: test_items: - flag: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the master node. - \nFor example, chown root:root $$flanneldConf" + \nFor example, chown root:root $flanneldconf" scored: true - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: "ps -ef | grep $etcd | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" + audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" tests: test_items: - flag: "700" set: true remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir , from the below command:\n - ps -ef | grep $etcd\n + ps -ef | grep $etcdbin\n Run the below command (based on the etcd data directory found above). For example,\n chmod 700 /var/lib/etcd/default.etcd" scored: true @@ -661,7 +661,7 @@ groups: checks: - id: 1.5.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" - audit: "ps -ef | grep $etcd | grep -v grep" + audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: - flag: "--cert-file" @@ -673,7 +673,7 @@ groups: - id: 1.5.2 text: "Ensure that the --client-cert-auth argument is set to true (Scored)" - audit: "ps -ef | grep $etcd | grep -v grep" + audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: - flag: "--client-cert-auth" @@ -681,7 +681,7 @@ groups: op: eq value: true set: true - remediation: "Edit the etcd envrironment file (for example, $$etcdConf) on the + remediation: "Edit the etcd envrironment file (for example, $etcdconf) on the etcd server node and set the ETCD_CLIENT_CERT_AUTH parameter to \"true\". Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for --clientcert-auth and set it to \"${ETCD_CLIENT_CERT_AUTH}\"" @@ -689,7 +689,7 @@ groups: - id: 1.5.3 text: "Ensure that the --auto-tls argument is not set to true (Scored)" - audit: "ps -ef | grep $etcd | grep -v grep" + audit: "ps -ef | grep $etcdbin | grep -v grep" tests: bin_op: or test_items: @@ -699,7 +699,7 @@ groups: compare: op: neq value: true - remediation: "Edit the etcd environment file (for example, $$etcdConf) on the etcd server + remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node and comment out the ETCD_AUTO_TLS parameter. Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and remove the startup parameter for --auto-tls." @@ -707,7 +707,7 @@ groups: - id: 1.5.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" - audit: "ps -ef | grep $etcd | grep -v grep" + audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: - flag: "--peer-cert-file" @@ -722,7 +722,7 @@ groups: - id: 1.5.5 text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" - audit: "ps -ef | grep $etcd | grep -v grep" + audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: - flag: "--peer-client-cert-auth" @@ -732,7 +732,7 @@ groups: set: true remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. - Edit the etcd environment file (for example, $$etcdConf) on the etcd server node + Edit the etcd environment file (for example, $etcdconf) on the etcd server node and set the ETCD_PEER_CLIENT_CERT_AUTH parameter to \"true\". Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for --peer-client-cert-auth and set it to \"${ETCD_PEER_CLIENT_CERT_AUTH}\"" @@ -740,7 +740,7 @@ groups: - id: 1.5.6 text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" - audit: "ps -ef | grep $etcd | grep -v grep" + audit: "ps -ef | grep $etcdbin | grep -v grep" tests: bin_op: or test_items: @@ -753,7 +753,7 @@ groups: set: true remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is - not applicable. Edit the etcd environment file (for example, $$etcdConf) + not applicable. Edit the etcd environment file (for example, $etcdconf) on the etcd server node and comment out the ETCD_PEER_AUTO_TLS parameter. Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and remove the startup parameter for --peer-auto-tls." @@ -761,12 +761,12 @@ groups: - id: 1.5.7 text: "Ensure that the --wal-dir argument is set as appropriate (Scored)" - audit: "ps -ef | grep $etcd | grep -v grep" + audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: - flag: "--wal-dir" set: true - remediation: "Edit the etcd environment file (for example, $$etcdConf) on the etcd server node + remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node and set the ETCD_WAL_DIR parameter as appropriate. Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for --wal-dir and set it to \"${ETCD_WAL_DIR}\"" @@ -774,7 +774,7 @@ groups: - id: 1.5.8 text: "Ensure that the --max-wals argument is set to 0 (Scored)" - audit: "ps -ef | grep $etcd | grep -v grep" + audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: - flag: "--max-wals" @@ -782,7 +782,7 @@ groups: op: eq value: 0 set: true - remediation: "Edit the etcd environment file (for example, $$etcdConf) on the etcd server node + remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node and set the ETCD_MAX_WALS parameter to 0. Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for --max-wals and set it to \"${ETCD_MAX_WALS}\"." @@ -790,7 +790,7 @@ groups: - id: 1.5.9 text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" - audit: "ps -ef | grep $etcd | grep -v grep" + audit: "ps -ef | grep $etcdbin | grep -v grep" tests: test_items: - flag: "--trusted-ca-file" diff --git a/cfg/node.yaml b/cfg/node.yaml index 8a87fde..9ecb15b 100644 --- a/cfg/node.yaml +++ b/cfg/node.yaml @@ -9,7 +9,7 @@ groups: checks: - id: 2.1.1 text: "Ensure that the --allow-privileged argument is set to false (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--allow-privileged" @@ -17,13 +17,13 @@ groups: op: eq value: false set: true - remediation: "Edit the $kubeConfig file on each node and set the KUBE_ALLOW_PRIV + remediation: "Edit the $config file on each node and set the KUBE_ALLOW_PRIV parameter to \"--allow-privileged=false\"" scored: true - id: 2.1.2 text: "Ensure that the --anonymous-auth argument is set to false (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--anonymous-auth" @@ -31,13 +31,13 @@ groups: op: eq value: false set: true - remediation: "Edit the $kubeletConf file on the master node and set the + remediation: "Edit the $kubeletconf file on the master node and set the KUBELET_ARGS parameter to \"--anonymous-auth=false\"" scored: true - id: 2.1.3 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--authorization-mode" @@ -45,25 +45,25 @@ groups: op: nothave value: "AlwaysAllow" set: true - remediation: "Edit the $kubeletConf file on each node and set the + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter to \"--authorization-mode=Webhook\"" scored: true - id: 2.1.4 text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--client-ca-file" set: true remediation: "Follow the Kubernetes documentation and setup the TLS connection between - the apiserver and kubelets. Then, edit the $kubeletConf file on each node + the apiserver and kubelets. Then, edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter to \"--client-ca-file=\"" scored: true - id: 2.1.5 text: "Ensure that the --read-only-port argument is set to 0 (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--read-only-port" @@ -71,13 +71,13 @@ groups: op: eq value: 0 set: true - remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter to \"--read-only-port=0\"" scored: true - id: 2.1.6 text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--streaming-connection-idle-timeout" @@ -85,13 +85,13 @@ groups: op: gt value: 0 set: true - remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter to \"--streaming-connection-idle-timeout=\"" scored: true - id: 2.1.7 text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--protect-kernel-defaults" @@ -99,13 +99,13 @@ groups: op: eq value: true set: true - remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter to \"--protect-kernel-defaults=true\"" scored: true - id: 2.1.8 text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: bin_op: or test_items: @@ -116,13 +116,13 @@ groups: set: true - flag: "--make-iptables-util-chains" set: false - remediation: "Edit the $kubeletConf file on each node and remove the + remediation: "Edit the $kubeletconf file on each node and remove the --make-iptables-util-chains argument from the KUBELET_ARGS parameter." scored: true - id: 2.1.9 text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--keep-terminated-pod-volumes" @@ -130,24 +130,24 @@ groups: op: eq value: false set: true - remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter to \"--keep-terminated-pod-volumes=false\"" scored: true - id: 2.1.10 text: "Ensure that the --hostname-override argument is not set (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--hostname-override" set: false - remediation: "Edit the $kubeletConf file on each node and set the KUBELET_HOSTNAME + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_HOSTNAME parameter to \"\"" scored: true - id: 2.1.11 text: "Ensure that the --event-qps argument is set to 0 (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--event-qps" @@ -155,13 +155,13 @@ groups: op: eq value: 0 set: true - remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter to \"--event-qps=0\"" scored: true - id: 2.1.12 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--tls-cert-file" @@ -169,14 +169,14 @@ groups: - flag: "--tls-private-key-file" set: true remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet. - Then, edit the $kubeletConf file on the master node and set the KUBELET_ARGS + Then, edit the $kubeletconf file on the master node and set the KUBELET_ARGS parameter to include \"--tls-cert-file=\" and \"--tls-private-key-file=\"" scored: true - id: 2.1.13 text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" - audit: "ps -ef | grep $kubeletBin | grep -v grep" + audit: "ps -ef | grep $kubeletbin | grep -v grep" tests: test_items: - flag: "--cadvisor-port" @@ -184,7 +184,7 @@ groups: op: eq value: 0 set: true - remediation: "Edit the $kubeletConf file on each node and set the KUBELET_ARGS parameter + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter to \"--cadvisor-port=0\"" scored: true @@ -193,66 +193,66 @@ groups: checks: - id: 2.2.1 text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $kubeConfig; then stat -c %a $kubeConfig; fi" + audit: "if test -e $config; then stat -c %a $config; fi" tests: test_items: - flag: "644" set: true remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chmod 644 $kubeConfig" + \nFor example, chmod 644 $config" scored: true - id: 2.2.2 text: "Ensure that the config file ownership is set to root:root (Scored)" - audit: "if test -e $kubeConfig; then stat -c %U:%G $kubeConfig; fi" + audit: "if test -e $config; then stat -c %U:%G $config; fi" tests: test_items: - flag: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chown root:root $kubeConfig" + \nFor example, chown root:root $config" scored: true - id: 2.2.3 text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $kubeletConf; then stat -c %a $kubeletConf; fi" + audit: "if test -e $kubeletconf; then stat -c %a $kubeletconf; fi" tests: test_items: - flag: "644" set: true remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chmod 644 $kubeletConf" + \nFor example, chmod 644 $kubeletconf" scored: true - id: 2.2.4 text: "Ensure that the kubelet file ownership is set to root:root (Scored)" - audit: "if test -e $kubeletConf; then stat -c %U:%G $kubeletConf; fi" + audit: "if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi" tests: test_items: - flag: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chown root:root $kubeletConf" + \nFor example, chown root:root $kubeletconf" scored: true - id: 2.2.5 text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" - audit: "if test -e $kubeProxyConf; then stat -c %a $kubeProxyConf; fi" + audit: "if test -e $proxyconf; then stat -c %a $proxyconf; fi" tests: test_items: - flag: "644" set: true remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chmod 644 $kubeProxyConf" + \nFor example, chmod 644 $proxyconf" scored: true - id: 2.2.6 text: "Ensure that the proxy file ownership is set to root:root (Scored)" - audit: "if test -e $kubeProxyConf; then stat -c %U:%G $kubeProxyConf; fi" + audit: "if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi" tests: test_items: - flag: "root:root" set: true remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chown root:root $kubeProxyConf" + \nFor example, chown root:root $proxyconf" scored: true diff --git a/cmd/common.go b/cmd/common.go index 4fc9fc7..c002945 100644 --- a/cmd/common.go +++ b/cmd/common.go @@ -18,162 +18,64 @@ import ( "fmt" "io/ioutil" "os" - "os/exec" "strings" "github.com/aquasecurity/kube-bench/check" - "github.com/fatih/color" "github.com/spf13/viper" ) var ( - errmsgs string - kubeMasterBin map[string]string - kubeMasterConf map[string]string - - kubeNodeBin map[string]string - kubeNodeConf map[string]string - kubeFederatedBin map[string]string + apiserverBin string + apiserverConf string + schedulerBin string + schedulerConf string + controllerManagerBin string + controllerManagerConf string + config string + etcdBin string + etcdConf string + flanneldBin string + flanneldConf string + kubeletBin string + kubeletConf string + proxyBin string + proxyConf string + fedApiserverBin string + fedControllerManagerBin string + + errmsgs string // TODO: Consider specifying this in config file. kubeVersion = "1.6" - - // Used for variable substitution - symbols = map[string]string{} - - // Print colors - colors = map[check.State]*color.Color{ - check.PASS: color.New(color.FgGreen), - check.FAIL: color.New(color.FgRed), - check.WARN: color.New(color.FgYellow), - check.INFO: color.New(color.FgBlue), - } ) -func handleError(err error, context string) (errmsg string) { - if err != nil { - errmsg = fmt.Sprintf("%s, error: %s\n", context, err) - } - return -} - func runChecks(t check.NodeType) { var summary check.Summary var file string - // Set up binary and configuration. - switch installation { - default: - fallthrough - case "kops": - // Master - kubeMasterBin = map[string]string{ - "apiserver": "apiserver", - "scheduler": "scheduler", - "controller-manager": "controller-manager", - "etcd": "etcd", - "flanneld": "flanneld", - } - - kubeMasterConf = map[string]string{ - "apiserver": "/etc/kubernetes/apiserver", - "scheduler": "/etc/kubernetes/scheduler", - "controller-manager": "/etc/kubernetes/controller-manager", - "config": "/etc/kubernetes/config", - "etcd": "/etc/etcd/etcd.conf", - "flanneld": "/etc/sysconfig/flanneld", - } - - // Node - kubeNodeBin = map[string]string{ - "kubelet": "kubelet", - "proxy": "proxy", - } - - kubeNodeConf = map[string]string{ - "kubelet": "/etc/kubernetes/kubelet", - "proxy": "/etc/kubernetes/proxy", - } + // Master variables + apiserverBin = viper.GetString("installation." + installation + ".master.bin.apiserver") + apiserverConf = viper.GetString("installation." + installation + ".master.conf.apiserver") + schedulerBin = viper.GetString("installation." + installation + ".master.bin.scheduler") + schedulerConf = viper.GetString("installation." + installation + ".master.conf.scheduler") + controllerManagerBin = viper.GetString("installation." + installation + ".master.bin.controller-manager") + controllerManagerConf = viper.GetString("installation." + installation + ".master.conf.controler-manager") + config = viper.GetString("installation." + installation + ".config") + + etcdBin = viper.GetString("etcd.bin") + etcdConf = viper.GetString("etcd.conf") + flanneldBin = viper.GetString("flanneld.bin") + flanneldConf = viper.GetString("flanneld.conf") + + // Node variables + kubeletBin = viper.GetString("installation." + installation + ".node.bin.kubelet") + kubeletConf = viper.GetString("installation." + installation + ".node.conf.kubelet") + proxyBin = viper.GetString("installation." + installation + ".node.bin.proxy") + proxyConf = viper.GetString("installation." + installation + ".node.conf.proxy") - // Federated - kubeFederatedBin = map[string]string{ - "apiserver": "federation-apiserver", - "controller-manager": "federation-controller-manager", - } - - case "hyperkube": - // Master - kubeMasterBin = map[string]string{ - "apiserver": "hyperkube apiserver", - "scheduler": "hyperkube scheduler", - "controller-manager": "hyperkube controller-manager", - "etcd": "etcd", - "flanneld": "flanneld", - } - - kubeMasterConf = map[string]string{ - "apiserver": "/etc/kubernetes/apiserver", - "scheduler": "/etc/kubernetes/scheduler", - "controller-manager": "/etc/kubernetes/controller-manager", - "config": "/etc/kubernetes/config", - "etcd": "/etc/etcd/etcd.conf", - "flanneld": "/etc/sysconfig/flanneld", - } - - // Node - kubeNodeBin = map[string]string{ - "kubelet": "hyperkube kubelet", - "proxy": "hyperkube kube-proxy", - } - - kubeNodeConf = map[string]string{ - "kubelet": "/etc/kubernetes/kubelet", - "proxy": "/etc/kubernetes/proxy", - } - - // Federated - kubeFederatedBin = map[string]string{ - "apiserver": "federation-apiserver", - "controller-manager": "federation-controller-manager", - } - case "kubeadm": - // TODO: Complete config and binary file list for kubeadm. - - // Master - kubeMasterBin = map[string]string{ - "apiserver": "hyperkube", - "scheduler": "hyperkube", - "controller-manager": "hyperkube", - "etcd": "etcd", - "flanneld": "flanneld", - } - - kubeMasterConf = map[string]string{ - "apiserver": "/etc/kubernetes/admin.conf", - "scheduler": "/etc/kubernetes/scheduler.conf", - "controller-manager": "/etc/kubernetes/controller-manager.conf", - "config": "/etc/kubernetes/config", - "etcd": "/etc/etcd/etcd.conf", - "flanneld": "/etc/sysconfig/flanneld", - } - - // Node - kubeNodeBin = map[string]string{ - "kubelet": "hyperkube", - "proxy": "hyperkube", - } - - kubeNodeConf = map[string]string{ - "kubelet": "/etc/kubernetes/kubelet.conf", - "proxy": "/etc/kubernetes/proxy.conf", - } - - // Federated - kubeFederatedBin = map[string]string{ - "apiserver": "federation-apiserver", - "controller-manager": "federation-controller-manager", - } - } + // Federated + fedApiserverBin = viper.GetString("installation." + installation + ".federated.bin.apiserver") + fedControllerManagerBin = viper.GetString("installation." + installation + ".federated.bin.controller-manager") // Run kubernetes installation validation checks. warns := verifyNodeType(t) @@ -193,32 +95,28 @@ func runChecks(t check.NodeType) { os.Exit(1) } - // Variable substitutions. Replace all occurrences of variables in controls file. - // Master - s := strings.Replace(string(in), "$kubeApiserver", kubeMasterBin["apiserver"], -1) - s = strings.Replace(s, "$apiserverConf", kubeMasterConf["apiserver"], -1) - - s = strings.Replace(s, "$kubeScheduler", kubeMasterBin["scheduler"], -1) - s = strings.Replace(s, "$schedulerConf", kubeMasterConf["scheduler"], -1) - - s = strings.Replace(s, "$kubeControllerManager", kubeMasterBin["controller-manager"], -1) - s = strings.Replace(s, "$controllerManagerConf", kubeMasterConf["controller-manager"], -1) + // Variable substitutions. Replace all occurrences of variables in controls files. + s := strings.Replace(string(in), "$apiserverbin", apiserverBin, -1) + s = strings.Replace(s, "$apiserverconf", apiserverConf, -1) + s = strings.Replace(s, "$schedulerbin", schedulerBin, -1) + s = strings.Replace(s, "$schedulerconf", schedulerConf, -1) + s = strings.Replace(s, "$controllermanagerbin", controllerManagerBin, -1) + s = strings.Replace(s, "$controllermanagerconf", controllerManagerConf, -1) + s = strings.Replace(s, "$controllermanagerconf", controllerManagerConf, -1) + s = strings.Replace(s, "$config", config, -1) - s = strings.Replace(s, "$etcd", kubeMasterBin["etcd"], -1) - s = strings.Replace(s, "$flanneld", kubeMasterBin["flanneld"], -1) + s = strings.Replace(s, "$etcdbin", etcdBin, -1) + s = strings.Replace(s, "$etcdconf", etcdConf, -1) + s = strings.Replace(s, "$flanneldbin", flanneldBin, -1) + s = strings.Replace(s, "$flanneldconf", flanneldConf, -1) - s = strings.Replace(s, "$kubeConfig", kubeMasterConf["config"], -1) - s = strings.Replace(s, "$etcdConf", kubeMasterConf["etcd"], -1) - s = strings.Replace(s, "$flanneldConf", kubeMasterConf["flanneld"], -1) + s = strings.Replace(s, "$kubeletbin", kubeletBin, -1) + s = strings.Replace(s, "$kubeletconf", kubeletConf, -1) + s = strings.Replace(s, "$proxybin", proxyBin, -1) + s = strings.Replace(s, "$proxyconf", proxyConf, -1) - // Node - s = strings.Replace(s, "$kubeletBin", kubeNodeBin["kubelet"], -1) - s = strings.Replace(s, "$kubeletConf", kubeNodeConf["kubelet"], -1) - s = strings.Replace(s, "$kubeProxyConf", kubeNodeConf["proxy"], -1) - - // Federated - s = strings.Replace(s, "$federationApiserver", kubeFederatedBin["apiserver"], -1) - s = strings.Replace(s, "$federationControllerManager", kubeFederatedBin["controller-manager"], -1) + s = strings.Replace(s, "$fedapiserverbin", fedApiserverBin, -1) + s = strings.Replace(s, "$fedcontrollermanagerbin", fedControllerManagerBin, -1) controls, err := check.NewControls(t, []byte(s)) if err != nil { @@ -253,20 +151,8 @@ func runChecks(t check.NodeType) { } } -func cleanIDs(list string) []string { - list = strings.Trim(list, ",") - ids := strings.Split(list, ",") - - for _, id := range ids { - id = strings.Trim(id, " ") - } - - return ids -} - // verifyNodeType checks the executables and config files are as expected // for the specified tests (master, node or federated). -// Any check failing here is a show stopper. func verifyNodeType(t check.NodeType) []string { var w []string // Always clear out error messages. @@ -274,18 +160,16 @@ func verifyNodeType(t check.NodeType) []string { switch t { case check.MASTER: - w = append(w, verifyBin(values(kubeMasterBin))...) - w = append(w, verifyConf(values(kubeMasterConf))...) - w = append(w, verifyKubeVersion(kubeMasterBin["apiserver"])...) + w = append(w, verifyBin(apiserverBin, schedulerBin, controllerManagerBin)...) + w = append(w, verifyConf(apiserverConf, schedulerConf, controllerManagerConf)...) + w = append(w, verifyKubeVersion(apiserverBin)...) case check.NODE: - w = append(w, verifyBin(values(kubeNodeBin))...) - w = append(w, verifyConf(values(kubeNodeConf))...) - w = append(w, verifyKubeVersion(kubeNodeBin["kubelet"])...) - /* - case check.FEDERATED: - w = append(w, verifyBin(kubeFederatedBin)...) - w = append(w, verifyKubeVersion(kubeFederatedBin[0])...) - */ + w = append(w, verifyBin(kubeletBin, proxyBin)...) + w = append(w, verifyConf(kubeletConf, proxyConf)...) + w = append(w, verifyKubeVersion(kubeletBin)...) + case check.FEDERATED: + w = append(w, verifyBin(fedApiserverBin, fedControllerManagerBin)...) + w = append(w, verifyKubeVersion(fedApiserverBin)...) } if verbose { @@ -347,73 +231,3 @@ func prettyPrint(warnings []string, r *check.Controls, summary check.Summary) { summary.Pass, summary.Fail, summary.Warn, ) } - -func verifyConf(confPath []string) []string { - var w []string - for _, c := range confPath { - if _, err := os.Stat(c); err != nil && os.IsNotExist(err) { - w = append(w, fmt.Sprintf("config file %s does not exist\n", c)) - } - } - - return w -} - -func verifyBin(binPath []string) []string { - var w []string - var binList string - - // Construct proc name for ps(1) - for _, b := range binPath { - binList += b + "," - } - binList = strings.Trim(binList, ",") - - // Run ps command - cmd := exec.Command("ps", "-C", binList, "-o", "cmd", "--no-headers") - out, err := cmd.Output() - errmsgs += handleError( - err, - fmt.Sprintf("verifyBin: %s failed", binList), - ) - - // Actual verification - for _, b := range binPath { - matched := strings.Contains(string(out), b) - - if !matched { - w = append(w, fmt.Sprintf("%s is not running\n", b)) - } - } - - return w -} - -func verifyKubeVersion(b string) []string { - // These executables might not be on the user's path. - // TODO! Check the version number using kubectl, which is more likely to be on the path. - var w []string - - // Check version - cmd := exec.Command(b, "--version") - out, err := cmd.Output() - errmsgs += handleError( - err, - fmt.Sprintf("verifyKubeVersion: failed\nCommand:%s", cmd.Args), - ) - - matched := strings.Contains(string(out), kubeVersion) - if !matched { - w = append(w, fmt.Sprintf("%s unsupported version\n", b)) - } - - return w -} - -// values returns the values in a string map. -func values(m map[string]string) (vals []string) { - for _, v := range m { - vals = append(vals, v) - } - return -} diff --git a/cmd/root.go b/cmd/root.go index dd42700..055e0c7 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -99,17 +99,11 @@ func initConfig() { viper.AutomaticEnv() // read in environment variables that match // Set defaults - viper.SetDefault("kubeConfDir", "/etc/kubernetes") - viper.SetDefault("etcdConfDir", "/etc/etcd") - viper.SetDefault("flanneldConfDir", "/etc/sysconfig") - - viper.SetDefault("masterFile", cfgDir+"/master.yaml") - viper.SetDefault("nodeFile", cfgDir+"/node.yaml") - viper.SetDefault("federatedFile", cfgDir+"/federated.yaml") // If a config file is found, read it in. if err := viper.ReadInConfig(); err != nil { colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", err)) os.Exit(1) } + } diff --git a/cmd/util.go b/cmd/util.go new file mode 100644 index 0000000..5a01e0d --- /dev/null +++ b/cmd/util.go @@ -0,0 +1,101 @@ +package cmd + +import ( + "fmt" + "os" + "os/exec" + "strings" + + "github.com/aquasecurity/kube-bench/check" + "github.com/fatih/color" +) + +var ( + // Print colors + colors = map[check.State]*color.Color{ + check.PASS: color.New(color.FgGreen), + check.FAIL: color.New(color.FgRed), + check.WARN: color.New(color.FgYellow), + check.INFO: color.New(color.FgBlue), + } +) + +func handleError(err error, context string) (errmsg string) { + if err != nil { + errmsg = fmt.Sprintf("%s, error: %s\n", context, err) + } + return +} + +func cleanIDs(list string) []string { + list = strings.Trim(list, ",") + ids := strings.Split(list, ",") + + for _, id := range ids { + id = strings.Trim(id, " ") + } + + return ids +} + +func verifyConf(confPath ...string) []string { + var w []string + for _, c := range confPath { + if _, err := os.Stat(c); err != nil && os.IsNotExist(err) { + w = append(w, fmt.Sprintf("config file %s does not exist\n", c)) + } + } + + return w +} + +func verifyBin(binPath ...string) []string { + var w []string + var binList string + + // Construct proc name for ps(1) + for _, b := range binPath { + binList += b + "," + } + binList = strings.Trim(binList, ",") + + // Run ps command + cmd := exec.Command("ps", "-C", binList, "-o", "cmd", "--no-headers") + out, err := cmd.Output() + errmsgs += handleError( + err, + fmt.Sprintf("verifyBin: %s failed", binList), + ) + + // Actual verification + for _, b := range binPath { + matched := strings.Contains(string(out), b) + + if !matched { + w = append(w, fmt.Sprintf("%s is not running\n", b)) + } + } + + return w +} + +func verifyKubeVersion(b string) []string { + // These executables might not be on the user's path. + // TODO! Check the version number using kubectl, which is more likely to be on the path. + var w []string + + // Check version + cmd := exec.Command(b, "--version") + out, err := cmd.Output() + errmsgs += handleError( + err, + fmt.Sprintf("verifyKubeVersion: failed\nCommand:%s", cmd.Args), + ) + + matched := strings.Contains(string(out), kubeVersion) + if !matched { + w = append(w, fmt.Sprintf("%s unsupported version\n", b)) + } + + return w +}