From 64c6fa997e9a5fa5e8df6e3448f514a2fb854a28 Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Tue, 29 Aug 2017 15:50:09 +0000 Subject: [PATCH] Add initial support for multiple versions of kubernetes. --- .gitignore | 1 + cfg/{ => 1.6}/federated.yaml | 1 + cfg/1.6/master.yaml | 966 +++++++++++++++++++++++++++++++++++ cfg/1.6/node.yaml | 304 +++++++++++ cfg/1.7/federated.yaml | 285 +++++++++++ cfg/{ => 1.7}/master.yaml | 3 +- cfg/{ => 1.7}/node.yaml | 1 + check/controls.go | 9 +- check/controls_test.go | 32 +- cmd/common.go | 6 +- cmd/master.go | 2 +- cmd/util.go | 102 ++-- cmd/util_test.go | 58 +-- 13 files changed, 1652 insertions(+), 118 deletions(-) rename cfg/{ => 1.6}/federated.yaml (99%) create mode 100644 cfg/1.6/master.yaml create mode 100644 cfg/1.6/node.yaml create mode 100644 cfg/1.7/federated.yaml rename cfg/{ => 1.7}/master.yaml (99%) rename cfg/{ => 1.7}/node.yaml (99%) diff --git a/.gitignore b/.gitignore index d73d4b7..f9ded5e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ kube-bench *.swp +Dockerfile.dev diff --git a/cfg/federated.yaml b/cfg/1.6/federated.yaml similarity index 99% rename from cfg/federated.yaml rename to cfg/1.6/federated.yaml index fbff661..c0e1021 100644 --- a/cfg/federated.yaml +++ b/cfg/1.6/federated.yaml @@ -1,5 +1,6 @@ --- controls: +version: 1.6 id: 3 text: "Federated Deployments" type: "federated" diff --git a/cfg/1.6/master.yaml b/cfg/1.6/master.yaml new file mode 100644 index 0000000..209f31d --- /dev/null +++ b/cfg/1.6/master.yaml @@ -0,0 +1,966 @@ +--- +controls: +version: 1.6 +id: 1 +text: "Master Node Security Configuration" +type: "master" +groups: +- id: 1.1 + text: "API Server" + checks: + - id: 1.1.1 + text: "Ensure that the --allow-privileged argument is set to false (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "allow-privileged" + compare: + op: eq + value: false + set: true + remediation: "Edit the $apiserverconf file on the master node and set + the KUBE_ALLOW_PRIV parameter to \"--allow-privileged=false\"" + scored: true + + - id: 1.1.2 + text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--anonymous-auth" + compare: + op: eq + value: false + set: true + remediation: "Edit the $apiserverconf file on the master node and set + the KUBE_API_ARGS parameter to \"--anonymous-auth=false\"" + scored: true + + - id: 1.1.3 + text: "Ensure that the --basic-auth-file argument is not set (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--basic-auth-file" + set: false + remediation: "Follow the documentation and configure alternate mechanisms for + authentication. Then, edit the $apiserverconf file on the master + node and remove the \"--basic-auth-file=\" argument from the + KUBE_API_ARGS parameter." + scored: true + + - id: 1.1.4 + text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-allow-any-token" + set: false + remediation: "Edit the $apiserverconf file on the master node and remove + the --insecure-allow-any-token argument from the KUBE_API_ARGS parameter." + scored: true + + - id: 1.1.5 + text: "Ensure that the --kubelet-https argument is set to true (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--kubelet-https" + compare: + op: eq + value: true + set: true + - flag: "--kubelet-https" + set: false + remediation: "Edit the $apiserverconf file on the master node and remove + the --kubelet-https argument from the KUBE_API_ARGS parameter." + scored: true + + - id: 1.1.6 + text: "Ensure that the --insecure-bind-address argument is not set (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-bind-address" + set: false + remediation: "Edit the $apiserverconf file on the master node and remove + the --insecure-bind-address argument from the KUBE_API_ADDRESS parameter." + scored: true + + - id: 1.1.7 + text: "Ensure that the --insecure-port argument is set to 0 (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-port" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the $apiserverconf file on the master node and set + --insecure-port=0 in the KUBE_API_PORT parameter." + scored: true + + - id: 1.1.8 + text: "Ensure that the --secure-port argument is not set to 0 (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--secure-port" + compare: + op: gt + value: 0 + set: true + - flag: "--secure-port" + set: false + remediation: "Edit the $apiserverconf file on the master node and either + remove the --secure-port argument from the KUBE_API_ARGS parameter or set + it to a different desired port." + scored: true + + - id: 1.1.9 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--profiling=false\"" + scored: true + + - id: 1.1.10 + text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--repair-malformed-updates" + compare: + op: eq + value: false + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--repair-malformed-updates=false\"" + scored: true + + - id: 1.1.11 + text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: nothave + value: AlwaysAdmit + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to a value that does not include AlwaysAdmit" + scored: true + + - id: 1.1.12 + text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: has + value: "AlwaysPullImages" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,AlwaysPullImages,...\"" + scored: true + + - id: 1.1.13 + text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: has + value: "DenyEscalatingExec" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,DenyEscalatingExec,...\"" + scored: true + + - id: 1.1.14 + text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: has + value: "SecurityContextDeny" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,SecurityContextDeny,...\"" + scored: true + + - id: 1.1.15 + text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "admission-control" + compare: + op: has + value: "NamespaceLifecycle" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to \"--admission-control=NamespaceLifecycle,...\"" + scored: true + + - id: 1.1.16 + text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-path" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--audit-log-path=\"" + scored: true + + - id: 1.1.17 + text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxage" + compare: + op: gte + value: 30 + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--audit-log-maxage=30\"" + scored: true + + - id: 1.1.18 + text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxbackup" + compare: + op: gte + value: 10 + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--audit-log-maxbackup=10\"" + scored: true + + - id: 1.1.19 + text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxsize" + compare: + op: gte + value: 100 + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--audit-log-maxsize=100\"" + scored: true + + - id: 1.1.20 + text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--authorization-mode" + compare: + op: nothave + value: "AlwaysAllow" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to values other than \"--authorization-mode=AlwaysAllow\"" + scored: true + + - id: 1.1.21 + text: "Ensure that the --token-auth-file parameter is not set (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--token-auth-file" + set: false + remediation: "Follow the documentation and configure alternate mechanisms for authentication. + Then, edit the $apiserverconf file on the master node and remove the + \"--tokenauth-file=\" argument from the KUBE_API_ARGS parameter." + scored: true + + - id: 1.1.22 + text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--kubelet-certificate-authority" + set: true + remediation: "Follow the Kubernetes documentation and setup the TLS connection between + the apiserver and kubelets. Then, edit the $apiserverconf file on the + master node and set the KUBE_API_ARGS parameter to + \"--kubelet-certificate-authority=\"" + scored: true + + - id: 1.1.23 + text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--kubelet-client-certificate" + set: true + - flag: "--kubelet-client-key" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver + and kubelets. Then, edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--kubelet-clientcertificate=\" + and \"--kubelet-clientkey=\"" + scored: true + + - id: 1.1.24 + text: "Ensure that the --service-account-lookup argument is set to true (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-lookup" + compare: + op: eq + value: true + set: true + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter + to \"--service-account-lookup=true\"" + scored: true + + - id: 1.1.25 + text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: has + value: "PodSecurityPolicy" + set: true + remediation: "Follow the documentation and create Pod Security Policy objects as per your environment. + Then, edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL + parameter to \"--admission-control=...,PodSecurityPolicy,...\"" + scored: true + + - id: 1.1.26 + text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-key-file" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS + parameter to \"--service-account-key-file=\"" + scored: true + + - id: 1.1.27 + text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--etcd-certfile" + set: true + - flag: "--etcd-keyfile" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver + and etcd. Then, edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to include \"--etcd-certfile=\" + and \"--etcd-keyfile=\"" + scored: true + + - id: 1.1.28 + text: "Ensure that the admission control policy is set to ServiceAccount (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: has + value: "ServiceAccount" + set: true + remediation: "Follow the documentation and create ServiceAccount objects as per your environment. + Then, edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to \"--admissioncontrol=...,ServiceAccount,...\"" + scored: true + + - id: 1.1.29 + text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--tls-cert-file" + set: true + - flag: "--tls-private-key-file" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver. + Then, edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to + include \"--tls-cert-file=\" and + \"--tls-private-key-file=\"" + scored: true + + - id: 1.1.30 + text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--client-ca-file" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver. + Then, edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to include \"--client-ca-file=\"" + scored: true + + - id: 1.1.31 + text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--etcd-cafile" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver + and etcd. Then, edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to include \"--etcd-cafile=\"" + scored: true + +- id: 1.2 + text: "Scheduler" + checks: + - id: 1.2.1 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $schedulerbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: "Edit the $schedulerconf file on the master node and set the KUBE_SCHEDULER_ARGS + parameter to \"--profiling=false\"" + scored: true + +- id: 1.3 + text: "Controller Manager" + checks: + - id: 1.3.1 + text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--terminated-pod-gc-threshold" + set: true + remediation: "Edit the $controllermanagerconf file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--terminated-pod-gcthreshold=\"" + scored: true + + - id: 1.3.2 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: "Edit the $controllermanagerconf file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--profiling=false\"" + scored: true + + - id: 1.3.3 + text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-experimental-approve-all-kubelet-csrs-for-group" + set: false + remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and remove the + --insecure-experimental-approve-all-kubelet-csrs-for-group argument from the + KUBE_CONTROLLER_MANAGER_ARGS parameter." + scored: true + + - id: 1.3.4 + text: "Ensure that the --use-service-account-credentials argument is set" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--use-service-account-credentials" + compare: + op: eq + value: true + set: true + remediation: "Edit the $controllermanagerconf file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to --use-service-account-credentials=true" + scored: true + + - id: 1.3.5 + text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-private-key-file" + set: true + remediation: "Edit the $controllermanagerconf file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to --service-account-private-keyfile=" + scored: true + + - id: 1.3.6 + text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--root-ca-file" + set: true + remediation: "Edit the $controllermanagerconf file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=" + scored: true + +- id: 1.4 + text: "Configure Files" + checks: + - id: 1.4.1 + text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" + # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chmod 644 $apiserverconf" + scored: true + + - id: 1.4.2 + text: "Ensure that the apiserver file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chown root:root $apiserverconf" + scored: true + + - id: 1.4.3 + text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chmod 644 $config" + scored: true + + - id: 1.4.4 + text: "Ensure that the config file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chown root:root $config" + scored: true + + - id: 1.4.5 + text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chmod 644 $schedulerconf" + scored: true + + - id: 1.4.6 + text: "Ensure that the scheduler file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chown root:root $schedulerconf" + scored: true + + - id: 1.4.7 + text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chmod 644 $etcdconf" + scored: true + + - id: 1.4.8 + text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chown root:root $etcdconf" + scored: true + + - id: 1.4.9 + text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chmod 644 $flanneldconf" + scored: true + + - id: 1.4.10 + text: "Ensure that the flanneld file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chown root:root $flanneldconf" + scored: true + + - id: 1.4.11 + text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" + tests: + test_items: + - flag: "700" + compare: + op: eq + value: "700" + set: true + remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir , + from the below command:\n + ps -ef | grep $etcdbin\n + Run the below command (based on the etcd data directory found above). For example,\n + chmod 700 /var/lib/etcd/default.etcd" + scored: true + + - id: 1.4.12 + text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" + tests: + test_items: + - flag: "etcd:etcd" + set: true + remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir , + from the below command:\n + ps -ef | grep etcd\n + Run the below command (based on the etcd data directory found above). For example,\n + chown etcd:etcd /var/lib/etcd/default.etcd" + scored: true + +- id: 1.5 + text: "etcd" + checks: + - id: 1.5.1 + text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--cert-file" + set: true + - flag: "--key-file" + set: true + remediation: "Follow the etcd service documentation and configure TLS encryption." + scored: true + + - id: 1.5.2 + text: "Ensure that the --client-cert-auth argument is set to true (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--client-cert-auth" + compare: + op: eq + value: true + set: true + remediation: "Edit the etcd envrironment file (for example, $etcdconf) on the + etcd server node and set the ETCD_CLIENT_CERT_AUTH parameter to \"true\". + Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) + and configure the startup parameter for --clientcert-auth and set it to \"${ETCD_CLIENT_CERT_AUTH}\"" + scored: true + + - id: 1.5.3 + text: "Ensure that the --auto-tls argument is not set to true (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--auto-tls" + set: false + - flag: "--auto-tls" + compare: + op: neq + value: true + remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server + node and comment out the ETCD_AUTO_TLS parameter. Edit the etcd startup file (for example, + /etc/systemd/system/multiuser.target.wants/etcd.service) and remove the startup parameter + for --auto-tls." + scored: true + + - id: 1.5.4 + text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--peer-cert-file" + set: true + - flag: "--peer-key-file" + set: true + remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only + one etcd server in your environment then this recommendation is not applicable. + Follow the etcd service documentation and configure peer TLS encryption as appropriate for + your etcd cluster." + scored: true + + - id: 1.5.5 + text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--peer-client-cert-auth" + compare: + op: eq + value: true + set: true + remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only + one etcd server in your environment then this recommendation is not applicable. + Edit the etcd environment file (for example, $etcdconf) on the etcd server node + and set the ETCD_PEER_CLIENT_CERT_AUTH parameter to \"true\". Edit the etcd startup file + (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the + startup parameter for --peer-client-cert-auth and set it to \"${ETCD_PEER_CLIENT_CERT_AUTH}\"" + scored: true + + - id: 1.5.6 + text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--peer-auto-tls" + set: false + - flag: "--peer-auto-tls" + compare: + op: eq + value: false + set: true + remediation: "Note: This recommendation is applicable only for etcd clusters. + If you are using only one etcd server in your environment then this recommendation is + not applicable. Edit the etcd environment file (for example, $etcdconf) + on the etcd server node and comment out the ETCD_PEER_AUTO_TLS parameter. + Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) + and remove the startup parameter for --peer-auto-tls." + scored: true + + - id: 1.5.7 + text: "Ensure that the --wal-dir argument is set as appropriate (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--wal-dir" + set: true + remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node + and set the ETCD_WAL_DIR parameter as appropriate. Edit the etcd startup file (for example, + /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for + --wal-dir and set it to \"${ETCD_WAL_DIR}\"" + scored: true + + - id: 1.5.8 + text: "Ensure that the --max-wals argument is set to 0 (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--max-wals" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node + and set the ETCD_MAX_WALS parameter to 0. Edit the etcd startup file (for example, + /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter + for --max-wals and set it to \"${ETCD_MAX_WALS}\"." + scored: true + + - id: 1.5.9 + text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--trusted-ca-file" + set: true + remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the + etcd service." + scored: false + +- id: 1.6 + text: "General Security Primitives" + checks: + - id: 1.6.1 + text: "Ensure that the cluster-admin role is only used where required (Not Scored)" + type: "manual" + remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]" + scored: false + + - id: 1.6.2 + text: "Create Pod Security Policies for your cluster (Not Scored)" + type: "manual" + remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster. + Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the + suggested Pod Security Policies for your environment." + scored: false + + - id: 1.6.3 + text: "Create administrative boundaries between resources using namespaces (Not Scored)" + type: "manual" + remediation: "Follow the documentation and create namespaces for objects in your deployment as you + need them." + scored: false + + - id: 1.6.4 + text: "Create network segmentation using Network Policies (Not Scored)" + type: "manual" + remediation: "Follow the documentation and create NetworkPolicy objects as you need them." + scored: false + + - id: 1.6.5 + text: "Avoid using Kubernetes Secrets (Not Scored)" + type: "manual" + remediation: "Use other mechanisms such as vaults to manage your cluster secrets." + scored: false + + + - id: 1.6.6 + text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" + type: "manual" + remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you + would need to enable alpha features in the apiserver by passing \"--feature- + gates=AllAlpha=true\" argument.\n + Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS + parameter to \"--feature-gates=AllAlpha=true\" + KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\"" + scored: false + + - id: 1.6.7 + text: "Apply Security Context to Your Pods and Containers (Not Scored)" + type: "manual" + remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a + suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker + Containers." + scored: false + + - id: 1.6.8 + text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" + type: "manual" + remediation: "Follow the Kubernetes documentation and setup image provenance." + scored: false diff --git a/cfg/1.6/node.yaml b/cfg/1.6/node.yaml new file mode 100644 index 0000000..9344724 --- /dev/null +++ b/cfg/1.6/node.yaml @@ -0,0 +1,304 @@ +--- +controls: +version: 1.6 +id: 2 +text: "Worker Node Security Configuration" +type: "node" +groups: +- id: 2.1 + text: "Kubelet" + checks: + - id: 2.1.1 + text: "Ensure that the --allow-privileged argument is set to false (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--allow-privileged" + compare: + op: eq + value: false + set: true + remediation: "Edit the $config file on each node and set the KUBE_ALLOW_PRIV + parameter to \"--allow-privileged=false\"" + scored: true + + - id: 2.1.2 + text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--anonymous-auth" + compare: + op: eq + value: false + set: true + remediation: "Edit the $kubeletconf file on the master node and set the + KUBELET_ARGS parameter to \"--anonymous-auth=false\"" + scored: true + + - id: 2.1.3 + text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--authorization-mode" + compare: + op: nothave + value: "AlwaysAllow" + set: true + remediation: "Edit the $kubeletconf file on each node and set the + KUBELET_ARGS parameter to \"--authorization-mode=Webhook\"" + scored: true + + - id: 2.1.4 + text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--client-ca-file" + set: true + remediation: "Follow the Kubernetes documentation and setup the TLS connection between + the apiserver and kubelets. Then, edit the $kubeletconf file on each node + and set the KUBELET_ARGS parameter to \"--client-ca-file=\"" + scored: true + + - id: 2.1.5 + text: "Ensure that the --read-only-port argument is set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--read-only-port" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS + parameter to \"--read-only-port=0\"" + scored: true + + - id: 2.1.6 + text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--streaming-connection-idle-timeout" + compare: + op: gt + value: 0 + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS + parameter to \"--streaming-connection-idle-timeout=\"" + scored: true + + - id: 2.1.7 + text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--protect-kernel-defaults" + compare: + op: eq + value: true + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS + parameter to \"--protect-kernel-defaults=true\"" + scored: true + + - id: 2.1.8 + text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--make-iptables-util-chains" + compare: + op: eq + value: true + set: true + - flag: "--make-iptables-util-chains" + set: false + remediation: "Edit the $kubeletconf file on each node and remove the + --make-iptables-util-chains argument from the KUBELET_ARGS parameter." + scored: true + + - id: 2.1.9 + text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--keep-terminated-pod-volumes" + compare: + op: eq + value: false + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS + parameter to \"--keep-terminated-pod-volumes=false\"" + scored: true + + - id: 2.1.10 + text: "Ensure that the --hostname-override argument is not set (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--hostname-override" + set: false + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_HOSTNAME + parameter to \"\"" + scored: true + + - id: 2.1.11 + text: "Ensure that the --event-qps argument is set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--event-qps" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS + parameter to \"--event-qps=0\"" + scored: true + + - id: 2.1.12 + text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--tls-cert-file" + set: true + - flag: "--tls-private-key-file" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet. + Then, edit the $kubeletconf file on the master node and set the KUBELET_ARGS + parameter to include \"--tls-cert-file=\" and + \"--tls-private-key-file=\"" + scored: true + + - id: 2.1.13 + text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--cadvisor-port" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter + to \"--cadvisor-port=0\"" + scored: true + +- id: 2.2 + text: "Configuration Files" + checks: + - id: 2.2.1 + text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chmod 644 $config" + scored: true + + - id: 2.2.2 + text: "Ensure that the config file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: root:root + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chown root:root $config" + scored: true + + - id: 2.2.3 + text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: 644 + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chmod 644 $kubeletconf" + scored: true + + - id: 2.2.4 + text: "Ensure that the kubelet file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" + tests: + test_items: + - flag: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chown root:root $kubeletconf" + scored: true + + - id: 2.2.5 + text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chmod 644 $proxyconf" + scored: true + + - id: 2.2.6 + text: "Ensure that the proxy file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" + tests: + test_items: + - flag: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chown root:root $proxyconf" + scored: true diff --git a/cfg/1.7/federated.yaml b/cfg/1.7/federated.yaml new file mode 100644 index 0000000..0c27dc1 --- /dev/null +++ b/cfg/1.7/federated.yaml @@ -0,0 +1,285 @@ +--- +controls: +version: 1.7 +id: 3 +text: "Federated Deployments" +type: "federated" +groups: +- id: 3.1 + text: "Federation API Server" + checks: + - id: 3.1.1 + text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--anonymous-auth" + compare: + op: eq + value: false + set: true + remediation: "Edit the deployment specs and set --anonymous-auth=false.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.2 + text: "Ensure that the --basic-auth-file argument is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--basic-auth-file" + set: false + remediation: "Follow the documentation and configure alternate mechanisms for authentication. + Then, edit the deployment specs and remove \"--basic-auth-file=\".\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.3 + text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-allow-any-token" + set: false + remediation: "Edit the deployment specs and remove --insecure-allow-any-token.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.4 + text: "Ensure that the --insecure-bind-address argument is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-bind-address" + set: false + remediation: "Edit the deployment specs and remove --insecure-bind-address.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.5 + text: "Ensure that the --insecure-port argument is set to 0 (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-port" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the deployment specs and set --insecure-port=0.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.6 + text: "Ensure that the --secure-port argument is not set to 0 (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--secure-port" + compare: + op: gt + value: 0 + set: true + - flag: "--secure-port" + set: false + remediation: "Edit the deployment specs and set the --secure-port argument to the desired port.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.7 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: "Edit the deployment specs and set \"--profiling=false\".\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + score: true + + - id: 3.1.8 + text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: nothave + value: AlwaysAdmit + set: true + remediation: "Edit the deployment specs and set --admission-control argument to a value that does + not include AlwaysAdmit.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.9 + text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "admission-control" + compare: + op: has + value: "NamespaceLifecycle" + set: true + remediation: "Edit the deployment specs and set --admission-control argument to a value that includes NamespaceLifecycle.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.10 + text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-path" + set: true + remediation: "Edit the deployment specs and set --audit-log-path argument as appropriate.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.11 + text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxage" + compare: + op: gte + value: 30 + set: true + remediation: "Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.12 + text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxbackup" + compare: + op: gte + value: 10 + set: true + remediation: "Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.13 + text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxsize" + compare: + op: gte + value: 100 + set: true + remediation: "Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.14 + text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--authorization-mode" + compare: + op: nothave + value: "AlwaysAllow" + set: true + remediation: "Edit the deployment specs and set --authorization-mode argument to a value other than AlwaysAllow.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.15 + text: "Ensure that the --token-auth-file parameter is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--token-auth-file" + set: false + remediation: "Follow the documentation and configure alternate mechanisms for authentication. + Then, edit the deployment specs and remove the --token-auth-file= argument.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.16 + text: "Ensure that the --service-account-lookup argument is set to true (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-lookup" + compare: + op: eq + value: true + set: true + remediation: "Edit the deployment specs and set \"--service-account-lookup=true\".\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.17 + text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-key-file" + set: true + remediation: "Edit the deployment specs and set --service-account-key-file argument as appropriate.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.18 + text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--etcd-certfile" + set: true + - flag: "--etcd-keyfile" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection between the + federation apiserver and etcd. Then, edit the deployment specs and set \"--etcd- + certfile=\" and \"--etcd- + keyfile=\" arguments.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.19 + text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--tls-cert-file" + set: true + - flag: "--tls-private-key-file" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection on the federation + apiserver. Then, edit the deployment specs and set \"--tls-cert-file=\" and \"--tls-private-key-file=\" : + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + +- id: 3.2 + text: "Federation Controller Manager" + checks: + - id: 3.2.1 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: "Edit the deployment specs and set \"--profiling=false\".\n + kubectl edit deployments federation-controller-manager-deployment --namespace=federation-system" + scored: true diff --git a/cfg/master.yaml b/cfg/1.7/master.yaml similarity index 99% rename from cfg/master.yaml rename to cfg/1.7/master.yaml index f54bf6a..ee80843 100644 --- a/cfg/master.yaml +++ b/cfg/1.7/master.yaml @@ -1,5 +1,6 @@ --- controls: +version: 1.7 id: 1 text: "Master Node Security Configuration" type: "master" @@ -310,7 +311,7 @@ groups: scored: true - id: 1.1.23 - text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)" + text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" tests: bin_op: and diff --git a/cfg/node.yaml b/cfg/1.7/node.yaml similarity index 99% rename from cfg/node.yaml rename to cfg/1.7/node.yaml index dfff376..b70e925 100644 --- a/cfg/node.yaml +++ b/cfg/1.7/node.yaml @@ -1,5 +1,6 @@ --- controls: +version: 1.7 id: 2 text: "Worker Node Security Configuration" type: "node" diff --git a/check/controls.go b/check/controls.go index dfea006..8660e81 100644 --- a/check/controls.go +++ b/check/controls.go @@ -23,10 +23,11 @@ import ( // Controls holds all controls to check for master nodes. type Controls struct { - ID string `yaml:"id"` - Text string - Type NodeType - Groups []*Group + ID string `yaml:"id"` + Version string + Text string + Type NodeType + Groups []*Group Summary } diff --git a/check/controls_test.go b/check/controls_test.go index ef9b1f4..0f0bcc7 100644 --- a/check/controls_test.go +++ b/check/controls_test.go @@ -11,22 +11,30 @@ const cfgDir = "../cfg/" // validate that the files we're shipping are valid YAML func TestYamlFiles(t *testing.T) { - files, err := ioutil.ReadDir(cfgDir) - if err != nil { - t.Fatalf("error reading %s directory: %v", cfgDir, err) - } - for _, file := range files { - fileName := file.Name() - in, err := ioutil.ReadFile(cfgDir + fileName) + dirs := []string{"1.6/", "1.7/"} + + for _, dir := range dirs { + dir = cfgDir + dir + + files, err := ioutil.ReadDir(dir) if err != nil { - t.Fatalf("error opening file %s: %v", fileName, err) + t.Fatalf("error reading %s directory: %v", dir, err) } - c := new(Controls) + for _, file := range files { - err = yaml.Unmarshal(in, c) - if err != nil { - t.Fatalf("failed to load YAML from %s: %v", fileName, err) + fileName := file.Name() + in, err := ioutil.ReadFile(dir + fileName) + if err != nil { + t.Fatalf("error opening file %s: %v", fileName, err) + } + + c := new(Controls) + + err = yaml.Unmarshal(in, c) + if err != nil { + t.Fatalf("failed to load YAML from %s: %v", fileName, err) + } } } } diff --git a/cmd/common.go b/cmd/common.go index 89f45bc..5ad8d93 100644 --- a/cmd/common.go +++ b/cmd/common.go @@ -78,7 +78,7 @@ func runChecks(t check.NodeType) { fedControllerManagerBin = viper.GetString("installation." + installation + ".federated.bin.controller-manager") // Run kubernetes installation validation checks. - verifyKubeVersion(kubeMajorVersion, kubeMinorVersion) + // verifyKubeVersion(kubeMajorVersion, kubeMinorVersion) verifyNodeType(t) switch t { @@ -90,7 +90,9 @@ func runChecks(t check.NodeType) { file = federatedFile } - in, err := ioutil.ReadFile(file) + ver := getKubeVersion() + path := fmt.Sprintf("%s/%s/%s", cfgDir, ver.Server, file) + in, err := ioutil.ReadFile(path) if err != nil { exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err)) } diff --git a/cmd/master.go b/cmd/master.go index b702615..1659d38 100644 --- a/cmd/master.go +++ b/cmd/master.go @@ -33,7 +33,7 @@ func init() { masterCmd.PersistentFlags().StringVarP(&masterFile, "file", "f", - cfgDir+"/master.yaml", + "/master.yaml", "Alternative YAML file for master checks", ) diff --git a/cmd/util.go b/cmd/util.go index 478ae21..8353fe5 100644 --- a/cmd/util.go +++ b/cmd/util.go @@ -2,6 +2,7 @@ package cmd import ( "fmt" + "log" "os" "os/exec" "regexp" @@ -90,66 +91,75 @@ func verifyBin(bin string, psFunc func(string) string) bool { return strings.Contains(out, bin) } -func verifyKubeVersion(major string, minor string) { - // These executables might not be on the user's path. +type version struct { + Server string + Client string +} +// func verifyKubeVersion(major string, minor string) { +func getKubeVersion() version { + var ver version + // These executables might not be on the user's path. _, err := exec.LookPath("kubectl") if err != nil { - continueWithError(err, sprintlnWarn("Kubernetes version check skipped")) - return + // continueWithError(err, sprintlnWarn("Kubernetes version check skipped")) + // return + log.Fatal(err) } cmd := exec.Command("kubectl", "version") out, err := cmd.Output() if err != nil { - s := fmt.Sprintf("Kubernetes version check skipped with error %v", err) - continueWithError(err, sprintlnWarn(s)) - if len(out) == 0 { - return - } + // s := fmt.Sprintf("Kubernetes version check skipped with error %v", err) + // continueWithError(err, sprintlnWarn(s)) + // if len(out) == 0 { + // return + // } + log.Fatal(err) } - msg := checkVersion("Client", string(out), major, minor) - if msg != "" { - continueWithError(fmt.Errorf(msg), msg) - } + clientVerRe := regexp.MustCompile(`Client.*Major:"(\d+)".*Minor:"(\d+)"`) + svrVerRe := regexp.MustCompile(`Server.*Major:"(\d+)".*Minor:"(\d+)"`) - msg = checkVersion("Server", string(out), major, minor) - if msg != "" { - continueWithError(fmt.Errorf(msg), msg) - } + sub := clientVerRe.FindStringSubmatch(string(out)) + ver.Client = sub[1] + "." + sub[2] + + sub = svrVerRe.FindStringSubmatch(string(out)) + ver.Server = sub[1] + "." + sub[2] + + return ver } -var regexVersionMajor = regexp.MustCompile("Major:\"([0-9]+)\"") -var regexVersionMinor = regexp.MustCompile("Minor:\"([0-9]+)\"") +// var regexVersionMajor = regexp.MustCompile("Major:\"([0-9]+)\"") +// var regexVersionMinor = regexp.MustCompile("Minor:\"([0-9]+)\"") -func checkVersion(x string, s string, expMajor string, expMinor string) string { - regexVersion, err := regexp.Compile(x + " Version: version.Info{(.*)}") - if err != nil { - return fmt.Sprintf("Error checking Kubernetes version: %v", err) - } - - ss := regexVersion.FindString(s) - major := versionMatch(regexVersionMajor, ss) - minor := versionMatch(regexVersionMinor, ss) - if major == "" || minor == "" { - return fmt.Sprintf("Couldn't find %s version from kubectl output '%s'", x, s) - } - - if major != expMajor || minor != expMinor { - return fmt.Sprintf("Unexpected %s version %s.%s", x, major, minor) - } - - return "" -} - -func versionMatch(r *regexp.Regexp, s string) string { - match := r.FindStringSubmatch(s) - if len(match) < 2 { - return "" - } - return match[1] -} +// func checkVersion(x string, s string, expMajor string, expMinor string) string { +// regexVersion, err := regexp.Compile(x + " Version: version.Info{(.*)}") +// if err != nil { +// return fmt.Sprintf("Error checking Kubernetes version: %v", err) +// } +// +// ss := regexVersion.FindString(s) +// major := versionMatch(regexVersionMajor, ss) +// minor := versionMatch(regexVersionMinor, ss) +// if major == "" || minor == "" { +// return fmt.Sprintf("Couldn't find %s version from kubectl output '%s'", x, s) +// } +// +// if major != expMajor || minor != expMinor { +// return fmt.Sprintf("Unexpected %s version %s.%s", x, major, minor) +// } +// +// return "" +// } +// +// func versionMatch(r *regexp.Regexp, s string) string { +// match := r.FindStringSubmatch(s) +// if len(match) < 2 { +// return "" +// } +// return match[1] +// } func multiWordReplace(s string, subname string, sub string) string { f := strings.Fields(sub) diff --git a/cmd/util_test.go b/cmd/util_test.go index dbd434b..2904e4b 100644 --- a/cmd/util_test.go +++ b/cmd/util_test.go @@ -20,60 +20,14 @@ import ( "testing" ) -func TestCheckVersion(t *testing.T) { - kubeoutput := `Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-06-30T09:51:01Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"} - Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-07-26T00:12:31Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}` - cases := []struct { - t string - s string - major string - minor string - exp string - }{ - {t: "Client", s: kubeoutput, major: "1", minor: "7"}, - {t: "Server", s: kubeoutput, major: "1", minor: "7"}, - {t: "Client", s: kubeoutput, major: "1", minor: "6", exp: "Unexpected Client version 1.7"}, - {t: "Client", s: kubeoutput, major: "2", minor: "0", exp: "Unexpected Client version 1.7"}, - {t: "Server", s: "something unexpected", major: "2", minor: "0", exp: "Couldn't find Server version from kubectl output 'something unexpected'"}, +func TestGetKubeVersion(t *testing.T) { + ver := getKubeVersion() + if ok, err := regexp.MatchString(`\d+.\d+`, ver.Client); !ok && err != nil { + t.Errorf("Expected:%v got %v\n", "n.m", ver.Client) } - for id, c := range cases { - t.Run(strconv.Itoa(id), func(t *testing.T) { - m := checkVersion(c.t, c.s, c.major, c.minor) - if m != c.exp { - t.Fatalf("Got: %s, expected: %s", m, c.exp) - } - }) - } - -} - -func TestVersionMatch(t *testing.T) { - minor := regexVersionMinor - major := regexVersionMajor - client := `Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-06-30T09:51:01Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}` - server := `Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-07-26T00:12:31Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}` - - cases := []struct { - r *regexp.Regexp - s string - exp string - }{ - {r: major, s: server, exp: "1"}, - {r: minor, s: server, exp: "7"}, - {r: major, s: client, exp: "1"}, - {r: minor, s: client, exp: "7"}, - {r: major, s: "Some unexpected string"}, - {r: minor}, // Checking that we don't fall over if the string is empty - } - - for id, c := range cases { - t.Run(strconv.Itoa(id), func(t *testing.T) { - m := versionMatch(c.r, c.s) - if m != c.exp { - t.Fatalf("Got %s expected %s", m, c.exp) - } - }) + if ok, err := regexp.MatchString(`\d+.\d+`, ver.Server); !ok && err != nil { + t.Errorf("Expected:%v got %v\n", "n.m", ver.Server) } }