1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 08:08:07 +00:00

Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (#1045)

* Update eks-1.0 to support CIS EKS Benchmark v1.0.1

* add "No remediation"

* rename eks-1.0 to eks-1.0.1

Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
This commit is contained in:
Huang Huang 2021-11-18 16:42:53 +08:00 committed by GitHub
parent f8e0171c09
commit 6589eb16e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 107 additions and 198 deletions

View File

@ -244,7 +244,7 @@ version_mapping:
"1.18": "cis-1.6" "1.18": "cis-1.6"
"1.19": "cis-1.20" "1.19": "cis-1.20"
"1.20": "cis-1.20" "1.20": "cis-1.20"
"eks-1.0": "eks-1.0" "eks-1.0.1": "eks-1.0.1"
"gke-1.0": "gke-1.0" "gke-1.0": "gke-1.0"
"ocp-3.10": "rh-0.7" "ocp-3.10": "rh-0.7"
"ocp-3.11": "rh-0.7" "ocp-3.11": "rh-0.7"
@ -278,7 +278,7 @@ target_mapping:
- "etcd" - "etcd"
- "policies" - "policies"
- "managedservices" - "managedservices"
"eks-1.0": "eks-1.0.1":
- "master" - "master"
- "node" - "node"
- "controlplane" - "controlplane"

View File

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: "eks-1.0" version: "eks-1.0.1"
id: 2 id: 2
text: "Control Plane Configuration" text: "Control Plane Configuration"
type: "controlplane" type: "controlplane"
@ -9,6 +9,6 @@ groups:
text: "Logging" text: "Logging"
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: "Enable audit logs" text: "Enable audit logs (Manual)"
remediation: "Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler." remediation: "Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler."
scored: false scored: false

View File

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: "eks-1.0" version: "eks-1.0.1"
id: 5 id: 5
text: "Managed Services" text: "Managed Services"
type: "managedservices" type: "managedservices"
@ -9,78 +9,78 @@ groups:
text: "Image Registry and Image Scanning" text: "Image Registry and Image Scanning"
checks: checks:
- id: 5.1.1 - id: 5.1.1
text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Not Scored)" text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
- id: 5.1.2 - id: 5.1.2
text: "Minimize user access to Amazon ECR (Not Scored)" text: "Minimize user access to Amazon ECR (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
- id: 5.1.3 - id: 5.1.3
text: "Minimize cluster access to read-only for Amazon ECR (Not Scored)" text: "Minimize cluster access to read-only for Amazon ECR (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
- id: 5.1.4 - id: 5.1.4
text: "Minimize Container Registries to only those approved (Not Scored)" text: "Minimize Container Registries to only those approved (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
- id: 5.2 - id: 5.2
text: "Identity and Access Management (IAM)" text: "Identity and Access Management (IAM)"
checks: checks:
- id: 5.2.1 - id: 5.2.1
text: "Prefer using dedicated Amazon EKS Service Accounts (Not Scored)" text: "Prefer using dedicated Amazon EKS Service Accounts (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
- id: 5.3 - id: 5.3
text: "AWS Key Management Service (AWS KMS)" text: "AWS Key Management Service (KMS)"
checks: checks:
- id: 5.3.1 - id: 5.3.1
text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Not Scored)" text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
- id: 5.4 - id: 5.4
text: "Cluster Networking" text: "Cluster Networking"
checks: checks:
- id: 5.4.1 - id: 5.4.1
text: "Restrict Access to the Control Plane Endpoint (Not Scored)" text: "Restrict Access to the Control Plane Endpoint (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
- id: 5.4.2 - id: 5.4.2
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Not Scored)" text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
- id: 5.4.3 - id: 5.4.3
text: "Ensure clusters are created with Private Nodes (Not Scored)" text: "Ensure clusters are created with Private Nodes (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
- id: 5.4.4 - id: 5.4.4
text: "Ensure Network Policy is Enabled and set as appropriate (Not Scored)" text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
- id: 5.4.5 - id: 5.4.5
text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Not Scored)" text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
@ -88,9 +88,9 @@ groups:
text: "Authentication and Authorization" text: "Authentication and Authorization"
checks: checks:
- id: 5.5.1 - id: 5.5.1
text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Not Scored)" text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false
@ -98,7 +98,7 @@ groups:
text: "Other Cluster Configurations" text: "Other Cluster Configurations"
checks: checks:
- id: 5.6.1 - id: 5.6.1
text: "Consider Fargate for running untrusted workloads (Not Scored)" text: "Consider Fargate for running untrusted workloads (Manual)"
type: "manual" type: "manual"
remediation: remediation: "No remediation"
scored: false scored: false

View File

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: "eks-1.0" version: "eks-1.0.1"
id: 1 id: 1
text: "Control Plane Components" text: "Control Plane Components"
type: "master" type: "master"

View File

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: "eks-1.0" version: "eks-1.0.1"
id: 3 id: 3
text: "Worker Node Security Configuration" text: "Worker Node Security Configuration"
type: "node" type: "node"
@ -9,127 +9,62 @@ groups:
text: "Worker Node Configuration Files" text: "Worker Node Configuration Files"
checks: checks:
- id: 3.1.1 - id: 3.1.1
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
tests: tests:
test_items: test_items:
- flag: "644" - flag: "permissions"
compare: compare:
op: eq op: bitmask
value: "644" value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: | remediation: |
Run the below command (based on the file location on your system) on each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
chmod 644 $proxykubeconfig chmod 644 $kubeletkubeconfig
scored: true scored: false
- id: 3.1.2 - id: 3.1.2
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root
set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example,
scored: true chown root:root $kubeletkubeconfig
scored: false
- id: 3.1.3 - id: 3.1.3
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests: tests:
test_items: test_items:
- flag: "644" - flag: "permissions"
set: true
compare: compare:
op: eq op: bitmask
value: "644" value: "644"
- flag: "640"
set: true
compare:
op: eq
value: "640"
- flag: "600"
set: true
compare:
op: eq
value: "600"
- flag: "444"
compare:
op: eq
value: "444"
set: true
- flag: "440"
compare:
op: eq
value: "440"
set: true
- flag: "400"
compare:
op: eq
value: "400"
set: true
- flag: "000"
compare:
op: eq
value: "000"
set: true
bin_op: or
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identified in the Audit step)
chmod 644 $kubeletconf chmod 644 $kubeletconf
scored: true scored: false
- id: 3.1.4 - id: 3.1.4
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)" text: "Ensure that the kubelet configuration file ownership is set to root:root (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' ' audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests: tests:
test_items: test_items:
- flag: root:root - flag: root:root
set: true
remediation: | remediation: |
Run the following command (using the config file location identied in the Audit step) Run the following command (using the config file location identified in the Audit step)
chown root:root $kubeletconf chown root:root $kubeletconf
scored: true scored: false
- id: 3.2 - id: 3.2
text: "Kubelet" text: "Kubelet"
checks: checks:
- id: 3.2.1 - id: 3.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -153,7 +88,7 @@ groups:
scored: true scored: true
- id: 3.2.2 - id: 3.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -176,7 +111,7 @@ groups:
scored: true scored: true
- id: 3.2.3 - id: 3.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: "Ensure that the --client-ca-file argument is set as appropriate (Manual)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -194,10 +129,10 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: false
- id: 3.2.4 - id: 3.2.4
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -217,10 +152,10 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: false
- id: 3.2.5 - id: 3.2.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -245,10 +180,10 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: false
- id: 3.2.6 - id: 3.2.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -271,7 +206,7 @@ groups:
scored: true scored: true
- id: 3.2.7 - id: 3.2.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored) " text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated) "
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -298,7 +233,7 @@ groups:
scored: true scored: true
- id: 3.2.8 - id: 3.2.8
text: "Ensure that the --hostname-override argument is not set (Scored)" text: "Ensure that the --hostname-override argument is not set (Manual)"
# This is one of those properties that can only be set as a command line argument. # This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command # To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file. # instead reading the Kubelet Configuration file.
@ -314,10 +249,10 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: false
- id: 3.2.9 - id: 3.2.9
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)" text: "Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -339,7 +274,7 @@ groups:
scored: false scored: false
- id: 3.2.10 - id: 3.2.10
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)" text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -364,10 +299,10 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: false
- id: 3.2.11 - id: 3.2.11
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
@ -385,4 +320,4 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: false

View File

@ -1,6 +1,6 @@
--- ---
controls: controls:
version: "eks-1.0" version: "eks-1.0.1"
id: 4 id: 4
text: "Policies" text: "Policies"
type: "policies" type: "policies"
@ -9,7 +9,7 @@ groups:
text: "RBAC and Service Accounts" text: "RBAC and Service Accounts"
checks: checks:
- id: 4.1.1 - id: 4.1.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)" text: "Ensure that the cluster-admin role is only used where required (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
@ -20,14 +20,14 @@ groups:
scored: false scored: false
- id: 4.1.2 - id: 4.1.2
text: "Minimize access to secrets (Not Scored)" text: "Minimize access to secrets (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Where possible, remove get, list and watch access to secret objects in the cluster. Where possible, remove get, list and watch access to secret objects in the cluster.
scored: false scored: false
- id: 4.1.3 - id: 4.1.3
text: "Minimize wildcard use in Roles and ClusterRoles (Not Scored)" text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Where possible replace any use of wildcards in clusterroles and roles with specific Where possible replace any use of wildcards in clusterroles and roles with specific
@ -35,14 +35,14 @@ groups:
scored: false scored: false
- id: 4.1.4 - id: 4.1.4
text: "Minimize access to create pods (Not Scored)" text: "Minimize access to create pods (Manual)"
type: "manual" type: "manual"
Remediation: | Remediation: |
Where possible, remove create access to pod objects in the cluster. Where possible, remove create access to pod objects in the cluster.
scored: false scored: false
- id: 4.1.5 - id: 4.1.5
text: "Ensure that default service accounts are not actively used. (Not Scored)" text: "Ensure that default service accounts are not actively used. (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Create explicit service accounts wherever a Kubernetes workload requires specific access Create explicit service accounts wherever a Kubernetes workload requires specific access
@ -52,7 +52,7 @@ groups:
scored: false scored: false
- id: 4.1.6 - id: 4.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Not Scored)" text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Modify the definition of pods and service accounts which do not need to mount service Modify the definition of pods and service accounts which do not need to mount service
@ -63,7 +63,7 @@ groups:
text: "Pod Security Policies" text: "Pod Security Policies"
checks: checks:
- id: 4.2.1 - id: 4.2.1
text: "Minimize the admission of privileged containers (Not Scored)" text: "Minimize the admission of privileged containers (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that Create a PSP as described in the Kubernetes documentation, ensuring that
@ -71,7 +71,7 @@ groups:
scored: false scored: false
- id: 4.2.2 - id: 4.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Not Scored)" text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -79,7 +79,7 @@ groups:
scored: false scored: false
- id: 4.2.3 - id: 4.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Not Scored)" text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -87,7 +87,7 @@ groups:
scored: false scored: false
- id: 4.2.4 - id: 4.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Not Scored)" text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -95,7 +95,7 @@ groups:
scored: false scored: false
- id: 4.2.5 - id: 4.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Not Scored)" text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -103,7 +103,7 @@ groups:
scored: false scored: false
- id: 4.2.6 - id: 4.2.6
text: "Minimize the admission of root containers (Not Scored)" text: "Minimize the admission of root containers (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -112,7 +112,7 @@ groups:
scored: false scored: false
- id: 4.2.7 - id: 4.2.7
text: "Minimize the admission of containers with the NET_RAW capability (Not Scored)" text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the Create a PSP as described in the Kubernetes documentation, ensuring that the
@ -120,7 +120,7 @@ groups:
scored: false scored: false
- id: 4.2.8 - id: 4.2.8
text: "Minimize the admission of containers with added capabilities (Not Scored)" text: "Minimize the admission of containers with added capabilities (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Ensure that allowedCapabilities is not present in PSPs for the cluster unless Ensure that allowedCapabilities is not present in PSPs for the cluster unless
@ -128,7 +128,7 @@ groups:
scored: false scored: false
- id: 4.2.9 - id: 4.2.9
text: "Minimize the admission of containers with capabilities assigned (Not Scored)" text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Review the use of capabilities in applications running on your cluster. Where a namespace Review the use of capabilities in applications running on your cluster. Where a namespace
@ -140,14 +140,14 @@ groups:
text: "CNI Plugin" text: "CNI Plugin"
checks: checks:
- id: 4.3.1 - id: 4.3.1
text: "Ensure that the latest CNI version is used (Not Scored)" text: "Ensure that the latest CNI version is used (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Review the documentation of AWS CNI plugin, and ensure latest CNI version is used. Review the documentation of AWS CNI plugin, and ensure latest CNI version is used.
scored: false scored: false
- id: 4.3.2 - id: 4.3.2
text: "Ensure that all Namespaces have Network Policies defined (Not Scored)" text: "Ensure that all Namespaces have Network Policies defined (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the documentation and create NetworkPolicy objects as you need them. Follow the documentation and create NetworkPolicy objects as you need them.
@ -157,7 +157,7 @@ groups:
text: "Secrets Management" text: "Secrets Management"
checks: checks:
- id: 4.4.1 - id: 4.4.1
text: "Prefer using secrets as files over secrets as environment variables (Not Scored)" text: "Prefer using secrets as files over secrets as environment variables (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
If possible, rewrite application code to read secrets from mounted secret files, rather than If possible, rewrite application code to read secrets from mounted secret files, rather than
@ -165,7 +165,7 @@ groups:
scored: false scored: false
- id: 4.4.2 - id: 4.4.2
text: "Consider external secret storage (Not Scored)" text: "Consider external secret storage (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Refer to the secrets management options offered by your cloud provider or a third-party Refer to the secrets management options offered by your cloud provider or a third-party
@ -176,7 +176,7 @@ groups:
text: "Extensible Admission Control" text: "Extensible Admission Control"
checks: checks:
- id: 4.5.1 - id: 4.5.1
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and setup image provenance. Follow the Kubernetes documentation and setup image provenance.
@ -186,7 +186,7 @@ groups:
text: "General Policies" text: "General Policies"
checks: checks:
- id: 4.6.1 - id: 4.6.1
text: "Create administrative boundaries between resources using namespaces (Not Scored)" text: "Create administrative boundaries between resources using namespaces (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the documentation and create namespaces for objects in your deployment as you need Follow the documentation and create namespaces for objects in your deployment as you need
@ -194,33 +194,7 @@ groups:
scored: false scored: false
- id: 4.6.2 - id: 4.6.2
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" text: "Apply Security Context to Your Pods and Containers (Manual)"
type: "manual"
remediation: |
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
parameter to "--feature-gates=AllAlpha=true"
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
Based on your system, restart the kube-apiserver service. For example:
systemctl restart kube-apiserver.service
Use annotations to enable the docker/default seccomp profile in your pod definitions. An
example is as below:
apiVersion: v1
kind: Pod
metadata:
name: trustworthy-pod
annotations:
seccomp.security.alpha.kubernetes.io/pod: docker/default
spec:
containers:
- name: trustworthy-container
image: sotrustworthy:latest
scored: false
- id: 4.6.3
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and apply security contexts to your pods. For a Follow the Kubernetes documentation and apply security contexts to your pods. For a
@ -228,8 +202,8 @@ groups:
Containers. Containers.
scored: false scored: false
- id: 4.6.4 - id: 4.6.3
text: "The default namespace should not be used (Not Scored)" text: "The default namespace should not be used (Automated)"
type: "manual" type: "manual"
remediation: | remediation: |
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes Ensure that namespaces are created to allow for appropriate segregation of Kubernetes

View File

@ -438,8 +438,8 @@ func TestValidTargets(t *testing.T) {
expected: true, expected: true,
}, },
{ {
name: "eks-1.0 valid", name: "eks-1.0.1 valid",
benchmark: "eks-1.0", benchmark: "eks-1.0.1",
targets: []string{"node", "policies", "controlplane", "managedservices"}, targets: []string{"node", "policies", "controlplane", "managedservices"},
expected: true, expected: true,
}, },

View File

@ -455,7 +455,7 @@ func getPlatformBenchmarkVersion(platform string) string {
glog.V(3).Infof("getPlatformBenchmarkVersion platform: %s", platform) glog.V(3).Infof("getPlatformBenchmarkVersion platform: %s", platform)
switch platform { switch platform {
case "eks": case "eks":
return "eks-1.0" return "eks-1.0.1"
case "gke": case "gke":
return "gke-1.0" return "gke-1.0"
case "aliyun": case "aliyun":

View File

@ -578,7 +578,7 @@ func Test_getPlatformBenchmarkVersion(t *testing.T) {
args: args{ args: args{
platform: "eks", platform: "eks",
}, },
want: "eks-1.0", want: "eks-1.0.1",
}, },
{ {
name: "gke", name: "gke",

View File

@ -19,7 +19,7 @@ The following table shows the valid targets based on the CIS Benchmark version.
| cis-1.6| master, controlplane, node, etcd, policies | | cis-1.6| master, controlplane, node, etcd, policies |
|cis-1.20| master, controlplane, node, etcd, policies | |cis-1.20| master, controlplane, node, etcd, policies |
| gke-1.0| master, controlplane, node, etcd, policies, managedservices | | gke-1.0| master, controlplane, node, etcd, policies, managedservices |
| eks-1.0| controlplane, node, policies, managedservices | | eks-1.0.1| controlplane, node, policies, managedservices |
| ack-1.0| master, controlplane, node, etcd, policies, managedservices | | ack-1.0| master, controlplane, node, etcd, policies, managedservices |
| rh-0.7| master,node| | rh-0.7| master,node|
| rh-1.0| master, controlplane, node, etcd, policies | | rh-1.0| master, controlplane, node, etcd, policies |

View File

@ -11,7 +11,7 @@ Some defined by other hardenening guides.
| CIS | [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16-1.18 | | CIS | [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16-1.18 |
| CIS | [1.20](https://workbench.cisecurity.org/benchmarks/6246) | cis-1.20 | 1.19-1.20 | | CIS | [1.20](https://workbench.cisecurity.org/benchmarks/6246) | cis-1.20 | 1.19-1.20 |
| CIS | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE | | CIS | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
| CIS | [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS | | CIS | [EKS 1.0.1](https://workbench.cisecurity.org/benchmarks/6041) | eks-1.0.1 | EKS |
| CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK | | CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK |
| CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS | | CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 | | RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |

View File

@ -33,7 +33,7 @@ spec:
# Push the image to your ECR and then refer to it here # Push the image to your ECR and then refer to it here
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref> # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
image: aquasec/kube-bench:latest image: aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0", "--asff"] command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1", "--asff"]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet
@ -45,7 +45,7 @@ spec:
mountPath: /etc/kubernetes mountPath: /etc/kubernetes
readOnly: true readOnly: true
- name: kube-bench-eks-config - name: kube-bench-eks-config
mountPath: "/opt/kube-bench/cfg/eks-1.0/config.yaml" mountPath: "/opt/kube-bench/cfg/eks-1.0.1/config.yaml"
subPath: config.yaml subPath: config.yaml
readOnly: true readOnly: true
restartPolicy: Never restartPolicy: Never

View File

@ -13,7 +13,7 @@ spec:
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref> # image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
image: aquasec/kube-bench:latest image: aquasec/kube-bench:latest
# To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead # To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0"] command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1"]
volumeMounts: volumeMounts:
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet