mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-25 01:18:12 +00:00
Support CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1 (#1045)
* Update eks-1.0 to support CIS EKS Benchmark v1.0.1 * add "No remediation" * rename eks-1.0 to eks-1.0.1 Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
This commit is contained in:
parent
f8e0171c09
commit
6589eb16e1
@ -244,7 +244,7 @@ version_mapping:
|
||||
"1.18": "cis-1.6"
|
||||
"1.19": "cis-1.20"
|
||||
"1.20": "cis-1.20"
|
||||
"eks-1.0": "eks-1.0"
|
||||
"eks-1.0.1": "eks-1.0.1"
|
||||
"gke-1.0": "gke-1.0"
|
||||
"ocp-3.10": "rh-0.7"
|
||||
"ocp-3.11": "rh-0.7"
|
||||
@ -278,7 +278,7 @@ target_mapping:
|
||||
- "etcd"
|
||||
- "policies"
|
||||
- "managedservices"
|
||||
"eks-1.0":
|
||||
"eks-1.0.1":
|
||||
- "master"
|
||||
- "node"
|
||||
- "controlplane"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: "eks-1.0"
|
||||
version: "eks-1.0.1"
|
||||
id: 2
|
||||
text: "Control Plane Configuration"
|
||||
type: "controlplane"
|
||||
@ -9,6 +9,6 @@ groups:
|
||||
text: "Logging"
|
||||
checks:
|
||||
- id: 2.1.1
|
||||
text: "Enable audit logs"
|
||||
text: "Enable audit logs (Manual)"
|
||||
remediation: "Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler."
|
||||
scored: false
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: "eks-1.0"
|
||||
version: "eks-1.0.1"
|
||||
id: 5
|
||||
text: "Managed Services"
|
||||
type: "managedservices"
|
||||
@ -9,78 +9,78 @@ groups:
|
||||
text: "Image Registry and Image Scanning"
|
||||
checks:
|
||||
- id: 5.1.1
|
||||
text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Not Scored)"
|
||||
text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.1.2
|
||||
text: "Minimize user access to Amazon ECR (Not Scored)"
|
||||
text: "Minimize user access to Amazon ECR (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.1.3
|
||||
text: "Minimize cluster access to read-only for Amazon ECR (Not Scored)"
|
||||
text: "Minimize cluster access to read-only for Amazon ECR (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.1.4
|
||||
text: "Minimize Container Registries to only those approved (Not Scored)"
|
||||
text: "Minimize Container Registries to only those approved (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.2
|
||||
text: "Identity and Access Management (IAM)"
|
||||
checks:
|
||||
- id: 5.2.1
|
||||
text: "Prefer using dedicated Amazon EKS Service Accounts (Not Scored)"
|
||||
text: "Prefer using dedicated Amazon EKS Service Accounts (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.3
|
||||
text: "AWS Key Management Service (AWS KMS)"
|
||||
text: "AWS Key Management Service (KMS)"
|
||||
checks:
|
||||
- id: 5.3.1
|
||||
text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Not Scored)"
|
||||
text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.4
|
||||
text: "Cluster Networking"
|
||||
checks:
|
||||
- id: 5.4.1
|
||||
text: "Restrict Access to the Control Plane Endpoint (Not Scored)"
|
||||
text: "Restrict Access to the Control Plane Endpoint (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.4.2
|
||||
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Not Scored)"
|
||||
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.4.3
|
||||
text: "Ensure clusters are created with Private Nodes (Not Scored)"
|
||||
text: "Ensure clusters are created with Private Nodes (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.4.4
|
||||
text: "Ensure Network Policy is Enabled and set as appropriate (Not Scored)"
|
||||
text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
- id: 5.4.5
|
||||
text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Not Scored)"
|
||||
text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
|
||||
@ -88,9 +88,9 @@ groups:
|
||||
text: "Authentication and Authorization"
|
||||
checks:
|
||||
- id: 5.5.1
|
||||
text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Not Scored)"
|
||||
text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
||||
|
||||
|
||||
@ -98,7 +98,7 @@ groups:
|
||||
text: "Other Cluster Configurations"
|
||||
checks:
|
||||
- id: 5.6.1
|
||||
text: "Consider Fargate for running untrusted workloads (Not Scored)"
|
||||
text: "Consider Fargate for running untrusted workloads (Manual)"
|
||||
type: "manual"
|
||||
remediation:
|
||||
remediation: "No remediation"
|
||||
scored: false
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: "eks-1.0"
|
||||
version: "eks-1.0.1"
|
||||
id: 1
|
||||
text: "Control Plane Components"
|
||||
type: "master"
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: "eks-1.0"
|
||||
version: "eks-1.0.1"
|
||||
id: 3
|
||||
text: "Worker Node Security Configuration"
|
||||
type: "node"
|
||||
@ -9,127 +9,62 @@ groups:
|
||||
text: "Worker Node Configuration Files"
|
||||
checks:
|
||||
- id: 3.1.1
|
||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'' '
|
||||
text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)"
|
||||
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "644"
|
||||
- flag: "permissions"
|
||||
compare:
|
||||
op: eq
|
||||
op: bitmask
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
- flag: "444"
|
||||
compare:
|
||||
op: eq
|
||||
value: "444"
|
||||
set: true
|
||||
- flag: "440"
|
||||
compare:
|
||||
op: eq
|
||||
value: "440"
|
||||
set: true
|
||||
- flag: "400"
|
||||
compare:
|
||||
op: eq
|
||||
value: "400"
|
||||
set: true
|
||||
- flag: "000"
|
||||
compare:
|
||||
op: eq
|
||||
value: "000"
|
||||
set: true
|
||||
bin_op: or
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on each worker node.
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
chmod 644 $proxykubeconfig
|
||||
scored: true
|
||||
chmod 644 $kubeletkubeconfig
|
||||
scored: false
|
||||
|
||||
- id: 3.1.2
|
||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
||||
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
|
||||
text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)"
|
||||
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
|
||||
tests:
|
||||
test_items:
|
||||
- flag: root:root
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
scored: true
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
chown root:root $kubeletkubeconfig
|
||||
scored: false
|
||||
|
||||
- id: 3.1.3
|
||||
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
|
||||
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'' '
|
||||
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)"
|
||||
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "644"
|
||||
set: true
|
||||
- flag: "permissions"
|
||||
compare:
|
||||
op: eq
|
||||
op: bitmask
|
||||
value: "644"
|
||||
- flag: "640"
|
||||
set: true
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
- flag: "600"
|
||||
set: true
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
- flag: "444"
|
||||
compare:
|
||||
op: eq
|
||||
value: "444"
|
||||
set: true
|
||||
- flag: "440"
|
||||
compare:
|
||||
op: eq
|
||||
value: "440"
|
||||
set: true
|
||||
- flag: "400"
|
||||
compare:
|
||||
op: eq
|
||||
value: "400"
|
||||
set: true
|
||||
- flag: "000"
|
||||
compare:
|
||||
op: eq
|
||||
value: "000"
|
||||
set: true
|
||||
bin_op: or
|
||||
remediation: |
|
||||
Run the following command (using the config file location identied in the Audit step)
|
||||
Run the following command (using the config file location identified in the Audit step)
|
||||
chmod 644 $kubeletconf
|
||||
scored: true
|
||||
scored: false
|
||||
|
||||
- id: 3.1.4
|
||||
text: "Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
|
||||
text: "Ensure that the kubelet configuration file ownership is set to root:root (Manual)"
|
||||
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
|
||||
tests:
|
||||
test_items:
|
||||
- flag: root:root
|
||||
set: true
|
||||
remediation: |
|
||||
Run the following command (using the config file location identied in the Audit step)
|
||||
Run the following command (using the config file location identified in the Audit step)
|
||||
chown root:root $kubeletconf
|
||||
scored: true
|
||||
scored: false
|
||||
|
||||
- id: 3.2
|
||||
text: "Kubelet"
|
||||
checks:
|
||||
- id: 3.2.1
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -153,7 +88,7 @@ groups:
|
||||
scored: true
|
||||
|
||||
- id: 3.2.2
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -176,7 +111,7 @@ groups:
|
||||
scored: true
|
||||
|
||||
- id: 3.2.3
|
||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Manual)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -194,10 +129,10 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
scored: false
|
||||
|
||||
- id: 3.2.4
|
||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
||||
text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -217,10 +152,10 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
scored: false
|
||||
|
||||
- id: 3.2.5
|
||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -245,10 +180,10 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
scored: false
|
||||
|
||||
- id: 3.2.6
|
||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -271,7 +206,7 @@ groups:
|
||||
scored: true
|
||||
|
||||
- id: 3.2.7
|
||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored) "
|
||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated) "
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -298,7 +233,7 @@ groups:
|
||||
scored: true
|
||||
|
||||
- id: 3.2.8
|
||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
||||
text: "Ensure that the --hostname-override argument is not set (Manual)"
|
||||
# This is one of those properties that can only be set as a command line argument.
|
||||
# To check if the property is set as expected, we need to parse the kubelet command
|
||||
# instead reading the Kubelet Configuration file.
|
||||
@ -314,10 +249,10 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
scored: false
|
||||
|
||||
- id: 3.2.9
|
||||
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)"
|
||||
text: "Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -339,7 +274,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 3.2.10
|
||||
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
|
||||
text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -364,10 +299,10 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
scored: false
|
||||
|
||||
- id: 3.2.11
|
||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
|
||||
audit: "/bin/ps -fC $kubeletbin"
|
||||
audit_config: "/bin/cat $kubeletconf"
|
||||
tests:
|
||||
@ -385,4 +320,4 @@ groups:
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
scored: false
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
controls:
|
||||
version: "eks-1.0"
|
||||
version: "eks-1.0.1"
|
||||
id: 4
|
||||
text: "Policies"
|
||||
type: "policies"
|
||||
@ -9,7 +9,7 @@ groups:
|
||||
text: "RBAC and Service Accounts"
|
||||
checks:
|
||||
- id: 4.1.1
|
||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||
text: "Ensure that the cluster-admin role is only used where required (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
|
||||
@ -20,14 +20,14 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.1.2
|
||||
text: "Minimize access to secrets (Not Scored)"
|
||||
text: "Minimize access to secrets (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Where possible, remove get, list and watch access to secret objects in the cluster.
|
||||
scored: false
|
||||
|
||||
- id: 4.1.3
|
||||
text: "Minimize wildcard use in Roles and ClusterRoles (Not Scored)"
|
||||
text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Where possible replace any use of wildcards in clusterroles and roles with specific
|
||||
@ -35,14 +35,14 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.1.4
|
||||
text: "Minimize access to create pods (Not Scored)"
|
||||
text: "Minimize access to create pods (Manual)"
|
||||
type: "manual"
|
||||
Remediation: |
|
||||
Where possible, remove create access to pod objects in the cluster.
|
||||
scored: false
|
||||
|
||||
- id: 4.1.5
|
||||
text: "Ensure that default service accounts are not actively used. (Not Scored)"
|
||||
text: "Ensure that default service accounts are not actively used. (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create explicit service accounts wherever a Kubernetes workload requires specific access
|
||||
@ -52,7 +52,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.1.6
|
||||
text: "Ensure that Service Account Tokens are only mounted where necessary (Not Scored)"
|
||||
text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Modify the definition of pods and service accounts which do not need to mount service
|
||||
@ -63,7 +63,7 @@ groups:
|
||||
text: "Pod Security Policies"
|
||||
checks:
|
||||
- id: 4.2.1
|
||||
text: "Minimize the admission of privileged containers (Not Scored)"
|
||||
text: "Minimize the admission of privileged containers (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that
|
||||
@ -71,7 +71,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.2.2
|
||||
text: "Minimize the admission of containers wishing to share the host process ID namespace (Not Scored)"
|
||||
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
@ -79,7 +79,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.2.3
|
||||
text: "Minimize the admission of containers wishing to share the host IPC namespace (Not Scored)"
|
||||
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
@ -87,7 +87,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.2.4
|
||||
text: "Minimize the admission of containers wishing to share the host network namespace (Not Scored)"
|
||||
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
@ -95,7 +95,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.2.5
|
||||
text: "Minimize the admission of containers with allowPrivilegeEscalation (Not Scored)"
|
||||
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
@ -103,7 +103,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.2.6
|
||||
text: "Minimize the admission of root containers (Not Scored)"
|
||||
text: "Minimize the admission of root containers (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
@ -112,7 +112,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.2.7
|
||||
text: "Minimize the admission of containers with the NET_RAW capability (Not Scored)"
|
||||
text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the
|
||||
@ -120,7 +120,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.2.8
|
||||
text: "Minimize the admission of containers with added capabilities (Not Scored)"
|
||||
text: "Minimize the admission of containers with added capabilities (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Ensure that allowedCapabilities is not present in PSPs for the cluster unless
|
||||
@ -128,7 +128,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.2.9
|
||||
text: "Minimize the admission of containers with capabilities assigned (Not Scored)"
|
||||
text: "Minimize the admission of containers with capabilities assigned (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Review the use of capabilities in applications running on your cluster. Where a namespace
|
||||
@ -140,14 +140,14 @@ groups:
|
||||
text: "CNI Plugin"
|
||||
checks:
|
||||
- id: 4.3.1
|
||||
text: "Ensure that the latest CNI version is used (Not Scored)"
|
||||
text: "Ensure that the latest CNI version is used (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Review the documentation of AWS CNI plugin, and ensure latest CNI version is used.
|
||||
scored: false
|
||||
|
||||
- id: 4.3.2
|
||||
text: "Ensure that all Namespaces have Network Policies defined (Not Scored)"
|
||||
text: "Ensure that all Namespaces have Network Policies defined (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||
@ -157,7 +157,7 @@ groups:
|
||||
text: "Secrets Management"
|
||||
checks:
|
||||
- id: 4.4.1
|
||||
text: "Prefer using secrets as files over secrets as environment variables (Not Scored)"
|
||||
text: "Prefer using secrets as files over secrets as environment variables (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
If possible, rewrite application code to read secrets from mounted secret files, rather than
|
||||
@ -165,7 +165,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.4.2
|
||||
text: "Consider external secret storage (Not Scored)"
|
||||
text: "Consider external secret storage (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Refer to the secrets management options offered by your cloud provider or a third-party
|
||||
@ -176,7 +176,7 @@ groups:
|
||||
text: "Extensible Admission Control"
|
||||
checks:
|
||||
- id: 4.5.1
|
||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Follow the Kubernetes documentation and setup image provenance.
|
||||
@ -186,7 +186,7 @@ groups:
|
||||
text: "General Policies"
|
||||
checks:
|
||||
- id: 4.6.1
|
||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||
text: "Create administrative boundaries between resources using namespaces (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Follow the documentation and create namespaces for objects in your deployment as you need
|
||||
@ -194,33 +194,7 @@ groups:
|
||||
scored: false
|
||||
|
||||
- id: 4.6.2
|
||||
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||
would need to enable alpha features in the apiserver by passing "--feature-
|
||||
gates=AllAlpha=true" argument.
|
||||
Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
|
||||
parameter to "--feature-gates=AllAlpha=true"
|
||||
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
|
||||
Based on your system, restart the kube-apiserver service. For example:
|
||||
systemctl restart kube-apiserver.service
|
||||
Use annotations to enable the docker/default seccomp profile in your pod definitions. An
|
||||
example is as below:
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: trustworthy-pod
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/pod: docker/default
|
||||
spec:
|
||||
containers:
|
||||
- name: trustworthy-container
|
||||
image: sotrustworthy:latest
|
||||
scored: false
|
||||
|
||||
- id: 4.6.3
|
||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||
text: "Apply Security Context to Your Pods and Containers (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||
@ -228,8 +202,8 @@ groups:
|
||||
Containers.
|
||||
scored: false
|
||||
|
||||
- id: 4.6.4
|
||||
text: "The default namespace should not be used (Not Scored)"
|
||||
- id: 4.6.3
|
||||
text: "The default namespace should not be used (Automated)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
|
@ -438,8 +438,8 @@ func TestValidTargets(t *testing.T) {
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
name: "eks-1.0 valid",
|
||||
benchmark: "eks-1.0",
|
||||
name: "eks-1.0.1 valid",
|
||||
benchmark: "eks-1.0.1",
|
||||
targets: []string{"node", "policies", "controlplane", "managedservices"},
|
||||
expected: true,
|
||||
},
|
||||
|
@ -455,7 +455,7 @@ func getPlatformBenchmarkVersion(platform string) string {
|
||||
glog.V(3).Infof("getPlatformBenchmarkVersion platform: %s", platform)
|
||||
switch platform {
|
||||
case "eks":
|
||||
return "eks-1.0"
|
||||
return "eks-1.0.1"
|
||||
case "gke":
|
||||
return "gke-1.0"
|
||||
case "aliyun":
|
||||
|
@ -578,7 +578,7 @@ func Test_getPlatformBenchmarkVersion(t *testing.T) {
|
||||
args: args{
|
||||
platform: "eks",
|
||||
},
|
||||
want: "eks-1.0",
|
||||
want: "eks-1.0.1",
|
||||
},
|
||||
{
|
||||
name: "gke",
|
||||
|
@ -19,7 +19,7 @@ The following table shows the valid targets based on the CIS Benchmark version.
|
||||
| cis-1.6| master, controlplane, node, etcd, policies |
|
||||
|cis-1.20| master, controlplane, node, etcd, policies |
|
||||
| gke-1.0| master, controlplane, node, etcd, policies, managedservices |
|
||||
| eks-1.0| controlplane, node, policies, managedservices |
|
||||
| eks-1.0.1| controlplane, node, policies, managedservices |
|
||||
| ack-1.0| master, controlplane, node, etcd, policies, managedservices |
|
||||
| rh-0.7| master,node|
|
||||
| rh-1.0| master, controlplane, node, etcd, policies |
|
||||
|
@ -11,7 +11,7 @@ Some defined by other hardenening guides.
|
||||
| CIS | [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16-1.18 |
|
||||
| CIS | [1.20](https://workbench.cisecurity.org/benchmarks/6246) | cis-1.20 | 1.19-1.20 |
|
||||
| CIS | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
|
||||
| CIS | [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS |
|
||||
| CIS | [EKS 1.0.1](https://workbench.cisecurity.org/benchmarks/6041) | eks-1.0.1 | EKS |
|
||||
| CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK |
|
||||
| CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
|
||||
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
|
||||
|
@ -33,7 +33,7 @@ spec:
|
||||
# Push the image to your ECR and then refer to it here
|
||||
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
|
||||
image: aquasec/kube-bench:latest
|
||||
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0", "--asff"]
|
||||
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1", "--asff"]
|
||||
volumeMounts:
|
||||
- name: var-lib-kubelet
|
||||
mountPath: /var/lib/kubelet
|
||||
@ -45,7 +45,7 @@ spec:
|
||||
mountPath: /etc/kubernetes
|
||||
readOnly: true
|
||||
- name: kube-bench-eks-config
|
||||
mountPath: "/opt/kube-bench/cfg/eks-1.0/config.yaml"
|
||||
mountPath: "/opt/kube-bench/cfg/eks-1.0.1/config.yaml"
|
||||
subPath: config.yaml
|
||||
readOnly: true
|
||||
restartPolicy: Never
|
||||
|
@ -13,7 +13,7 @@ spec:
|
||||
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
|
||||
image: aquasec/kube-bench:latest
|
||||
# To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
|
||||
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0"]
|
||||
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1"]
|
||||
volumeMounts:
|
||||
- name: var-lib-kubelet
|
||||
mountPath: /var/lib/kubelet
|
||||
|
Loading…
Reference in New Issue
Block a user