|
|
|
@ -169,6 +169,40 @@ groups:
|
|
|
|
|
chown root:root <path/to/cni/files>
|
|
|
|
|
scored: false
|
|
|
|
|
|
|
|
|
|
- id: 1.1.11
|
|
|
|
|
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
|
|
|
|
|
audit: stat -c %a /node/var/lib/etcd
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "700"
|
|
|
|
|
compare:
|
|
|
|
|
op: eq
|
|
|
|
|
value: "700"
|
|
|
|
|
set: true
|
|
|
|
|
remediation: |
|
|
|
|
|
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
|
|
|
|
|
from the command 'ps -ef | grep etcd'.
|
|
|
|
|
Run the below command (based on the etcd data directory found above). For example,
|
|
|
|
|
chmod 700 /var/lib/etcd
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.1.12
|
|
|
|
|
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
|
|
|
|
|
type: "skip"
|
|
|
|
|
audit: "stat -c %U:%G /node/var/lib/etcd"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "etcd:etcd"
|
|
|
|
|
set: true
|
|
|
|
|
remediation: |
|
|
|
|
|
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
|
|
|
|
|
from the command 'ps -ef | grep etcd'.
|
|
|
|
|
Run the below command (based on the etcd data directory found above).
|
|
|
|
|
For example, chown etcd:etcd /var/lib/etcd
|
|
|
|
|
Permissive - A system service account is required for etcd data directory ownership.
|
|
|
|
|
Refer to Rancher's hardening guide for more details on how to configure this ownership.
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.1.13
|
|
|
|
|
text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"
|
|
|
|
|
type: "skip"
|
|
|
|
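Review bot: Check 1.1.11 compares the etcd data directory mode with `op: eq` against `"700"`, so a directory already set to 600 or 500 — which the check text itself accepts as "700 or more restrictive", the `chmod 700` in the remediation being only an example — is reported as a failure. Checks 1.1.20 and 1.1.21 in the next hunk use the `bitmask` operator for exactly this "or more restrictive" semantics, so the compare block here should read `op: bitmask` / `value: "700"`. The `audit:` value of 1.1.11 is the only one in this hunk left as a plain scalar; writing it as `audit: "stat -c %a /node/var/lib/etcd"` matches 1.1.12 and the rest of the file and avoids a plain-scalar surprise if the command later gains a `: ` or ` #`. Check 1.1.12 carries `type: "skip"` next to a full test block and `scored: true`; if the skip is deliberate because of the "Permissive" ownership note, a one-line comment above `type:` saying so would tell a reader why the test block is never evaluated. The `groups:` list these entries belong to starts and ends outside the hunk.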
@ -264,6 +298,53 @@ groups:
|
|
|
|
|
All configuration is passed in as arguments at container run time.
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.1.19
|
|
|
|
|
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
|
|
|
|
|
audit: "check_files_owner_in_dir.sh /node/etc/kubernetes/ssl"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "true"
|
|
|
|
|
compare:
|
|
|
|
|
op: eq
|
|
|
|
|
value: "true"
|
|
|
|
|
set: true
|
|
|
|
|
remediation: |
|
|
|
|
|
Run the below command (based on the file location on your system) on the control plane node.
|
|
|
|
|
For example,
|
|
|
|
|
chown -R root:root /etc/kubernetes/pki/
|
|
|
|
|
scored: true
|
|
|
|
|
|
|
|
|
|
- id: 1.1.20
|
|
|
|
|
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"
|
|
|
|
|
audit: "find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a"
|
|
|
|
|
use_multiple_values: true
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "permissions"
|
|
|
|
|
compare:
|
|
|
|
|
op: bitmask
|
|
|
|
|
value: "600"
|
|
|
|
|
remediation: |
|
|
|
|
|
Run the below command (based on the file location on your system) on the control plane node.
|
|
|
|
|
For example,
|
|
|
|
|
find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} +
|
|
|
|
|
scored: false
|
|
|
|
|
|
|
|
|
|
- id: 1.1.21
|
|
|
|
|
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
|
|
|
|
|
audit: "find /node/etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a"
|
|
|
|
|
use_multiple_values: true
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "permissions"
|
|
|
|
|
compare:
|
|
|
|
|
op: bitmask
|
|
|
|
|
value: "600"
|
|
|
|
|
remediation: |
|
|
|
|
|
Run the below command (based on the file location on your system) on the control plane node.
|
|
|
|
|
For example,
|
|
|
|
|
find /node/etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} +
|
|
|
|
|
scored: false
|
|
|
|
|
|
|
|
|
|
- id: 1.2
|
|
|
|
|
text: "API Server"
|
|
|
|
|