From 7663dc87ee749af253babf7ab083eddebc97fe39 Mon Sep 17 00:00:00 2001 From: Abubakr-Sadik Nii Nai Davis Date: Thu, 5 Oct 2017 17:29:38 +0000 Subject: [PATCH] Copy 1.7 benchmark as 1.8. --- cfg/1.8/federated.yaml | 285 +++++++++++ cfg/1.8/master.yaml | 1028 ++++++++++++++++++++++++++++++++++++++++ cfg/1.8/node.yaml | 370 +++++++++++++++ 3 files changed, 1683 insertions(+) create mode 100644 cfg/1.8/federated.yaml create mode 100644 cfg/1.8/master.yaml create mode 100644 cfg/1.8/node.yaml diff --git a/cfg/1.8/federated.yaml b/cfg/1.8/federated.yaml new file mode 100644 index 0000000..0c27dc1 --- /dev/null +++ b/cfg/1.8/federated.yaml @@ -0,0 +1,285 @@ +--- +controls: +version: 1.7 +id: 3 +text: "Federated Deployments" +type: "federated" +groups: +- id: 3.1 + text: "Federation API Server" + checks: + - id: 3.1.1 + text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--anonymous-auth" + compare: + op: eq + value: false + set: true + remediation: "Edit the deployment specs and set --anonymous-auth=false.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.2 + text: "Ensure that the --basic-auth-file argument is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--basic-auth-file" + set: false + remediation: "Follow the documentation and configure alternate mechanisms for authentication. + Then, edit the deployment specs and remove \"--basic-auth-file=\".\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.3 + text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-allow-any-token" + set: false + remediation: "Edit the deployment specs and remove --insecure-allow-any-token.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.4 + text: "Ensure that the --insecure-bind-address argument is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-bind-address" + set: false + remediation: "Edit the deployment specs and remove --insecure-bind-address.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.5 + text: "Ensure that the --insecure-port argument is set to 0 (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-port" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the deployment specs and set --insecure-port=0.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.6 + text: "Ensure that the --secure-port argument is not set to 0 (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--secure-port" + compare: + op: gt + value: 0 + set: true + - flag: "--secure-port" + set: false + remediation: "Edit the deployment specs and set the --secure-port argument to the desired port.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.7 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: "Edit the deployment specs and set \"--profiling=false\".\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + score: true + + - id: 3.1.8 + text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: nothave + value: AlwaysAdmit + set: true + remediation: "Edit the deployment specs and set --admission-control argument to a value that does + not include AlwaysAdmit.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.9 + text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "admission-control" + compare: + op: has + value: "NamespaceLifecycle" + set: true + remediation: "Edit the deployment specs and set --admission-control argument to a value that includes NamespaceLifecycle.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.10 + text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-path" + set: true + remediation: "Edit the deployment specs and set --audit-log-path argument as appropriate.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.11 + text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxage" + compare: + op: gte + value: 30 + set: true + remediation: "Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.12 + text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxbackup" + compare: + op: gte + value: 10 + set: true + remediation: "Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.13 + text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxsize" + compare: + op: gte + value: 100 + set: true + remediation: "Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.14 + text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--authorization-mode" + compare: + op: nothave + value: "AlwaysAllow" + set: true + remediation: "Edit the deployment specs and set --authorization-mode argument to a value other than AlwaysAllow.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.15 + text: "Ensure that the --token-auth-file parameter is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--token-auth-file" + set: false + remediation: "Follow the documentation and configure alternate mechanisms for authentication. + Then, edit the deployment specs and remove the --token-auth-file= argument.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.16 + text: "Ensure that the --service-account-lookup argument is set to true (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-lookup" + compare: + op: eq + value: true + set: true + remediation: "Edit the deployment specs and set \"--service-account-lookup=true\".\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.17 + text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-key-file" + set: true + remediation: "Edit the deployment specs and set --service-account-key-file argument as appropriate.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.18 + text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--etcd-certfile" + set: true + - flag: "--etcd-keyfile" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection between the + federation apiserver and etcd. Then, edit the deployment specs and set \"--etcd- + certfile=\" and \"--etcd- + keyfile=\" arguments.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + + - id: 3.1.19 + text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--tls-cert-file" + set: true + - flag: "--tls-private-key-file" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection on the federation + apiserver. Then, edit the deployment specs and set \"--tls-cert-file=\" and \"--tls-private-key-file=\" : + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true + +- id: 3.2 + text: "Federation Controller Manager" + checks: + - id: 3.2.1 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: "Edit the deployment specs and set \"--profiling=false\".\n + kubectl edit deployments federation-controller-manager-deployment --namespace=federation-system" + scored: true diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml new file mode 100644 index 0000000..a306eef --- /dev/null +++ b/cfg/1.8/master.yaml @@ -0,0 +1,1028 @@ +--- +controls: +version: 1.7 +id: 1 +text: "Master Node Security Configuration" +type: "master" +groups: +- id: 1.1 + text: "API Server" + checks: + - id: 1.1.1 + text: "Ensure that the --allow-privileged argument is set to false (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "allow-privileged" + compare: + op: eq + value: false + set: true + remediation: "Edit the $apiserverconf file on the master node and set + the KUBE_ALLOW_PRIV parameter to \"--allow-privileged=false\"" + scored: true + + - id: 1.1.2 + text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--anonymous-auth" + compare: + op: eq + value: false + set: true + remediation: "Edit the $apiserverconf file on the master node and set + the KUBE_API_ARGS parameter to \"--anonymous-auth=false\"" + scored: true + + - id: 1.1.3 + text: "Ensure that the --basic-auth-file argument is not set (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--basic-auth-file" + set: false + remediation: "Follow the documentation and configure alternate mechanisms for + authentication. Then, edit the $apiserverconf file on the master + node and remove the \"--basic-auth-file=\" argument from the + KUBE_API_ARGS parameter." + scored: true + + - id: 1.1.4 + text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-allow-any-token" + set: false + remediation: "Edit the $apiserverconf file on the master node and remove + the --insecure-allow-any-token argument from the KUBE_API_ARGS parameter." + scored: true + + - id: 1.1.5 + text: "Ensure that the --kubelet-https argument is set to true (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--kubelet-https" + compare: + op: eq + value: true + set: true + - flag: "--kubelet-https" + set: false + remediation: "Edit the $apiserverconf file on the master node and remove + the --kubelet-https argument from the KUBE_API_ARGS parameter." + scored: true + + - id: 1.1.6 + text: "Ensure that the --insecure-bind-address argument is not set (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-bind-address" + set: false + remediation: "Edit the $apiserverconf file on the master node and remove + the --insecure-bind-address argument from the KUBE_API_ADDRESS parameter." + scored: true + + - id: 1.1.7 + text: "Ensure that the --insecure-port argument is set to 0 (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-port" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the $apiserverconf file on the master node and set + --insecure-port=0 in the KUBE_API_PORT parameter." + scored: true + + - id: 1.1.8 + text: "Ensure that the --secure-port argument is not set to 0 (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--secure-port" + compare: + op: gt + value: 0 + set: true + - flag: "--secure-port" + set: false + remediation: "Edit the $apiserverconf file on the master node and either + remove the --secure-port argument from the KUBE_API_ARGS parameter or set + it to a different desired port." + scored: true + + - id: 1.1.9 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--profiling=false\"" + scored: true + + - id: 1.1.10 + text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--repair-malformed-updates" + compare: + op: eq + value: false + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--repair-malformed-updates=false\"" + scored: true + + - id: 1.1.11 + text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: nothave + value: AlwaysAdmit + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to a value that does not include AlwaysAdmit" + scored: true + + - id: 1.1.12 + text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: has + value: "AlwaysPullImages" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,AlwaysPullImages,...\"" + scored: true + + - id: 1.1.13 + text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: has + value: "DenyEscalatingExec" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,DenyEscalatingExec,...\"" + scored: true + + - id: 1.1.14 + text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: has + value: "SecurityContextDeny" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,SecurityContextDeny,...\"" + scored: true + + - id: 1.1.15 + text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "admission-control" + compare: + op: has + value: "NamespaceLifecycle" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to \"--admission-control=NamespaceLifecycle,...\"" + scored: true + + - id: 1.1.16 + text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-path" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--audit-log-path=\"" + scored: true + + - id: 1.1.17 + text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxage" + compare: + op: gte + value: 30 + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--audit-log-maxage=30\"" + scored: true + + - id: 1.1.18 + text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxbackup" + compare: + op: gte + value: 10 + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--audit-log-maxbackup=10\"" + scored: true + + - id: 1.1.19 + text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxsize" + compare: + op: gte + value: 100 + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--audit-log-maxsize=100\"" + scored: true + + - id: 1.1.20 + text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--authorization-mode" + compare: + op: nothave + value: "AlwaysAllow" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to values other than \"--authorization-mode=AlwaysAllow\"" + scored: true + + - id: 1.1.21 + text: "Ensure that the --token-auth-file parameter is not set (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--token-auth-file" + set: false + remediation: "Follow the documentation and configure alternate mechanisms for authentication. + Then, edit the $apiserverconf file on the master node and remove the + \"--tokenauth-file=\" argument from the KUBE_API_ARGS parameter." + scored: true + + - id: 1.1.22 + text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--kubelet-certificate-authority" + set: true + remediation: "Follow the Kubernetes documentation and setup the TLS connection between + the apiserver and kubelets. Then, edit the $apiserverconf file on the + master node and set the KUBE_API_ARGS parameter to + \"--kubelet-certificate-authority=\"" + scored: true + + - id: 1.1.23 + text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--kubelet-client-certificate" + set: true + - flag: "--kubelet-client-key" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver + and kubelets. Then, edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to \"--kubelet-clientcertificate=\" + and \"--kubelet-clientkey=\"" + scored: true + + - id: 1.1.24 + text: "Ensure that the --service-account-lookup argument is set to true (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-lookup" + compare: + op: eq + value: true + set: true + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter + to \"--service-account-lookup=true\"" + scored: true + + - id: 1.1.25 + text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: has + value: "PodSecurityPolicy" + set: true + remediation: "Follow the documentation and create Pod Security Policy objects as per your environment. + Then, edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL + parameter to \"--admission-control=...,PodSecurityPolicy,...\"" + scored: true + + - id: 1.1.26 + text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-key-file" + set: true + remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS + parameter to \"--service-account-key-file=\"" + scored: true + + - id: 1.1.27 + text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--etcd-certfile" + set: true + - flag: "--etcd-keyfile" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver + and etcd. Then, edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to include \"--etcd-certfile=\" + and \"--etcd-keyfile=\"" + scored: true + + - id: 1.1.28 + text: "Ensure that the admission control policy is set to ServiceAccount (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: has + value: "ServiceAccount" + set: true + remediation: "Follow the documentation and create ServiceAccount objects as per your environment. + Then, edit the $apiserverconf file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to \"--admissioncontrol=...,ServiceAccount,...\"" + scored: true + + - id: 1.1.29 + text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--tls-cert-file" + set: true + - flag: "--tls-private-key-file" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver. + Then, edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to + include \"--tls-cert-file=\" and + \"--tls-private-key-file=\"" + scored: true + + - id: 1.1.30 + text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--client-ca-file" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver. + Then, edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to include \"--client-ca-file=\"" + scored: true + + - id: 1.1.31 + text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--etcd-cafile" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver + and etcd. Then, edit the $apiserverconf file on the master node and set the + KUBE_API_ARGS parameter to include \"--etcd-cafile=\"" + scored: true + + - id: 1.1.32 + text: "Ensure that the --authorization-mode argument is set to Node (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--authorization-mode" + compare: + op: has + value: "Node" + set: true + remediation: "Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS + parameter to a value to include --authorization-mode=Node. One such example could be + as below:\n + KUBE_API_ARGS=\"--authorization-mode=Node,RBAC\"" + scored: true + + - id: 1.1.33 + text: "Ensure that the admission control policy is set to NodeRestriction (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: has + value: "NodeRestriction" + set: true + remediation: "Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. + Then, edit the /etc/kubernetes/apiserver file on the master node and set the + KUBE_ADMISSION_CONTROL parameter to \"--admissioncontrol=...,NodeRestriction,...\"" + scored: true + + - id: 1.1.34 + text: "1.1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + tests: + test_items: + - flag: "--experimental-encryption-provider-config" + set: true + remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit + the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS + parameter to \"--experimental-encryption-provider-config=\"" + scored: true + + - id: 1.1.35 + text: "Ensure that the encryption provider is set to aescbc (Scored)" + audit: "ps -ef | grep $apiserverbin | grep -v grep" + type: "manual" + remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, + choose aescbc as the encryption provider" + scored: true + +- id: 1.2 + text: "Scheduler" + checks: + - id: 1.2.1 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $schedulerbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: "Edit the $schedulerconf file on the master node and set the KUBE_SCHEDULER_ARGS + parameter to \"--profiling=false\"" + scored: true + +- id: 1.3 + text: "Controller Manager" + checks: + - id: 1.3.1 + text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--terminated-pod-gc-threshold" + set: true + remediation: "Edit the $controllermanagerconf file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--terminated-pod-gcthreshold=\"" + scored: true + + - id: 1.3.2 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: "Edit the $controllermanagerconf file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--profiling=false\"" + scored: true + + - id: 1.3.3 + text: "Ensure that the --use-service-account-credentials argument is set" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--use-service-account-credentials" + compare: + op: eq + value: true + set: true + remediation: "Edit the $controllermanagerconf file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to --use-service-account-credentials=true" + scored: true + + - id: 1.3.4 + text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-private-key-file" + set: true + remediation: "Edit the $controllermanagerconf file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to --service-account-private-keyfile=" + scored: true + + - id: 1.3.5 + text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--root-ca-file" + set: true + remediation: "Edit the $controllermanagerconf file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=" + scored: true + + - id: 1.3.6 + text: "Apply Security Context to Your Pods and Containers (Not Scored)" + type: "manual" + remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include + \"--feature-gates=RotateKubeletServerCertificate=true\"" + scored: false + + - id: 1.3.7 + text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" + audit: "ps -ef | grep $controllermanagerbin | grep -v grep" + tests: + test_items: + - flag: "RotateKubeletServerCertificate" + compare: + op: eq + value: true + set: true + remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include + \"--feature-gates=RotateKubeletServerCertificate=true\"" + scored: true + +- id: 1.4 + text: "Configure Files" + checks: + - id: 1.4.1 + text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" + # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chmod 644 $apiserverconf" + scored: true + + - id: 1.4.2 + text: "Ensure that the apiserver file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chown root:root $apiserverconf" + scored: true + + - id: 1.4.3 + text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chmod 644 $kubernetesconf" + scored: true + + - id: 1.4.4 + text: "Ensure that the config file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chown root:root $kubernetesconf" + scored: true + + - id: 1.4.5 + text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chmod 644 $schedulerconf" + scored: true + + - id: 1.4.6 + text: "Ensure that the scheduler file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chown root:root $schedulerconf" + scored: true + + - id: 1.4.7 + text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chmod 644 $etcdconf" + scored: true + + - id: 1.4.8 + text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chown root:root $etcdconf" + scored: true + + - id: 1.4.9 + text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chmod 644 $flanneldconf" + scored: true + + - id: 1.4.10 + text: "Ensure that the flanneld file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the master node. + \nFor example, chown root:root $flanneldconf" + scored: true + + - id: 1.4.11 + text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" + tests: + test_items: + - flag: "700" + compare: + op: eq + value: "700" + set: true + remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir , + from the below command:\n + ps -ef | grep $etcdbin\n + Run the below command (based on the etcd data directory found above). For example,\n + chmod 700 /var/lib/etcd/default.etcd" + scored: true + + - id: 1.4.12 + text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" + tests: + test_items: + - flag: "etcd:etcd" + set: true + remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir , + from the below command:\n + ps -ef | grep etcd\n + Run the below command (based on the etcd data directory found above). For example,\n + chown etcd:etcd /var/lib/etcd/default.etcd" + scored: true + +- id: 1.5 + text: "etcd" + checks: + - id: 1.5.1 + text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--cert-file" + set: true + - flag: "--key-file" + set: true + remediation: "Follow the etcd service documentation and configure TLS encryption." + scored: true + + - id: 1.5.2 + text: "Ensure that the --client-cert-auth argument is set to true (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--client-cert-auth" + compare: + op: eq + value: true + set: true + remediation: "Edit the etcd envrironment file (for example, $etcdconf) on the + etcd server node and set the ETCD_CLIENT_CERT_AUTH parameter to \"true\". + Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) + and configure the startup parameter for --clientcert-auth and set it to \"${ETCD_CLIENT_CERT_AUTH}\"" + scored: true + + - id: 1.5.3 + text: "Ensure that the --auto-tls argument is not set to true (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--auto-tls" + set: false + - flag: "--auto-tls" + compare: + op: neq + value: true + remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server + node and comment out the ETCD_AUTO_TLS parameter. Edit the etcd startup file (for example, + /etc/systemd/system/multiuser.target.wants/etcd.service) and remove the startup parameter + for --auto-tls." + scored: true + + - id: 1.5.4 + text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--peer-cert-file" + set: true + - flag: "--peer-key-file" + set: true + remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only + one etcd server in your environment then this recommendation is not applicable. + Follow the etcd service documentation and configure peer TLS encryption as appropriate for + your etcd cluster." + scored: true + + - id: 1.5.5 + text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--peer-client-cert-auth" + compare: + op: eq + value: true + set: true + remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only + one etcd server in your environment then this recommendation is not applicable. + Edit the etcd environment file (for example, $etcdconf) on the etcd server node + and set the ETCD_PEER_CLIENT_CERT_AUTH parameter to \"true\". Edit the etcd startup file + (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the + startup parameter for --peer-client-cert-auth and set it to \"${ETCD_PEER_CLIENT_CERT_AUTH}\"" + scored: true + + - id: 1.5.6 + text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--peer-auto-tls" + set: false + - flag: "--peer-auto-tls" + compare: + op: eq + value: false + set: true + remediation: "Note: This recommendation is applicable only for etcd clusters. + If you are using only one etcd server in your environment then this recommendation is + not applicable. Edit the etcd environment file (for example, $etcdconf) + on the etcd server node and comment out the ETCD_PEER_AUTO_TLS parameter. + Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) + and remove the startup parameter for --peer-auto-tls." + scored: true + + - id: 1.5.7 + text: "Ensure that the --wal-dir argument is set as appropriate (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--wal-dir" + set: true + remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node + and set the ETCD_WAL_DIR parameter as appropriate. Edit the etcd startup file (for example, + /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for + --wal-dir and set it to \"${ETCD_WAL_DIR}\"" + scored: true + + - id: 1.5.8 + text: "Ensure that the --max-wals argument is set to 0 (Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--max-wals" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node + and set the ETCD_MAX_WALS parameter to 0. Edit the etcd startup file (for example, + /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter + for --max-wals and set it to \"${ETCD_MAX_WALS}\"." + scored: true + + - id: 1.5.9 + text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" + audit: "ps -ef | grep $etcdbin | grep -v grep" + tests: + test_items: + - flag: "--trusted-ca-file" + set: true + remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the + etcd service." + scored: false + +- id: 1.6 + text: "General Security Primitives" + checks: + - id: 1.6.1 + text: "Ensure that the cluster-admin role is only used where required (Not Scored)" + type: "manual" + remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]" + scored: false + + - id: 1.6.2 + text: "Create Pod Security Policies for your cluster (Not Scored)" + type: "manual" + remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster. + Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the + suggested Pod Security Policies for your environment." + scored: false + + - id: 1.6.3 + text: "Create administrative boundaries between resources using namespaces (Not Scored)" + type: "manual" + remediation: "Follow the documentation and create namespaces for objects in your deployment as you + need them." + scored: false + + - id: 1.6.4 + text: "Create network segmentation using Network Policies (Not Scored)" + type: "manual" + remediation: "Follow the documentation and create NetworkPolicy objects as you need them." + scored: false + + - id: 1.6.5 + text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" + type: "manual" + remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you + would need to enable alpha features in the apiserver by passing \"--feature- + gates=AllAlpha=true\" argument.\n + Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS + parameter to \"--feature-gates=AllAlpha=true\" + KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\"" + scored: false + + - id: 1.6.6 + text: "Apply Security Context to Your Pods and Containers (Not Scored)" + type: "manual" + remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a + suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker + Containers." + scored: false + + - id: 1.6.7 + text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" + type: "manual" + remediation: "Follow the Kubernetes documentation and setup image provenance." + scored: false + + - id: 1.6.8 + text: "Configure Network policies as appropriate (Not Scored)" + type: "manual" + remediation: "Follow the Kubernetes documentation and setup network policies as appropriate." + scored: false + diff --git a/cfg/1.8/node.yaml b/cfg/1.8/node.yaml new file mode 100644 index 0000000..de0f8b5 --- /dev/null +++ b/cfg/1.8/node.yaml @@ -0,0 +1,370 @@ +--- +controls: +version: 1.7 +id: 2 +text: "Worker Node Security Configuration" +type: "node" +groups: +- id: 2.1 + text: "Kubelet" + checks: + - id: 2.1.1 + text: "Ensure that the --allow-privileged argument is set to false (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--allow-privileged" + compare: + op: eq + value: false + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBE_ALLOW_PRIV + parameter to \"--allow-privileged=false\"" + scored: true + + - id: 2.1.2 + text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--anonymous-auth" + compare: + op: eq + value: false + set: true + remediation: "Edit the $kubeletconf file on the master node and set the + KUBELET_ARGS parameter to \"--anonymous-auth=false\"" + scored: true + + - id: 2.1.3 + text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--authorization-mode" + compare: + op: nothave + value: "AlwaysAllow" + set: true + remediation: "Edit the $kubeletconf file on each node and set the + KUBELET_ARGS parameter to \"--authorization-mode=Webhook\"" + scored: true + + - id: 2.1.4 + text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--client-ca-file" + set: true + remediation: "Follow the Kubernetes documentation and setup the TLS connection between + the apiserver and kubelets. Then, edit the $kubeletconf file on each node + and set the KUBELET_ARGS parameter to \"--client-ca-file=\"" + scored: true + + - id: 2.1.5 + text: "Ensure that the --read-only-port argument is set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--read-only-port" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS + parameter to \"--read-only-port=0\"" + scored: true + + - id: 2.1.6 + text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--streaming-connection-idle-timeout" + compare: + op: noteq + value: 0 + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS + parameter to \"--streaming-connection-idle-timeout=\"" + scored: true + + - id: 2.1.7 + text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--protect-kernel-defaults" + compare: + op: eq + value: true + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS + parameter to \"--protect-kernel-defaults=true\"" + scored: true + + - id: 2.1.8 + text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--make-iptables-util-chains" + compare: + op: eq + value: true + set: true + - flag: "--make-iptables-util-chains" + set: false + remediation: "Edit the $kubeletconf file on each node and remove the + --make-iptables-util-chains argument from the KUBELET_ARGS parameter." + scored: true + + - id: 2.1.9 + text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--keep-terminated-pod-volumes" + compare: + op: eq + value: false + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS + parameter to \"--keep-terminated-pod-volumes=false\"" + scored: true + + - id: 2.1.10 + text: "Ensure that the --hostname-override argument is not set (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--hostname-override" + set: false + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_HOSTNAME + parameter to \"\"" + scored: true + + - id: 2.1.11 + text: "Ensure that the --event-qps argument is set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--event-qps" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS + parameter to \"--event-qps=0\"" + scored: true + + - id: 2.1.12 + text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--tls-cert-file" + set: true + - flag: "--tls-private-key-file" + set: true + remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet. + Then, edit the $kubeletconf file on the master node and set the KUBELET_ARGS + parameter to include \"--tls-cert-file=\" and + \"--tls-private-key-file=\"" + scored: true + + - id: 2.1.13 + text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--cadvisor-port" + compare: + op: eq + value: 0 + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter + to \"--cadvisor-port=0\"" + scored: true + + - id: 2.1.14 + text: "Ensure that the RotateKubeletClientCertificate argument is set to true" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "RotateKubeletClientCertificate" + compare: + op: eq + value: true + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter + to a value to include \"--feature-gates=RotateKubeletClientCertificate=true\"." + scored: true + + - id: 2.1.15 + text: "Ensure that the RotateKubeletServerCertificate argument is set to true" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "RotateKubeletServerCertificate" + compare: + op: eq + value: true + set: true + remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter + to a value to include \"--feature-gates=RotateKubeletServerCertificate=true\"." + scored: true + +- id: 2.2 + text: "Configuration Files" + checks: + - id: 2.2.1 + text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chmod 644 $kubernetesconf" + scored: true + + - id: 2.2.2 + text: "Ensure that the config file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: root:root + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chown root:root $kubernetesconf" + scored: true + + - id: 2.2.3 + text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: 644 + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chmod 644 $kubeletconf" + scored: true + + - id: 2.2.4 + text: "Ensure that the kubelet file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" + tests: + test_items: + - flag: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chown root:root $kubeletconf" + scored: true + + - id: 2.2.5 + text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chmod 644 $proxyconf" + scored: true + + - id: 2.2.6 + text: "Ensure that the proxy file ownership is set to root:root (Scored)" + audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" + tests: + test_items: + - flag: "root:root" + set: true + remediation: "Run the below command (based on the file location on your system) on the each worker node. + \nFor example, chown root:root $proxyconf" + scored: true + + - id: 2.2.7 + text: "Ensure that the certificate authorities file permissions are set to + 644 or more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: "Run the following command to modify the file permissions of the --client-ca-file + \nchmod 644 " + scored: true + + - id: 2.2.8 + text: "Ensure that the client certificate authorities file ownership is set to root:root" + audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" + tests: + test_items: + - flag: "notexist:notexist" + set: true + remediation: "Run the following command to modify the ownership of the --client-ca-file. + \nchown root:root " + scored: true