diff --git a/cfg/ack-1.0/master.yaml b/cfg/ack-1.0/master.yaml index e3c4d6c..652652a 100644 --- a/cfg/ack-1.0/master.yaml +++ b/cfg/ack-1.0/master.yaml @@ -896,25 +896,7 @@ groups: --root-ca-file= scored: true - - id: 1.3.6 - text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" - audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" - tests: - bin_op: or - test_items: - - flag: "--feature-gates" - compare: - op: nothave - value: "RotateKubeletServerCertificate=false" - set: true - - flag: "--feature-gates" - set: false - remediation: | - Edit the Controller Manager pod specification file $controllermanagerconf - on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. - --feature-gates=RotateKubeletServerCertificate=true - scored: true - + - - id: 1.3.7 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" diff --git a/cfg/ack-1.0/policies.yaml b/cfg/ack-1.0/policies.yaml index d30bbae..9f4abbe 100644 --- a/cfg/ack-1.0/policies.yaml +++ b/cfg/ack-1.0/policies.yaml @@ -150,7 +150,7 @@ groups: - id: 5.3.2 text: "Ensure that all Namespaces have Network Policies defined (Manual)" - type: "manual" + type: manual remediation: | Follow the documentation and create NetworkPolicy objects as you need them. scored: false diff --git a/cfg/aks-1.0/policies.yaml b/cfg/aks-1.0/policies.yaml index 9cfde1e..d13cd56 100644 --- a/cfg/aks-1.0/policies.yaml +++ b/cfg/aks-1.0/policies.yaml @@ -121,7 +121,7 @@ groups: - id: 4.2.8 text: "Minimize the admission of containers with added capabilities (Automated)" - type: "manual" + type: manual remediation: | Ensure that allowedCapabilities is not present in PSPs for the cluster unless it is set to an empty array. diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml index 8823598..1523b22 100644 --- a/cfg/cis-1.5/node.yaml +++ b/cfg/cis-1.5/node.yaml 
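Review bot: Deleting check 1.3.6 outright leaves a gap in the numbering (1.3.5 is followed directly by 1.3.7), so the RotateKubeletServerCertificate control vanishes from reports instead of being visibly skipped; the same deletion is made for 4.2.12 in cfg/cis-1.5/node.yaml in the next hunk. The rke-cis-1.24 files in this same diff handle the identical control with `type: skip` plus a remediation sentence stating why, which keeps the control listed and the reason auditable; the same shape would work here, e.g. keep the item, add `type: skip`, and end the remediation with `<reason the control does not apply on this platform>` filled in by the author. The removed trailing `-` line and the added `+` line both appear blank, which suggests a whitespace-only difference (possibly trailing spaces) that can be dropped from the change.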
@@ -433,32 +433,6 @@ groups: systemctl daemon-reload systemctl restart kubelet.service scored: true - - - id: 4.2.12 - text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" - audit: "/bin/ps -fC $kubeletbin" - audit_config: "/bin/cat $kubeletconf" - tests: - bin_op: or - test_items: - - flag: RotateKubeletServerCertificate - path: '{.featureGates.RotateKubeletServerCertificate}' - set: true - compare: - op: nothave - value: false - - flag: RotateKubeletServerCertificate - path: '{.featureGates.RotateKubeletServerCertificate}' - set: false - remediation: | - Edit the kubelet service file $kubeletsvc - on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. - --feature-gates=RotateKubeletServerCertificate=true - Based on your system, restart the kubelet service. For example: - systemctl daemon-reload - systemctl restart kubelet.service - scored: true - - id: 4.2.13 text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)" audit: "/bin/ps -fC $kubeletbin" diff --git a/cfg/cis-1.9/node.yaml b/cfg/cis-1.9/node.yaml index bd7cc1f..2ad0277 100644 --- a/cfg/cis-1.9/node.yaml +++ b/cfg/cis-1.9/node.yaml @@ -428,6 +428,7 @@ groups: compare: op: valid_elements value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 + type: manual remediation: | If using a Kubelet config file, edit the file to set `TLSCipherSuites` to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 
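Review bot: `type: manual` is inserted directly after the `valid_elements` test item, so the automated `TLSCipherSuites` comparison stays in the file while, if a manual check is not evaluated (as the `type: skip` hunks elsewhere in this diff suggest for their checks), it is no longer run; a weak cipher configuration would then surface as a warning rather than a failure. If that downgrade is intended, the retained `tests:` block should carry a one-line comment such as `# tests kept for reference; check is evaluated manually because <reason>`, or be removed so it is not dead config. The check's `id`, `text` and `scored:` lines are outside this hunk; if the title still reads "(Automated)", it should become "(Manual)" as the rke-cis-1.24/master.yaml hunks in this diff do. The enclosing check starts before and ends after this hunk.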
diff --git a/cfg/rke-cis-1.24/master.yaml b/cfg/rke-cis-1.24/master.yaml index c08d6e5..114615a 100644 --- a/cfg/rke-cis-1.24/master.yaml +++ b/cfg/rke-cis-1.24/master.yaml @@ -139,14 +139,16 @@ groups: scored: false - id: 1.1.10 - text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)" + text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" audit: | ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G + use_multiple_values: true tests: test_items: - flag: "root:root" + type: manual remediation: | Run the below command (based on the file location on your system) on the control plane node. For example, @@ -163,6 +165,7 @@ groups: op: eq value: "700" set: true + type: manual remediation: | On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the command 'ps -ef | grep etcd'. @@ -287,7 +290,7 @@ groups: scored: true - id: 1.1.20 - text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Automated)" + text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)" audit: | if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi tests: @@ -298,6 +301,7 @@ groups: compare: op: bitmask value: "600" + type: manual remediation: | Run the below command (based on the file location on your system) on the control plane node. For example, 
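Review bot: The `type: manual` lines added at -139, -163 and -298 are the key that changes how each check is evaluated, but the indentation is lost in this rendering, so confirm each sits at check level as a sibling of `tests:` and `remediation:` rather than under the last `test_items` entry, where it would likely be ignored as an unknown key. At -139 and -287 the titles of 1.1.10 and 1.1.20 are changed to "(Manual)" to match, but the check touched at -163 (the etcd data-directory check, judging by its remediation text) gets only the `type:` line and its `text:` title is outside the hunk; if that still says "(Automated)" it should be updated the same way. At -139, `use_multiple_values: true` is added together with `type: manual`; if a manual check never runs its test items that flag has no effect, so either drop it or add a comment above it explaining why it is kept. Each of these hunks cuts through the middle of its check, whose `id` and remediation body lie outside the hunk.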
@@ -951,12 +955,13 @@ groups: set: true - flag: "--feature-gates" set: false + type: skip remediation: | Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. --feature-gates=RotateKubeletServerCertificate=true Cluster provisioned by RKE handles certificate rotation directly through RKE. - scored: true + - id: 1.3.7 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" diff --git a/cfg/rke-cis-1.24/node.yaml b/cfg/rke-cis-1.24/node.yaml index ca5dcc1..3d70aeb 100644 --- a/cfg/rke-cis-1.24/node.yaml +++ b/cfg/rke-cis-1.24/node.yaml @@ -410,7 +410,7 @@ groups: - id: 4.2.12 text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)" - type: "manual" + type: skip audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " tests: @@ -432,7 +432,6 @@ groups: systemctl daemon-reload systemctl restart kubelet.service Clusters provisioned by RKE handles certificate rotation directly through RKE. - scored: false - id: 4.2.13 text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated)"
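Review bot: `type: skip` is added to the 1.3.6 check while its two `--feature-gates` test items stay in place, and `scored: true` is replaced by a blank line rather than removed, which leaves dead test config and an extra empty line before `- id: 1.3.7`. If the test items are intentionally retained for reference, a comment above `tests:` (outside the hunk) such as `# not evaluated: type is skip because RKE handles certificate rotation itself` would say so; otherwise delete them together with the blank `+` line. The check's `id`, `text` and `tests:` header start before this hunk.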
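Review bot: `type` becomes `skip` for 4.2.12 while the context line above it still titles the check `Verify that the RotateKubeletServerCertificate argument is set to true (Manual)`, so the label and the evaluation mode now disagree; either keep `type: manual`, or, if skipping is intended, adjust the title suffix to whatever wording the project uses for skipped checks (not determinable from this diff). The `audit`, `audit_config` and `tests:` entries that follow are kept and presumably not evaluated for a skipped check, so they are now reference-only; the companion hunk at -432 drops `scored: false` for the same check and relies on the loader's default. The remediation body of the check lies between the two hunks.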