From 7e59a9d555bb63555515be8ef67a47afa4534ee5 Mon Sep 17 00:00:00 2001
From: Saurabh Misra
Date: Mon, 16 Sep 2024 16:06:42 +0530
Subject: [PATCH] FIXING RKE CIS CHECKS
In this change we are making 2 changes:
1. adding the check Type as manual for some manual checks for which the type was missing or incorrect
2. Some checks are being skipped as they are not applicable for an RKE2 cluster
---
cfg/ack-1.0/master.yaml | 20 +-------------------
cfg/ack-1.0/policies.yaml | 2 +-
cfg/aks-1.0/policies.yaml | 2 +-
cfg/cis-1.5/node.yaml | 26 --------------------------
cfg/cis-1.9/node.yaml | 1 +
cfg/rke-cis-1.24/master.yaml | 11 ++++++++---
cfg/rke-cis-1.24/node.yaml | 3 +--
7 files changed, 13 insertions(+), 52 deletions(-)
diff --git a/cfg/ack-1.0/master.yaml b/cfg/ack-1.0/master.yaml
index e3c4d6c..652652a 100644
--- a/cfg/ack-1.0/master.yaml
+++ b/cfg/ack-1.0/master.yaml
@@ -896,25 +896,7 @@ groups: --root-ca-file= scored: true - - id: 1.3.6 - text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" - audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" - tests: - bin_op: or - test_items: - - flag: "--feature-gates" - compare: - op: nothave - value: "RotateKubeletServerCertificate=false" - set: true - - flag: "--feature-gates" - set: false - remediation: | - Edit the Controller Manager pod specification file $controllermanagerconf - on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. - --feature-gates=RotateKubeletServerCertificate=true - scored: true - + - - id: 1.3.7 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
diff --git a/cfg/ack-1.0/policies.yaml b/cfg/ack-1.0/policies.yaml
index d30bbae..9f4abbe 100644
--- a/cfg/ack-1.0/policies.yaml
+++ b/cfg/ack-1.0/policies.yaml
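Review bot: The ack-1.0 profile loses control 1.3.6 (controller-manager RotateKubeletServerCertificate) outright: the whole check is deleted and only an empty-looking line is added, so kube-bench will report nothing for it on ACK, where the RKE/RKE2 rationale in the commit message does not apply. If the control really cannot be assessed there, the consistent treatment is the one this same patch applies in cfg/rke-cis-1.24/master.yaml, keeping the check and setting `type: skip` so the gap stays visible in the report; otherwise this hunk should be dropped. The added `+` line looks like it is either whitespace-only or a stray `-`; a bare `-` would become a null entry in the enclosing checks list, and a whitespace-only line is a yamllint error, so it should not be committed in either form. The enclosing checks list continues outside the hunk.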
@@ -150,7 +150,7 @@ groups: - id: 5.3.2 text: "Ensure that all Namespaces have Network Policies defined (Manual)" - type: "manual" + type: manual remediation: | Follow the documentation and create NetworkPolicy objects as you need them. scored: false
diff --git a/cfg/aks-1.0/policies.yaml b/cfg/aks-1.0/policies.yaml
index 9cfde1e..d13cd56 100644
--- a/cfg/aks-1.0/policies.yaml
+++ b/cfg/aks-1.0/policies.yaml
@@ -121,7 +121,7 @@ groups: - id: 4.2.8 text: "Minimize the admission of containers with added capabilities (Automated)" - type: "manual" + type: manual remediation: | Ensure that allowedCapabilities is not present in PSPs for the cluster unless it is set to an empty array.
diff --git a/cfg/cis-1.5/node.yaml b/cfg/cis-1.5/node.yaml
index 8823598..1523b22 100644
--- a/cfg/cis-1.5/node.yaml
+++ b/cfg/cis-1.5/node.yaml
@@ -433,32 +433,6 @@ groups: systemctl daemon-reload systemctl restart kubelet.service scored: true - - - id: 4.2.12 - text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" - audit: "/bin/ps -fC $kubeletbin" - audit_config: "/bin/cat $kubeletconf" - tests: - bin_op: or - test_items: - - flag: RotateKubeletServerCertificate - path: '{.featureGates.RotateKubeletServerCertificate}' - set: true - compare: - op: nothave - value: false - - flag: RotateKubeletServerCertificate - path: '{.featureGates.RotateKubeletServerCertificate}' - set: false - remediation: | - Edit the kubelet service file $kubeletsvc - on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. - --feature-gates=RotateKubeletServerCertificate=true - Based on your system, restart the kubelet service. For example: - systemctl daemon-reload - systemctl restart kubelet.service - scored: true - - id: 4.2.13 text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)" audit: "/bin/ps -fC $kubeletbin"
diff --git a/cfg/cis-1.9/node.yaml b/cfg/cis-1.9/node.yaml
index bd7cc1f..2ad0277 100644
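Review bot: Deleting 4.2.12 from cfg/cis-1.5/node.yaml removes the kubelet RotateKubeletServerCertificate control from the generic CIS 1.5 profile, which runs on clusters that are not provisioned by RKE at all, so those users silently lose a scored finding rather than seeing a skip. The commit message scopes the skips to RKE2, and the RKE-specific profile in this same patch handles the identical control with `type: skip` in cfg/rke-cis-1.24/node.yaml; the cis-1.5 hunk should either be reverted or changed to that form so the check still appears in the report as skipped with its reason. The enclosing checks list continues outside the hunk.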
--- a/cfg/cis-1.9/node.yaml
+++ b/cfg/cis-1.9/node.yaml
@@ -428,6 +428,7 @@ groups: compare: op: valid_elements value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 + type: manual remediation: | If using a Kubelet config file, edit the file to set `TLSCipherSuites` to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
diff --git a/cfg/rke-cis-1.24/master.yaml b/cfg/rke-cis-1.24/master.yaml
index c08d6e5..114615a 100644
--- a/cfg/rke-cis-1.24/master.yaml
+++ b/cfg/rke-cis-1.24/master.yaml
@@ -139,14 +139,16 @@ groups: scored: false - id: 1.1.10 - text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)" + text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" audit: | ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G + use_multiple_values: true tests: test_items: - flag: "root:root" + type: manual remediation: | Run the below command (based on the file location on your system) on the control plane node. For example,
@@ -163,6 +165,7 @@ groups: op: eq value: "700" set: true + type: manual remediation: | On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the command 'ps -ef | grep etcd'.
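Review bot: Adding `type: manual` to the kubelet cipher-suite check in cfg/cis-1.9/node.yaml converts an automated comparison (the `op: valid_elements` test right above the new line) into a manual result for every cis-1.9 user, not only RKE, which is outside what the commit message describes; as I read kube-bench, manual checks are reported as WARN without the test being evaluated, so the `tests:` block becomes dead weight. If the intent is to match the benchmark's own Manual label, the check's `text` line and `scored` value (both above this hunk) need to agree with it and the change deserves its own commit with that rationale; if the check is automatable, the line should be dropped. The check definition starts before this hunk.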
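Review bot: Marking 1.1.10 `type: manual` discards the automation that the same hunk improves: the new `use_multiple_values: true` and the `flag: "root:root"` test are only meaningful when kube-bench actually runs the `audit:` pipeline, which, as I understand the runner, it does not do for manual checks, so both stat commands become unreachable and the check degrades to a WARN. If the motivation is that RKE's kubelet does not pass `--cni-conf-dir` so the first pipeline yields nothing, the better fix is to keep the check automated and make the audit RKE-specific (the second `find /var/lib/cni/networks` command already goes that way); if it really must be manual, remove `use_multiple_values` and the `tests:` block rather than leaving logic that never executes. The `(Manual)` relabel in `text:` is then at least consistent with the type.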
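Review bot: The `type: manual` inserted between `set: true` and `remediation:` downgrades an exact `op: eq` / `value: "700"` comparison on the etcd data-directory mode to a result that is only actioned if someone reads the remediation. If the automated check misfires on RKE because etcd runs containerised and the audit (above this hunk) inspects the wrong path, fixing the audit keeps the automated verdict; if it genuinely must be manual, the check's `text` label and `scored` value, both above the hunk, should be updated to say so, and a one-line comment such as `# manual on RKE: <reason the eq test cannot be trusted>` next to the new line would stop the next reviewer from re-automating it. The check definition starts before this hunk.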
@@ -287,7 +290,7 @@ groups: scored: true - id: 1.1.20 - text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Automated)" + text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)" audit: | if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi tests:
@@ -298,6 +301,7 @@ groups: compare: op: bitmask value: "600" + type: manual remediation: | Run the below command (based on the file location on your system) on the control plane node. For example,
@@ -951,12 +955,13 @@ groups: set: true - flag: "--feature-gates" set: false + type: skip remediation: | Edit the Controller Manager pod specification file $controllermanagerconf on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. --feature-gates=RotateKubeletServerCertificate=true Cluster provisioned by RKE handles certificate rotation directly through RKE. - scored: true + - id: 1.3.7 text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
diff --git a/cfg/rke-cis-1.24/node.yaml b/cfg/rke-cis-1.24/node.yaml
index ca5dcc1..3d70aeb 100644
--- a/cfg/rke-cis-1.24/node.yaml
+++ b/cfg/rke-cis-1.24/node.yaml
@@ -410,7 +410,7 @@ groups: - id: 4.2.12 text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)" - type: "manual" + type: skip audit: "/bin/ps -fC $kubeletbin" audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " tests:
@@ -432,7 +432,6 @@ groups: systemctl daemon-reload systemctl restart kubelet.service Clusters provisioned by RKE handles certificate rotation directly through RKE. - scored: false - id: 4.2.13 text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated)"
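Review bot: Setting 1.1.20 to `type: manual` (with the `(Manual)` relabel in the preceding hunk) drops an automated PKI permission check that already has an RKE-specific audit: the `find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem'` command handles the empty case with `echo "File not found"` and feeds a bitmask-600 test, so it is not obvious what fails on RKE. Unless the audit is known to misreport, keeping it automated preserves a real finding; if it does misreport, the reason should be recorded next to the new line, e.g. `type: manual  # RKE: <why the bitmask test cannot be trusted here>`, so the downgrade is not silently reverted later. The check's `scored` value is outside this hunk and should match the new type.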
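Review bot: With 1.3.6 now `type: skip`, the `scored: true` line is removed but replaced by a `+` line that appears to be empty or whitespace-only; if the key is meant to go, the line should go with it (the node-side hunk below drops `scored: false` without adding anything, so the two edits are inconsistent), and a whitespace-only line is a yamllint trailing-spaces error. The remediation text also still instructs the operator to set `--feature-gates=RotateKubeletServerCertificate=true` on the controller manager while its last line says RKE handles rotation; for a skipped check the first three lines are misleading and should be cut down to the RKE sentence. The check definition starts before this hunk.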
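Review bot: Changing 4.2.12 from `type: manual` to `type: skip` removes the WARN and remediation text from the node report, so a kubelet that has been reconfigured with `RotateKubeletServerCertificate=false` on an RKE node will not surface at all; the justification kept in the remediation ("RKE handles certificate rotation directly") is about who rotates the certificates, not about whether the feature gate can be turned off on a node, so as I read it the check still has a purpose. Since `audit`, `audit_config` and the `tests:` block (which continues past the hunk) are all left in place, keeping the check manual so the operator sees the result costs nothing; if skip is really wanted, the `text:` line should no longer read `(Manual)`. The check's tests continue outside this hunk.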