mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 16:18:07 +00:00

FIXING RKE CIS CHECKS

In this change we are making 2 changes:
1. adding the check Type as manual for some manual checks for which the type was missing or incorrect
2. Some checks are being skipped as they are not applicable to an RKE2 cluster
This commit is contained in:
Saurabh Misra 2024-09-16 16:06:42 +05:30
parent 5a3fd1d896
commit 7e59a9d555
7 changed files with 13 additions and 52 deletions

View File

@ -896,25 +896,7 @@ groups:
--root-ca-file=<path/to/file> --root-ca-file=<path/to/file>
scored: true scored: true
- id: 1.3.6 -
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "RotateKubeletServerCertificate=false"
set: true
- flag: "--feature-gates"
set: false
remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf
on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
--feature-gates=RotateKubeletServerCertificate=true
scored: true
- id: 1.3.7 - id: 1.3.7
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
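Review bot: Deleting check 1.3.6 outright (the removed block from `- id: 1.3.6` through `scored: true`) is inconsistent with how the same check is handled later in this commit, where 1.3.6 keeps its definition, gains `type: skip`, and its remediation text explains that clusters provisioned by RKE handle certificate rotation directly. With the block removed, the benchmark report silently loses the 1.3.6 identifier and a reader comparing against the CIS document cannot tell whether the check was skipped deliberately or forgotten. Suggest keeping the check and marking it `type: skip` with the same RKE note, which also matches the commit message ("some checks are being skipped") rather than deleted.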

View File

@ -150,7 +150,7 @@ groups:
- id: 5.3.2 - id: 5.3.2
text: "Ensure that all Namespaces have Network Policies defined (Manual)" text: "Ensure that all Namespaces have Network Policies defined (Manual)"
type: "manual" type: manual
remediation: | remediation: |
Follow the documentation and create NetworkPolicy objects as you need them. Follow the documentation and create NetworkPolicy objects as you need them.
scored: false scored: false
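Review bot: Changing `type: "manual"` to `type: manual` is a quoting-only change with no semantic effect in YAML; it is fine to take for consistency with the unquoted form used by the other files in this commit, but it is outside the two items listed in the commit message, so a brief mention there would help anyone bisecting this later.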

View File

@ -121,7 +121,7 @@ groups:
- id: 4.2.8 - id: 4.2.8
text: "Minimize the admission of containers with added capabilities (Automated)" text: "Minimize the admission of containers with added capabilities (Automated)"
type: "manual" type: manual
remediation: | remediation: |
Ensure that allowedCapabilities is not present in PSPs for the cluster unless Ensure that allowedCapabilities is not present in PSPs for the cluster unless
it is set to an empty array. it is set to an empty array.
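Review bot: The `text:` line for 4.2.8 still reads "(Automated)" while the check is typed `manual` on both sides of this hunk; the quoting change leaves that mismatch in place. Elsewhere in this commit (1.1.10, 1.1.20) the title was updated to "(Manual)" when the type was changed, so suggest doing the same here:
text: "Minimize the admission of containers with added capabilities (Manual)"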

View File

@ -433,32 +433,6 @@ groups:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
- id: 4.2.12
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: RotateKubeletServerCertificate
path: '{.featureGates.RotateKubeletServerCertificate}'
set: true
compare:
op: nothave
value: false
- flag: RotateKubeletServerCertificate
path: '{.featureGates.RotateKubeletServerCertificate}'
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 4.2.13 - id: 4.2.13
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)" text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
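Review bot: As with 1.3.6 in the first file, 4.2.12 is removed entirely here (the block from `- id: 4.2.12` through `scored: true`), whereas the last file in this commit keeps 4.2.12 and sets `type: skip` with a remediation note that RKE handles certificate rotation. Removing the check drops its id from the report output; marking it `type: skip` preserves traceability to the CIS benchmark numbering and keeps the two RKE node configs consistent. Suggest replacing the deletion with `type: skip` plus the same RKE note.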

View File

@ -428,6 +428,7 @@ groups:
compare: compare:
op: valid_elements op: valid_elements
value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
type: manual
remediation: | remediation: |
If using a Kubelet config file, edit the file to set `TLSCipherSuites` to If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
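Review bot: Adding `type: manual` here leaves the existing `tests:` block with its `valid_elements` comparison in place but no longer evaluated, since a manual check is reported without running its audit; if the intent is to stop auto-evaluating the cipher list, either remove the now-dead test items or leave a comment explaining why they are retained, so the next maintainer does not assume the check is still automated. Also confirm the check's `text:` title (not shown in this hunk) now says "(Manual)", as was done for the title changes elsewhere in this commit.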

View File

@ -139,14 +139,16 @@ groups:
scored: false scored: false
- id: 1.1.10 - id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)" text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
audit: | audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
use_multiple_values: true use_multiple_values: true
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
type: manual
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
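Review bot: This hunk downgrades 1.1.10 from "(Automated)" to "(Manual)" and adds `type: manual`, but nothing in the hunk records why the CNI file ownership check cannot be evaluated automatically on RKE, even though the `audit:` commands and the `root:root` test item are kept. The commit message only says the type was "missing or incorrect", which does not cover turning an automated check into a manual one. Suggest adding a short rationale to the `remediation:` text, in the style of the "Cluster provisioned by RKE handles certificate rotation directly through RKE." note used for 1.3.6, so the weakened coverage is documented in the config itself.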
@ -163,6 +165,7 @@ groups:
op: eq op: eq
value: "700" value: "700"
set: true set: true
type: manual
remediation: | remediation: |
On the etcd server node, get the etcd data directory, passed as an argument --data-dir, On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the command 'ps -ef | grep etcd'. from the command 'ps -ef | grep etcd'.
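Review bot: `type: manual` is added to the etcd data directory permission check (the `value: "700"` test), but the check's `text:` line is outside this hunk and the commit does not show it being relabelled. In the same file, 1.1.10 and 1.1.20 had their titles changed to "(Manual)" alongside the type change; please make the same title update here so the label and the `type:` field agree, and confirm the `tests:` block left above is intended to stay even though it will no longer be evaluated.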
@ -287,7 +290,7 @@ groups:
scored: true scored: true
- id: 1.1.20 - id: 1.1.20
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Automated)" text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"
audit: | audit: |
if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi
tests: tests:
@ -298,6 +301,7 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "600" value: "600"
type: manual
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
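Review bot: With `type: manual` added to 1.1.20, the `bitmask` comparison against `"600"` above it becomes unevaluated configuration. That is acceptable if the audit is meant to remain as documentation for the operator, but the `scored:` field for this check is not visible in the hunk; the other manual check touched by this commit (5.3.2) carries `scored: false`, so suggest setting `scored: false` here too rather than leaving a manual check scored.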
@ -951,12 +955,13 @@ groups:
set: true set: true
- flag: "--feature-gates" - flag: "--feature-gates"
set: false set: false
type: skip
remediation: | remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletServerCertificate=true
Cluster provisioned by RKE handles certificate rotation directly through RKE. Cluster provisioned by RKE handles certificate rotation directly through RKE.
scored: true
- id: 1.3.7 - id: 1.3.7
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
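Review bot: The `scored: true` line is deleted here rather than changed, which leaves `scored` to the loader's default for 1.3.6. Prefer an explicit `scored: false` next to `type: skip`, so the intent is visible in the YAML and does not depend on the default. Separately, `type: skip` is inserted between `test_items` and `remediation:` while the other files in this commit place `type:` directly under `text:`; moving it up would keep the per-check key ordering consistent across the RKE configs. The retained remediation note explaining that RKE handles certificate rotation is the right way to document the skip, and is what the deletions in the first and fourth files of this commit should have used instead.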

View File

@ -410,7 +410,7 @@ groups:
- id: 4.2.12 - id: 4.2.12
text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)" text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
type: "manual" type: skip
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests: tests:
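Review bot: Changing 4.2.12 from `type: "manual"` to `type: skip` is consistent with the 1.3.6 treatment in the previous file, but the `text:` line still reads "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)", so the title now disagrees with the type. The `audit:` and `audit_config:` commands are also retained although a skipped check never runs them; either drop them or note in the remediation that they are kept for operators who want to verify the rotation setting by hand.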
@ -432,7 +432,6 @@ groups:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
Clusters provisioned by RKE handles certificate rotation directly through RKE. Clusters provisioned by RKE handles certificate rotation directly through RKE.
scored: false
- id: 4.2.13 - id: 4.2.13
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated)" text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated)"
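Review bot: Removing the explicit `scored: false` from 4.2.12 makes the check rely on the default value instead of stating it. Since the check is now `type: skip`, keeping `scored: false` in place is harmless and self-documenting, and it matches the pattern the reviewer would expect for the companion change to 1.3.6 in the previous file; suggest restoring the line.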