diff --git a/cfg/1.8/node.yaml b/cfg/1.8/node.yaml index de0f8b5..c8c51f2 100644 --- a/cfg/1.8/node.yaml +++ b/cfg/1.8/node.yaml @@ -1,6 +1,6 @@ --- controls: -version: 1.7 +version: 1.8 id: 2 text: "Worker Node Security Configuration" type: "node" @@ -8,260 +8,296 @@ groups: - id: 2.1 text: "Kubelet" checks: - - id: 2.1.1 - text: "Ensure that the --allow-privileged argument is set to false (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "--allow-privileged" - compare: - op: eq - value: false - set: true - remediation: "Edit the $kubeletconf file on each node and set the KUBE_ALLOW_PRIV - parameter to \"--allow-privileged=false\"" - scored: true + - id: 2.1.1 + text: "Ensure that the --allow-privileged argument is set to false (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--allow-privileged" + compare: + op: eq + value: false + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --allow-privileged=false + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - - id: 2.1.2 - text: "Ensure that the --anonymous-auth argument is set to false (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "--anonymous-auth" - compare: - op: eq - value: false - set: true - remediation: "Edit the $kubeletconf file on the master node and set the - KUBELET_ARGS parameter to \"--anonymous-auth=false\"" - scored: true - - - id: 2.1.3 - text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "--authorization-mode" - compare: - op: nothave - value: "AlwaysAllow" - set: true - remediation: "Edit the $kubeletconf file on each node and set the - KUBELET_ARGS parameter to \"--authorization-mode=Webhook\"" - scored: true - - - id: 2.1.4 - text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "--client-ca-file" - set: true - remediation: "Follow the Kubernetes documentation and setup the TLS connection between - the apiserver and kubelets. Then, edit the $kubeletconf file on each node - and set the KUBELET_ARGS parameter to \"--client-ca-file=\"" - scored: true + - id: 2.1.2 + text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--anonymous-auth" + compare: + op: eq + value: false + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --anonymous-auth=false + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - - id: 2.1.5 - text: "Ensure that the --read-only-port argument is set to 0 (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "--read-only-port" - compare: - op: eq - value: 0 - set: true - remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS - parameter to \"--read-only-port=0\"" - scored: true - - - id: 2.1.6 - text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - bin_op: or - test_items: - - flag: "--streaming-connection-idle-timeout" - compare: - op: noteq - value: 0 - set: true - remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS - parameter to \"--streaming-connection-idle-timeout=\"" - scored: true + - id: 2.1.3 + text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--authorization-mode" + compare: + op: nothave + value: "AlwaysAllow" + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. + --authorization-mode=Webhook + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - - id: 2.1.7 - text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "--protect-kernel-defaults" - compare: - op: eq - value: true - set: true - remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS - parameter to \"--protect-kernel-defaults=true\"" - scored: true + - id: 2.1.4 + text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--client-ca-file" + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. + --client-ca-file= + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - - id: 2.1.8 - text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - bin_op: or - test_items: - - flag: "--make-iptables-util-chains" - compare: - op: eq - value: true - set: true - - flag: "--make-iptables-util-chains" - set: false - remediation: "Edit the $kubeletconf file on each node and remove the - --make-iptables-util-chains argument from the KUBELET_ARGS parameter." - scored: true + - id: 2.1.5 + text: "Ensure that the --read-only-port argument is set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--read-only-port" + compare: + op: eq + value: 0 + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --read-only-port=0 + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - - id: 2.1.9 - text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "--keep-terminated-pod-volumes" - compare: - op: eq - value: false - set: true - remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS - parameter to \"--keep-terminated-pod-volumes=false\"" - scored: true + - id: 2.1.6 + text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--streaming-connection-idle-timeout" + compare: + op: noteq + value: 0 + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --streaming-connection-idle-timeout=5m + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - - id: 2.1.10 - text: "Ensure that the --hostname-override argument is not set (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "--hostname-override" - set: false - remediation: "Edit the $kubeletconf file on each node and set the KUBELET_HOSTNAME - parameter to \"\"" - scored: true + - id: 2.1.7 + text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--protect-kernel-defaults" + compare: + op: eq + value: true + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --protect-kernel-defaults=true + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - - id: 2.1.11 - text: "Ensure that the --event-qps argument is set to 0 (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "--event-qps" - compare: - op: eq - value: 0 - set: true - remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS - parameter to \"--event-qps=0\"" - scored: true + - id: 2.1.8 + text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--make-iptables-util-chains" + compare: + op: eq + value: true + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and remove the --make-iptables-util-chains argument from the + KUBELET_SYSTEM_PODS_ARGS variable. + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - - id: 2.1.12 - text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "--tls-cert-file" - set: true - - flag: "--tls-private-key-file" - set: true - remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet. - Then, edit the $kubeletconf file on the master node and set the KUBELET_ARGS - parameter to include \"--tls-cert-file=\" and - \"--tls-private-key-file=\"" - scored: true + - id: 2.1.9 + text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--keep-terminated-pod-volumes" + compare: + op: eq + value: false + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --keep-terminated-pod-volumes=false + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - - id: 2.1.13 - text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "--cadvisor-port" - compare: - op: eq - value: 0 - set: true - remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter - to \"--cadvisor-port=0\"" - scored: true + - id: 2.1.10 + text: "Ensure that the --hostname-override argument is not set (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--hostname-override" + set: false + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and remove the --hostname-override argument from the + KUBELET_SYSTEM_PODS_ARGS variable. + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - - id: 2.1.14 - text: "Ensure that the RotateKubeletClientCertificate argument is set to true" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "RotateKubeletClientCertificate" - compare: - op: eq - value: true - set: true - remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter - to a value to include \"--feature-gates=RotateKubeletClientCertificate=true\"." - scored: true + - id: 2.1.11 + text: "Ensure that the --event-qps argument is set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--event-qps" + compare: + op: eq + value: 0 + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. + --event-qps=0 + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - - id: 2.1.15 - text: "Ensure that the RotateKubeletServerCertificate argument is set to true" - audit: "ps -ef | grep $kubeletbin | grep -v grep" - tests: - test_items: - - flag: "RotateKubeletServerCertificate" - compare: - op: eq - value: true - set: true - remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter - to a value to include \"--feature-gates=RotateKubeletServerCertificate=true\"." - scored: true + - id: 2.1.12 + text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--tls-cert-file" + set: true + - flag: "--tls-private-key-file" + set: true + remediation: | + Follow the Kubernetes documentation and set up the TLS connection on the Kubelet. + Then edit the kubelet service file /etc/systemd/system/kubelet.service.d/10- + kubeadm.conf on each worker node and set the below parameters in + KUBELET_CERTIFICATE_ARGS variable. + --tls-cert-file= + file= + --tls-private-key- + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + + - id: 2.1.13 + text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "--cadvisor-port" + compare: + op: eq + value: 0 + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. + --cadvisor-port=0 + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + + - id: 2.1.14 + text: "Ensure that the RotateKubeletClientCertificate argument is set to true" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "RotateKubeletClientCertificate" + compare: + op: eq + value: true + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and remove the --feature- + gates=RotateKubeletClientCertificate=false argument from the + KUBELET_CERTIFICATE_ARGS variable. + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true + + - id: 2.1.15 + text: "Ensure that the RotateKubeletServerCertificate argument is set to true" + audit: "ps -ef | grep $kubeletbin | grep -v grep" + tests: + test_items: + - flag: "RotateKubeletServerCertificate" + compare: + op: eq + value: true + set: true + remediation: | + Edit the kubelet service file $kubeletunitfile + on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. + --feature-gates=RotateKubeletServerCertificate=true + Based on your system, restart the kubelet service. For example: + systemctl daemon-reload + systemctl restart kubelet.service + scored: true - id: 2.2 text: "Configuration Files" checks: - id: 2.2.1 - text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'" - tests: - bin_op: or - test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chmod 644 $kubernetesconf" - scored: true - - - id: 2.2.2 - text: "Ensure that the config file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: root:root - set: true - remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chown root:root $kubernetesconf" - scored: true - - - id: 2.2.3 - text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" + text: "Ensure that the kubelet.conf file permissions are set to 644 or + more restrictive (Scored)" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" tests: bin_op: or @@ -269,7 +305,7 @@ groups: - flag: "644" compare: op: eq - value: 644 + value: "644" set: true - flag: "640" compare: @@ -281,90 +317,124 @@ groups: op: eq value: "600" set: true - remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chmod 644 $kubeletconf" + remediation: | + Run the below command (based on the file location on your system) on the each worker + node. For example, + chmod 644 $kubeletconf scored: true - - id: 2.2.4 - text: "Ensure that the kubelet file ownership is set to root:root (Scored)" + - id: 2.2.2 + text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" tests: test_items: - flag: "root:root" + compare: + op: eq + value: root:root set: true - remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chown root:root $kubeletconf" + remediation: | + Run the below command (based on the file location on your system) on the each worker + node. For example, + chown root:root /etc/kubernetes/kubelet.conf + scored: true + + - id: 2.2.3 + text: "Ensure that the kubelet service file permissions are set to 644 or + more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %a $kubeletunitfile; fi'" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: 644 + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: | + Run the below command (based on the file location on your system) on the each worker + node. For example, + chmod 755 $kubeletunitfile + scored: true + + - id: 2.2.4 + text: "Ensure that the kubelet service file permissions are set to 644 or + more restrictive (Scored)" + audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %U:%G $kubeletunitfile; fi'" + tests: + test_items: + - flag: "root:root" + set: true + remediation: | + Run the below command (based on the file location on your system) on the each worker + node. For example, + chown root:root $kubeletunitfile scored: true - id: 2.2.5 - text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" + text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more + restrictive (Scored)" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" tests: bin_op: or test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chmod 644 $proxyconf" + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: | + Run the below command (based on the file location on your system) on the each worker + node. For example, + chmod 644 $proxyconf scored: true - id: 2.2.6 - text: "Ensure that the proxy file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'" + text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" tests: test_items: - - flag: "root:root" - set: true - remediation: "Run the below command (based on the file location on your system) on the each worker node. - \nFor example, chown root:root $proxyconf" + - flag: "root:root" + set: true + remediation: | + Run the below command (based on the file location on your system) on the each worker + node. For example, + chown root:root $proxyconf scored: true - id: 2.2.7 text: "Ensure that the certificate authorities file permissions are set to - 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'" - tests: - bin_op: or - test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - remediation: "Run the following command to modify the file permissions of the --client-ca-file - \nchmod 644 " + 644 or more restrictive (Scored)" + type: manual + remediation: | + Run the following command to modify the file permissions of the --client-ca-file + chmod 644 scored: true - id: 2.2.8 text: "Ensure that the client certificate authorities file ownership is set to root:root" audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" - tests: - test_items: - - flag: "notexist:notexist" - set: true - remediation: "Run the following command to modify the ownership of the --client-ca-file. - \nchown root:root " + type: manual + remediation: | + Run the following command to modify the ownership of the --client-ca-file . + chown root:root scored: true