Update 1.8 node definition.

cfg/1.8/node.yaml

@@ -1,6 +1,6 @@
 ---
 controls:
-version: 1.7
+version: 1.8
 id: 2
 text: "Worker Node Security Configuration"
 type: "node"
@@ -18,8 +18,13 @@ groups:
           op: eq
           value: false
         set: true
-      remediation: "Edit the $kubeletconf file on each node and set the KUBE_ALLOW_PRIV 
+    remediation: |
-              parameter to \"--allow-privileged=false\""
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --allow-privileged=false
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.2
@@ -32,8 +37,13 @@ groups:
           op: eq
           value: false
         set: true
-      remediation: "Edit the $kubeletconf file on the master node and set the 
+    remediation: |
-              KUBELET_ARGS parameter to \"--anonymous-auth=false\""
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --anonymous-auth=false
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.3
@@ -46,8 +56,13 @@ groups:
           op: nothave
           value: "AlwaysAllow"
         set: true
-      remediation: "Edit the $kubeletconf file on each node and set the 
+    remediation: |
-              KUBELET_ARGS parameter to \"--authorization-mode=Webhook\""
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
+      --authorization-mode=Webhook
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.4
@@ -57,9 +72,13 @@ groups:
       test_items:
       - flag: "--client-ca-file"
         set: true 
-      remediation: "Follow the Kubernetes documentation and setup the TLS connection between 
+    remediation: |
-              the apiserver and kubelets. Then, edit the $kubeletconf file on each node 
+      Edit the kubelet service file $kubeletunitfile
-              and set the KUBELET_ARGS parameter to \"--client-ca-file=<path/to/client-ca-file>\""
+      on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
+      --client-ca-file=<path/to/client-ca-file>
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.5
@@ -72,23 +91,32 @@ groups:
           op: eq
           value: 0
         set: true 
-      remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS 
+    remediation: |
-              parameter to \"--read-only-port=0\""
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --read-only-port=0
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.6
     text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
     audit: "ps -ef | grep $kubeletbin | grep -v grep"
     tests:
-        bin_op: or
       test_items:
       - flag: "--streaming-connection-idle-timeout"
         compare:
           op: noteq
           value: 0
         set: true
-      remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS 
+    remediation: |
-              parameter to \"--streaming-connection-idle-timeout=<appropriate-timeout-value>\""
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --streaming-connection-idle-timeout=5m
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.7
@@ -101,8 +129,13 @@ groups:
           op: eq
           value: true
         set: true
-      remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS 
+    remediation: |
-              parameter to \"--protect-kernel-defaults=true\""
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --protect-kernel-defaults=true
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.8
@@ -116,10 +149,13 @@ groups:
           op: eq
           value: true
         set: true
-          - flag: "--make-iptables-util-chains"
+    remediation: |
-            set: false
+      Edit the kubelet service file $kubeletunitfile
-      remediation: "Edit the $kubeletconf file on each node and remove the 
+      on each worker node and remove the --make-iptables-util-chains argument from the
-              --make-iptables-util-chains argument from the KUBELET_ARGS parameter."
+      KUBELET_SYSTEM_PODS_ARGS variable.
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.9
@@ -132,8 +168,13 @@ groups:
           op: eq
           value: false
         set: true
-      remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS 
+    remediation: |
-              parameter to \"--keep-terminated-pod-volumes=false\""
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --keep-terminated-pod-volumes=false
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.10
@@ -143,8 +184,13 @@ groups:
       test_items:
       - flag: "--hostname-override"
         set: false
-      remediation: "Edit the $kubeletconf file on each node and set the KUBELET_HOSTNAME 
+    remediation: |
-              parameter to \"\""
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and remove the --hostname-override argument from the
+      KUBELET_SYSTEM_PODS_ARGS variable.
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.11
@@ -157,8 +203,13 @@ groups:
           op: eq
           value: 0
         set: true
-      remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS 
+    remediation: |
-              parameter to \"--event-qps=0\""
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+      --event-qps=0
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.12
@@ -170,10 +221,17 @@ groups:
         set: true
       - flag: "--tls-private-key-file"
         set: true
-      remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet. 
+    remediation: |
-              Then, edit the $kubeletconf file on the master node and set the KUBELET_ARGS 
+      Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
-              parameter to include \"--tls-cert-file=<path/to/tls-certificate-file>\" and 
+      Then edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-
-              \"--tls-private-key-file=<path/to/tls-key-file>\""
+      kubeadm.conf on each worker node and set the below parameters in
+      KUBELET_CERTIFICATE_ARGS variable.
+      --tls-cert-file=<path/to/tls-certificate-file>
+      file=<path/to/tls-key-file>
+      --tls-private-key-
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.13
@@ -186,8 +244,13 @@ groups:
           op: eq
           value: 0
         set: true
-      remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter 
+    remediation: |
-              to \"--cadvisor-port=0\""
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
+      --cadvisor-port=0
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.14
@@ -200,8 +263,14 @@ groups:
           op: eq
           value: true
         set: true
-      remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
+    remediation: |
-              to a value to include \"--feature-gates=RotateKubeletClientCertificate=true\"."
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and remove the --feature-
+      gates=RotateKubeletClientCertificate=false argument from the
+      KUBELET_CERTIFICATE_ARGS variable.
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
   - id: 2.1.15
@@ -214,16 +283,22 @@ groups:
           op: eq
           value: true
         set: true
-      remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
+    remediation: |
-              to a value to include \"--feature-gates=RotateKubeletServerCertificate=true\"."
+      Edit the kubelet service file $kubeletunitfile
+      on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
+      --feature-gates=RotateKubeletServerCertificate=true
+      Based on your system, restart the kubelet service. For example:
+      systemctl daemon-reload
+      systemctl restart kubelet.service
     scored: true
 
 - id: 2.2
   text: "Configuration Files"
   checks:
     - id: 2.2.1
-      text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
+      text: "Ensure that the kubelet.conf file permissions are set to 644 or
-      audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
+      more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
       tests:
         bin_op: or
         test_items:
@@ -242,13 +317,15 @@ groups:
               op: eq
               value: "600"
             set: true
-      remediation: "Run the below command (based on the file location on your system) on the each worker node. 
+      remediation: |
-              \nFor example, chmod 644 $kubernetesconf"
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chmod 644 $kubeletconf
       scored: true
 
     - id: 2.2.2
-      text: "Ensure that the config file ownership is set to root:root (Scored)"
+      text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
+      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
       tests:
         test_items:
           - flag: "root:root"
@@ -256,13 +333,16 @@ groups:
               op: eq
               value: root:root
             set: true
-      remediation: "Run the below command (based on the file location on your system) on the each worker node. 
+      remediation: |
-              \nFor example, chown root:root $kubernetesconf"
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chown root:root /etc/kubernetes/kubelet.conf
       scored: true
 
     - id: 2.2.3
-      text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
+      text: "Ensure that the kubelet service file permissions are set to 644 or
-      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
+      more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %a $kubeletunitfile; fi'"
       tests:
         bin_op: or
         test_items:
@@ -281,23 +361,29 @@ groups:
             op: eq
             value: "600"
           set: true
-      remediation: "Run the below command (based on the file location on your system) on the each worker node. 
+      remediation: |
-              \nFor example, chmod 644 $kubeletconf"
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chmod 755 $kubeletunitfile
       scored: true
 
     - id: 2.2.4
-      text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
+      text: "Ensure that the kubelet service file permissions are set to 644 or
-      audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
+      more restrictive (Scored)"
+      audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %U:%G $kubeletunitfile; fi'"
       tests:
         test_items:
         - flag: "root:root"
           set: true
-      remediation: "Run the below command (based on the file location on your system) on the each worker node. 
+      remediation: |
-              \nFor example, chown root:root $kubeletconf"
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chown root:root $kubeletunitfile
       scored: true
 
     - id: 2.2.5
-      text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
+      text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
+      restrictive (Scored)"
       audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
       tests:
         bin_op: or
@@ -317,54 +403,38 @@ groups:
             op: eq
             value: "600"
           set: true
-      remediation: "Run the below command (based on the file location on your system) on the each worker node. 
+      remediation: |
-              \nFor example, chmod 644 $proxyconf"
+        Run the below command (based on the file location on your system) on the each worker
+        node. For example,
+        chmod 644 $proxyconf
       scored: true
 
     - id: 2.2.6
-      text: "Ensure that the proxy file ownership is set to root:root (Scored)"
+      text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
-      audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
       tests:
         test_items:
         - flag: "root:root"
           set: true
-      remediation: "Run the below command (based on the file location on your system) on the each worker node. 
+      remediation: |
-              \nFor example, chown root:root $proxyconf"
+          Run the below command (based on the file location on your system) on the each worker
+          node. For example,
+          chown root:root $proxyconf
       scored: true
 
     - id: 2.2.7
       text: "Ensure that the certificate authorities file permissions are set to
       644 or more restrictive (Scored)"
-      audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
+      type: manual
-      tests:
+      remediation: |
-        bin_op: or
+        Run the following command to modify the file permissions of the --client-ca-file
-        test_items:
+        chmod 644 <filename>
-          - flag: "644"
-            compare:
-              op: eq
-              value: "644"
-            set: true
-          - flag: "640"
-            compare:
-              op: eq
-              value: "640"
-            set: true
-          - flag: "600"
-            compare:
-              op: eq
-              value: "600"
-            set: true
-      remediation: "Run the following command to modify the file permissions of the --client-ca-file
-              \nchmod 644 <filename>"
       scored: true
 
     - id: 2.2.8
       text: "Ensure that the client certificate authorities file ownership is set to root:root"
       audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
-      tests:
+      type: manual
-        test_items:
+      remediation: |
-          - flag: "notexist:notexist"
+        Run the following command to modify the ownership of the --client-ca-file .
-            set: true
+        chown root:root <filename>
-      remediation: "Run the following command to modify the ownership of the --client-ca-file.
-              \nchown root:root <filename>"
       scored: true