mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-01-19 12:11:03 +00:00

Add [Manual test] to remediation in all the manual tests (#435)

This commit is contained in:
yoavrotems 2019-10-09 15:26:02 +00:00 committed by Liz Rice
parent 37f626dce6
commit 89afda1f63
12 changed files with 175 additions and 59 deletions

View File

@ -462,8 +462,9 @@ groups:
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
type: manual
type: "manual"
remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
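Review bot: `scored: true` on a check that is `type: "manual"` and now carries the `[Manual test]` label is inconsistent with the other manual checks in this change, which are `scored: false`; confirm whether 2.2.7 should count toward the score, since a manual check is never evaluated by the tool. Also, hardcoding `[Manual test]` as the first line of every remediation duplicates what the `type` field already says; emitting the label from `type` at output time would avoid keeping dozens of copies in sync across the version files.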

View File

@ -579,6 +579,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider.
For example,
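Review bot: grammar in the remediation text, "configure a EncryptionConfig file" should read "configure an EncryptionConfig file"; the same sentence recurs in the other encryption-provider hunks in this change and could be fixed together.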
@ -1001,8 +1002,9 @@ groups:
text: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>"
type: manual
type: "manual"
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 <path/to/cni/files>
@ -1012,8 +1014,9 @@ groups:
text: "Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)"
audit: "stat -c %U:%G <path/to/cni/files>"
type: manual
type: "manual"
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root <path/to/cni/files>
@ -1297,6 +1300,7 @@ groups:
- flag: "--trusted-ca-file"
set: true
remediation: |
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
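Review bot: the `[Manual test]` label is added to a remediation whose visible context has an automated test item (`- flag: "--trusted-ca-file"`, `set: true`), so kube-bench can evaluate this check itself; unless the check is also `type: "manual"`, labelling it as a manual test will mislead whoever reads the remediation. Either confirm the type or drop the label here.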
@ -1311,6 +1315,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name]
scored: false
@ -1319,6 +1324,7 @@ groups:
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you
need them.
scored: false
@ -1327,6 +1333,7 @@ groups:
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
@ -1335,6 +1342,7 @@ groups:
definitions (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
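Review bot: the remediation tells users to pass `--feature-gates=AllAlpha=true` to the API server, which enables every alpha feature rather than only seccomp and widens the control plane's exposure to unfinished code; the remediation should name just the gate needed for the version in use. Separately, the flag is split across a hyphenated line break (`"--feature-` / `gates=AllAlpha=true"`), and in a `|` block scalar that break is preserved literally, so anyone copying the remediation pastes a broken argument; join it onto one line.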
@ -1361,6 +1369,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
@ -1370,6 +1379,7 @@ groups:
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored: false
@ -1377,6 +1387,7 @@ groups:
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic:
@ -1393,6 +1404,7 @@ groups:
privileged containers usage (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false
@ -1403,6 +1415,7 @@ groups:
text: "Do not admit privileged containers (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
scored: false
@ -1410,6 +1423,7 @@ groups:
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
scored: false
@ -1417,6 +1431,7 @@ groups:
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
scored: false
@ -1424,6 +1439,7 @@ groups:
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
scored: false
@ -1431,6 +1447,7 @@ groups:
text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
scored: false
@ -1438,6 +1455,7 @@ groups:
text: "Do not admit root containers (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
scored: false
@ -1445,5 +1463,6 @@ groups:
text: "Do not admit containers with dangerous capabilities (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false

View File

@ -451,8 +451,9 @@ groups:
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
type: manual
type: "manual"
remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true

View File

@ -231,7 +231,7 @@ groups:
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "ps -fC $kubeletbin"
type: skip
type: "skip"
tests:
bin_op: or
test_items:
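Review bot: this hunk only changes `type: skip` to `type: "skip"`; the quoting is cosmetic and outside the scope stated in the commit message, though it does make `type` consistently quoted with `type: "manual"` elsewhere. Consider mentioning the quoting normalisation in the commit message. While here, the comment above reads "instead reading the Kubelet Configuration file" and should be "instead of reading".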
@ -444,8 +444,9 @@ groups:
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
type: manual
type: "manual"
remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true

View File

@ -188,7 +188,7 @@ groups:
- id: 1.1.12
text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: skip
type: "skip"
tests:
test_items:
- flag: "--enable-admission-plugins"
@ -571,6 +571,7 @@ groups:
- flag: "--encryption-provider-config"
set: true
remediation: |
[Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file $apiserverconf on the
master node and set the --encryption-provider-config parameter
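Review bot: this remediation gains the `[Manual test]` label although the visible context shows an automated test item (`- flag: "--encryption-provider-config"`, `set: true`), i.e. a flag check the tool can run on its own; the label contradicts how this check is actually evaluated unless the check is also `type: "manual"`. Confirm the type before labelling it manual.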
@ -583,6 +584,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider.
For example,
@ -1003,8 +1005,9 @@ groups:
text: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>"
type: manual
type: "manual"
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 <path/to/cni/files>
@ -1014,8 +1017,9 @@ groups:
text: "Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)"
audit: "stat -c %U:%G <path/to/cni/files>"
type: manual
type: "manual"
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root <path/to/cni/files>
@ -1194,6 +1198,7 @@ groups:
value: "root root"
set: true
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example, chown -R root:root /etc/kubernetes/pki/
scored: true
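Review bot: the `[Manual test]` label is added to a check that has a concrete expected `value: "root root"` with `set: true` and is `scored: true`; that is an automated, scored check, so the label does not describe how kube-bench runs it. Drop the label here, or restrict it to checks that are actually `type: "manual"`.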
@ -1221,6 +1226,7 @@ groups:
value: "600"
set: true
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
scored: true
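Review bot: the test expects `value: "600"` but the remediation runs `chmod -R 644 /etc/kubernetes/pki/*.crt`; unless the comparison operator in the (not shown) test item accepts 644, following the remediation leaves the check failing. Align the two (the other permission checks in this change use 644 for certificate files) and drop `-R`, which has no effect on a file glob. The `[Manual test]` label also does not fit a check with a concrete expected value and `scored: true`.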
@ -1237,6 +1243,7 @@ groups:
value: "600"
set: true
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 600 /etc/kubernetes/pki/*.key
scored: true
@ -1358,6 +1365,7 @@ groups:
- flag: "--trusted-ca-file"
set: true
remediation: |
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
@ -1372,6 +1380,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name]
scored: false
@ -1380,6 +1389,7 @@ groups:
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you
need them.
scored: false
@ -1388,6 +1398,7 @@ groups:
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
@ -1396,6 +1407,7 @@ groups:
definitions (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
@ -1422,6 +1434,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
@ -1431,6 +1444,7 @@ groups:
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored: false
@ -1438,6 +1452,7 @@ groups:
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic:
@ -1454,6 +1469,7 @@ groups:
privileged containers usage (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false
@ -1464,6 +1480,7 @@ groups:
text: "Do not admit privileged containers (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
scored: false
@ -1471,6 +1488,7 @@ groups:
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
scored: false
@ -1478,6 +1496,7 @@ groups:
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
scored: false
@ -1485,6 +1504,7 @@ groups:
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
scored: false
@ -1492,6 +1512,7 @@ groups:
text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
scored: false
@ -1499,6 +1520,7 @@ groups:
text: "Do not admit root containers (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
scored: false
@ -1506,5 +1528,6 @@ groups:
text: "Do not admit containers with dangerous capabilities (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false

View File

@ -225,7 +225,7 @@ groups:
- id: 2.1.11
text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
audit: "ps -fC $kubeletbin"
type: skip
type: "skip"
tests:
bin_op: or
test_items:
@ -433,8 +433,9 @@ groups:
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
type: manual
type: "manual"
remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true

View File

@ -909,58 +909,73 @@ groups:
- id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
remediation: |
[Manual test]
Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
scored: false
- id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
suggested Pod Security Policies for your environment."
remediation: |
[Manual test]
Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
suggested Pod Security Policies for your environment.
scored: false
- id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
need them."
remediation: |
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you need them.
scored: false
- id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
remediation: |
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
- id: 1.6.5
text: "Avoid using Kubernetes Secrets (Not Scored)"
type: "manual"
remediation: "Use other mechanisms such as vaults to manage your cluster secrets."
remediation: |
[Manual test]
Use other mechanisms such as vaults to manage your cluster secrets.
scored: false
- id: 1.6.6
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual"
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing \"--feature-
gates=AllAlpha=true\" argument.\n
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
parameter to \"--feature-gates=AllAlpha=true\"
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
remediation: |
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
parameter to "--feature-gates=AllAlpha=true"
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
scored: false
- id: 1.6.7
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers."
remediation: |
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
scored: false
- id: 1.6.8
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and setup image provenance."
remediation: |
[Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored: false
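Review bot: converting the double-quoted scalars to `|` literal blocks changes the rendered text: YAML folds line breaks inside a quoted scalar into spaces, whereas `|` preserves them, so the remediations now print over several lines, which reads better, but the hyphenated break inside the flag in 1.6.6 (`"--feature-` / `gates=AllAlpha=true"`) is now preserved verbatim and will be pasted as a broken argument; join it onto one line. In 1.6.2, "you could refer the" should read "you could refer to the".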

View File

@ -484,8 +484,10 @@ groups:
text: "Ensure that the encryption provider is set to aescbc (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider"
remediation: |
[Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider
scored: true
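Review bot: the remediation now ends mid-sentence ("choose aescbc as the encryption provider" with no period), while the same text in the other version files ends with a period and continues with an example; add the period, and the example if it applies to this version.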
- id: 1.2
@ -572,9 +574,11 @@ groups:
- id: 1.3.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
\"--feature-gates=RotateKubeletServerCertificate=true\""
remediation: |
[Manual test]
Edit the /etc/kubernetes/controller-manager file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
"--feature-gates=RotateKubeletServerCertificate=true"
scored: false
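Review bot: the check text "Apply Security Context to Your Pods and Containers" does not match its remediation, which edits `/etc/kubernetes/controller-manager` and sets `--feature-gates=RotateKubeletServerCertificate=true`; that reads like the remediation for a kubelet certificate rotation check pasted under 1.3.6. Since this hunk rewrites the remediation anyway, correct the text so the check and its fix agree.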
- id: 1.3.7
@ -971,58 +975,73 @@ groups:
- id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
remediation: |
[Manual test]
Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
scored: false
- id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
suggested Pod Security Policies for your environment."
remediation: |
[Manual test]
Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
suggested Pod Security Policies for your environment.
scored: false
- id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
need them."
remediation: |
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you need them.
scored: false
- id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
remediation: |
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
- id: 1.6.5
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual"
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing \"--feature-
gates=AllAlpha=true\" argument.\n
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
parameter to \"--feature-gates=AllAlpha=true\"
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
remediation: |
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
parameter to "--feature-gates=AllAlpha=true"
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
scored: false
- id: 1.6.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers."
remediation: |
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
scored: false
- id: 1.6.7
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and setup image provenance."
remediation: |
[Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored: false
- id: 1.6.8
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
remediation: |
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
scored: false
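Review bot: the seccomp remediation in 1.6.5 here carries the same hyphenated break inside `"--feature-` / `gates=AllAlpha=true"` as the other version file; with the new `|` block scalar that break is kept literally, so the flag should be joined onto one line in both files. The `refer the` wording in 1.6.2 also needs "refer to the".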

View File

@ -559,6 +559,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider.
For example,
@ -597,6 +598,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and set the desired audit policy in the
/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf
and set the below parameters.
@ -608,6 +610,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
[Manual test]
Edit the API server pod specification file $apiserverconf
and set the below parameter as appropriate and if needed. For example,
--request-timeout=300s
@ -713,6 +716,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
@ -922,8 +926,9 @@ groups:
text: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>"
type: manual
type: "manual"
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 <path/to/cni/files>
@ -933,8 +938,9 @@ groups:
text: "Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)"
audit: "stat -c %U:%G <path/to/cni/files>"
type: manual
type: "manual"
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root <path/to/cni/files>
@ -1263,6 +1269,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name]
scored: false
@ -1271,6 +1278,7 @@ groups:
text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
suggested Pod Security Policies for your environment.
@ -1280,6 +1288,7 @@ groups:
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you
need them.
scored: false
@ -1288,6 +1297,7 @@ groups:
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
@ -1296,6 +1306,7 @@ groups:
definitions (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
@ -1322,6 +1333,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
@ -1331,6 +1343,7 @@ groups:
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored: false
@ -1338,6 +1351,7 @@ groups:
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic:
@ -1354,5 +1368,6 @@ groups:
privileged containers usage (Not Scored)"
type: "manual"
remediation: |
[Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false

View File

@ -423,8 +423,9 @@ groups:
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
type: manual
type: "manual"
remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true

View File

@ -410,7 +410,7 @@ groups:
- id: 1.23
text: "Verify that the service account lookup flag is not set"
type: skip
type: "skip"
scored: true
- id: 1.24
@ -675,8 +675,9 @@ groups:
- id: 1.37
text: "Adjust the request timeout argument for your cluster resources"
audit: "grep request-timeout /etc/origin/master/master-config.yaml"
type: manual
type: "manual"
remediation: |
[Manual test]
change the request-timeout value in the  /etc/origin/master/master-config.yaml
scored: true
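Review bot: the remediation line starts in lowercase and has a double space ("change the request-timeout value in the  /etc/origin/master/master-config.yaml"); capitalise it and tidy the spacing. As with 2.2.7 in the Kubernetes files, `scored: true` on a `type: "manual"` check is inconsistent with the other manual checks in this change, which are `scored: false`.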
@ -1313,6 +1314,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required"
type: "manual"
remediation: |
[Manual test]
Review users, groups, serviceaccounts bound to cluster-admin:
oc get clusterrolebindings | grep cluster-admin
@ -1324,6 +1326,7 @@ groups:
text: "Verify Security Context Constraints as in use"
type: "manual"
remediation: |
[Manual test]
Review Security Context Constraints:
oc get scc
@ -1341,6 +1344,7 @@ groups:
text: "Use OpenShift projects to maintain boundaries between resources"
type: "manual"
remediation: |
[Manual test]
Review projects:
oc get projects
scored: false
@ -1349,6 +1353,7 @@ groups:
text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
type: "manual"
remediation: |
[Manual test]
Verify on masters the plugin being used:
grep networkPluginName /etc/origin/master/master-config.yaml
@ -1372,6 +1377,7 @@ groups:
text: "Enable seccomp and configure custom Security Context Constraints"
type: "manual"
remediation: |
[Manual test]
Verify SCCs that have been configured with seccomp:
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
@ -1386,6 +1392,7 @@ groups:
text: "Review Security Context Constraints"
type: "manual"
remediation: |
[Manual test]
Review SCCs:
oc describe scc
@ -1410,6 +1417,7 @@ groups:
text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
type: "manual"
remediation: |
[Manual test]
Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
scored: false
@ -1417,6 +1425,7 @@ groups:
text: "Configure Network policies as appropriate"
type: "manual"
remediation: |
[Manual test]
If ovs-networkplugin is used, review network policies:
oc get networkpolicies
@ -1429,6 +1438,7 @@ groups:
text: "Use Security Context Constraints as compensating controls for privileged containers"
type: "manual"
remediation: |
[Manual test]
1) Determine all sccs allowing privileged containers:
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
2) Review users and groups assigned to sccs allowing priviliged containers:
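Review bot: typo in the context line "2) Review users and groups assigned to sccs allowing priviliged containers:", "priviliged" should be "privileged". It is pre-existing, but this hunk already touches the remediation block, so it is a cheap fix to include.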

View File

@ -410,7 +410,7 @@ groups:
- id: 1.23
text: "Verify that the service account lookup flag is not set"
type: skip
type: "skip"
scored: true
- id: 1.24
@ -675,8 +675,9 @@ groups:
- id: 1.37
text: "Adjust the request timeout argument for your cluster resources"
audit: "grep request-timeout /etc/origin/master/master-config.yaml"
type: manual
type: "manual"
remediation: |
[Manual test]
change the request-timeout value in the  /etc/origin/master/master-config.yaml
scored: true
@ -1313,6 +1314,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required"
type: "manual"
remediation: |
[Manual test]
Review users, groups, serviceaccounts bound to cluster-admin:
oc get clusterrolebindings | grep cluster-admin
@ -1324,6 +1326,7 @@ groups:
text: "Verify Security Context Constraints as in use"
type: "manual"
remediation: |
[Manual test]
Review Security Context Constraints:
oc get scc
@ -1341,6 +1344,7 @@ groups:
text: "Use OpenShift projects to maintain boundaries between resources"
type: "manual"
remediation: |
[Manual test]
Review projects:
oc get projects
scored: false
@ -1349,6 +1353,7 @@ groups:
text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
type: "manual"
remediation: |
[Manual test]
Verify on masters the plugin being used:
grep networkPluginName /etc/origin/master/master-config.yaml
@ -1372,6 +1377,7 @@ groups:
text: "Enable seccomp and configure custom Security Context Constraints"
type: "manual"
remediation: |
[Manual test]
Verify SCCs that have been configured with seccomp:
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
@ -1386,6 +1392,7 @@ groups:
text: "Review Security Context Constraints"
type: "manual"
remediation: |
[Manual test]
Review SCCs:
oc describe scc
@ -1410,6 +1417,7 @@ groups:
text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
type: "manual"
remediation: |
[Manual test]
Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
scored: false
@ -1417,6 +1425,7 @@ groups:
text: "Configure Network policies as appropriate"
type: "manual"
remediation: |
[Manual test]
If ovs-networkplugin is used, review network policies:
oc get networkpolicies
@ -1429,6 +1438,7 @@ groups:
text: "Use Security Context Constraints as compensating controls for privileged containers"
type: "manual"
remediation: |
[Manual test]
1) Determine all sccs allowing privileged containers:
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
2) Review users and groups assigned to sccs allowing priviliged containers:
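Review bot: the same "priviliged" typo appears in this file's copy of the remediation ("sccs allowing priviliged containers"); fix it in both OpenShift files in the same commit.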