From 89afda1f63a1e0fb4f695eaf238433cf58ef5240 Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Wed, 9 Oct 2019 15:26:02 +0000 Subject: [PATCH] Add [Manual test] to remediation in all the manual tests (#435) --- cfg/1.11-json/node.yaml | 3 +- cfg/1.11/master.yaml | 23 ++++++++++++-- cfg/1.11/node.yaml | 3 +- cfg/1.13-json/node.yaml | 5 ++-- cfg/1.13/master.yaml | 29 ++++++++++++++++-- cfg/1.13/node.yaml | 5 ++-- cfg/1.6/master.yaml | 51 ++++++++++++++++++++----------- cfg/1.7/master.yaml | 65 ++++++++++++++++++++++++++-------------- cfg/1.8/master.yaml | 19 ++++++++++-- cfg/1.8/node.yaml | 3 +- cfg/ocp-3.10/master.yaml | 14 +++++++-- cfg/ocp-3.11/master.yaml | 14 +++++++-- 12 files changed, 175 insertions(+), 59 deletions(-) diff --git a/cfg/1.11-json/node.yaml b/cfg/1.11-json/node.yaml index 68d8e2d..3d1e781 100644 --- a/cfg/1.11-json/node.yaml +++ b/cfg/1.11-json/node.yaml @@ -462,8 +462,9 @@ groups: - id: 2.2.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" - type: manual + type: "manual" remediation: | + [Manual test] Run the following command to modify the file permissions of the --client-ca-file chmod 644 scored: true diff --git a/cfg/1.11/master.yaml b/cfg/1.11/master.yaml index 9d905ac..b592295 100644 --- a/cfg/1.11/master.yaml +++ b/cfg/1.11/master.yaml @@ -579,6 +579,7 @@ groups: audit: "ps -ef | grep $apiserverbin | grep -v grep" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, choose aescbc as the encryption provider. For example, @@ -1001,8 +1002,9 @@ groups: text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)" audit: "stat -c %a " - type: manual + type: "manual" remediation: | + [Manual test] Run the below command (based on the file location on your system) on the master node. For example, chmod 644 @@ -1012,8 +1014,9 @@ groups: text: "Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)" audit: "stat -c %U:%G " - type: manual + type: "manual" remediation: | + [Manual test] Run the below command (based on the file location on your system) on the master node. For example, chown root:root @@ -1297,6 +1300,7 @@ groups: - flag: "--trusted-ca-file" set: true remediation: | + [Manual test] Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. Then, edit the etcd pod specification file $etcdconf on the @@ -1311,6 +1315,7 @@ groups: text: "Ensure that the cluster-admin role is only used where required (Not Scored)" type: "manual" remediation: | + [Manual test] Remove any unneeded clusterrolebindings : kubectl delete clusterrolebinding [name] scored: false @@ -1319,6 +1324,7 @@ groups: text: "Create administrative boundaries between resources using namespaces (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the documentation and create namespaces for objects in your deployment as you need them. scored: false @@ -1327,6 +1333,7 @@ groups: text: "Create network segmentation using Network Policies (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the documentation and create NetworkPolicy objects as you need them. scored: false @@ -1335,6 +1342,7 @@ groups: definitions (Not Scored)" type: "manual" remediation: | + [Manual test] Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you would need to enable alpha features in the apiserver by passing "--feature- gates=AllAlpha=true" argument. @@ -1361,6 +1369,7 @@ groups: text: "Apply Security Context to Your Pods and Containers (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers. @@ -1370,6 +1379,7 @@ groups: text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and setup image provenance. scored: false @@ -1377,6 +1387,7 @@ groups: text: "Configure Network policies as appropriate (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and setup network policies as appropriate. For example, you could create a "default" isolation policy for a Namespace by creating a NetworkPolicy that selects all pods but does not allow any traffic: @@ -1393,6 +1404,7 @@ groups: privileged containers usage (Not Scored)" type: "manual" remediation: | + [Manual test] Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster. scored: false @@ -1403,6 +1415,7 @@ groups: text: "Do not admit privileged containers (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false. scored: false @@ -1410,6 +1423,7 @@ groups: text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false. scored: false @@ -1417,6 +1431,7 @@ groups: text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false. scored: false @@ -1424,6 +1439,7 @@ groups: text: "Do not admit containers wishing to share the host network namespace (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false. scored: false @@ -1431,6 +1447,7 @@ groups: text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false. scored: false @@ -1438,6 +1455,7 @@ groups: text: "Do not admit root containers (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0. scored: false @@ -1445,5 +1463,6 @@ groups: text: "Do not admit containers with dangerous capabilities (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL. scored: false diff --git a/cfg/1.11/node.yaml b/cfg/1.11/node.yaml index 96098d1..9ddbdaa 100644 --- a/cfg/1.11/node.yaml +++ b/cfg/1.11/node.yaml @@ -451,8 +451,9 @@ groups: - id: 2.2.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" - type: manual + type: "manual" remediation: | + [Manual test] Run the following command to modify the file permissions of the --client-ca-file chmod 644 scored: true diff --git a/cfg/1.13-json/node.yaml b/cfg/1.13-json/node.yaml index 3b34190..e3d4757 100644 --- a/cfg/1.13-json/node.yaml +++ b/cfg/1.13-json/node.yaml @@ -231,7 +231,7 @@ groups: # To check if the property is set as expected, we need to parse the kubelet command # instead reading the Kubelet Configuration file. audit: "ps -fC $kubeletbin" - type: skip + type: "skip" tests: bin_op: or test_items: @@ -444,8 +444,9 @@ groups: - id: 2.2.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" - type: manual + type: "manual" remediation: | + [Manual test] Run the following command to modify the file permissions of the --client-ca-file chmod 644 scored: true diff --git a/cfg/1.13/master.yaml b/cfg/1.13/master.yaml index 46480d9..3402aa8 100644 --- a/cfg/1.13/master.yaml +++ b/cfg/1.13/master.yaml @@ -188,7 +188,7 @@ groups: - id: 1.1.12 text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" - type: skip + type: "skip" tests: test_items: - flag: "--enable-admission-plugins" @@ -571,6 +571,7 @@ groups: - flag: "--encryption-provider-config" set: true remediation: | + [Manual test] Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file $apiserverconf on the master node and set the --encryption-provider-config parameter @@ -583,6 +584,7 @@ groups: audit: "ps -ef | grep $apiserverbin | grep -v grep" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, choose aescbc as the encryption provider. For example, @@ -1003,8 +1005,9 @@ groups: text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)" audit: "stat -c %a " - type: manual + type: "manual" remediation: | + [Manual test] Run the below command (based on the file location on your system) on the master node. For example, chmod 644 @@ -1014,8 +1017,9 @@ groups: text: "Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)" audit: "stat -c %U:%G " - type: manual + type: "manual" remediation: | + [Manual test] Run the below command (based on the file location on your system) on the master node. For example, chown root:root @@ -1194,6 +1198,7 @@ groups: value: "root root" set: true remediation: | + [Manual test] Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/pki/ scored: true @@ -1221,6 +1226,7 @@ groups: value: "600" set: true remediation: | + [Manual test] Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/pki/*.crt scored: true @@ -1237,6 +1243,7 @@ groups: value: "600" set: true remediation: | + [Manual test] Run the below command (based on the file location on your system) on the master node. For example, chmod -R 600 /etc/kubernetes/pki/*.key scored: true @@ -1358,6 +1365,7 @@ groups: - flag: "--trusted-ca-file" set: true remediation: | + [Manual test] Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. Then, edit the etcd pod specification file $etcdconf on the @@ -1372,6 +1380,7 @@ groups: text: "Ensure that the cluster-admin role is only used where required (Not Scored)" type: "manual" remediation: | + [Manual test] Remove any unneeded clusterrolebindings : kubectl delete clusterrolebinding [name] scored: false @@ -1380,6 +1389,7 @@ groups: text: "Create administrative boundaries between resources using namespaces (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the documentation and create namespaces for objects in your deployment as you need them. scored: false @@ -1388,6 +1398,7 @@ groups: text: "Create network segmentation using Network Policies (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the documentation and create NetworkPolicy objects as you need them. scored: false @@ -1396,6 +1407,7 @@ groups: definitions (Not Scored)" type: "manual" remediation: | + [Manual test] Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you would need to enable alpha features in the apiserver by passing "--feature- gates=AllAlpha=true" argument. @@ -1422,6 +1434,7 @@ groups: text: "Apply Security Context to Your Pods and Containers (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers. @@ -1431,6 +1444,7 @@ groups: text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and setup image provenance. scored: false @@ -1438,6 +1452,7 @@ groups: text: "Configure Network policies as appropriate (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and setup network policies as appropriate. For example, you could create a "default" isolation policy for a Namespace by creating a NetworkPolicy that selects all pods but does not allow any traffic: @@ -1454,6 +1469,7 @@ groups: privileged containers usage (Not Scored)" type: "manual" remediation: | + [Manual test] Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster. scored: false @@ -1464,6 +1480,7 @@ groups: text: "Do not admit privileged containers (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false. scored: false @@ -1471,6 +1488,7 @@ groups: text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false. scored: false @@ -1478,6 +1496,7 @@ groups: text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false. scored: false @@ -1485,6 +1504,7 @@ groups: text: "Do not admit containers wishing to share the host network namespace (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false. scored: false @@ -1492,6 +1512,7 @@ groups: text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false. scored: false @@ -1499,6 +1520,7 @@ groups: text: "Do not admit root containers (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0. scored: false @@ -1506,5 +1528,6 @@ groups: text: "Do not admit containers with dangerous capabilities (Not Scored)" type: "manual" remediation: | + [Manual test] Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL. scored: false diff --git a/cfg/1.13/node.yaml b/cfg/1.13/node.yaml index cb288e5..7939041 100644 --- a/cfg/1.13/node.yaml +++ b/cfg/1.13/node.yaml @@ -225,7 +225,7 @@ groups: - id: 2.1.11 text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)" audit: "ps -fC $kubeletbin" - type: skip + type: "skip" tests: bin_op: or test_items: @@ -433,8 +433,9 @@ groups: - id: 2.2.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" - type: manual + type: "manual" remediation: | + [Manual test] Run the following command to modify the file permissions of the --client-ca-file chmod 644 scored: true diff --git a/cfg/1.6/master.yaml b/cfg/1.6/master.yaml index 1db170f..469c413 100644 --- a/cfg/1.6/master.yaml +++ b/cfg/1.6/master.yaml @@ -909,58 +909,73 @@ groups: - id: 1.6.1 text: "Ensure that the cluster-admin role is only used where required (Not Scored)" type: "manual" - remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]" + remediation: | + [Manual test] + Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name] scored: false - id: 1.6.2 text: "Create Pod Security Policies for your cluster (Not Scored)" type: "manual" - remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster. - Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the - suggested Pod Security Policies for your environment." + remediation: | + [Manual test] + Follow the documentation and create and enforce Pod Security Policies for your cluster. + Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the + suggested Pod Security Policies for your environment. scored: false - id: 1.6.3 text: "Create administrative boundaries between resources using namespaces (Not Scored)" type: "manual" - remediation: "Follow the documentation and create namespaces for objects in your deployment as you - need them." + remediation: | + [Manual test] + Follow the documentation and create namespaces for objects in your deployment as you need them. scored: false - id: 1.6.4 text: "Create network segmentation using Network Policies (Not Scored)" type: "manual" - remediation: "Follow the documentation and create NetworkPolicy objects as you need them." + remediation: | + [Manual test] + Follow the documentation and create NetworkPolicy objects as you need them. scored: false - id: 1.6.5 text: "Avoid using Kubernetes Secrets (Not Scored)" type: "manual" - remediation: "Use other mechanisms such as vaults to manage your cluster secrets." + remediation: | + [Manual test] + Use other mechanisms such as vaults to manage your cluster secrets. scored: false - id: 1.6.6 text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" type: "manual" - remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you - would need to enable alpha features in the apiserver by passing \"--feature- - gates=AllAlpha=true\" argument.\n - Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS - parameter to \"--feature-gates=AllAlpha=true\" - KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\"" + remediation: | + [Manual test] + Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you + would need to enable alpha features in the apiserver by passing "--feature- + gates=AllAlpha=true" argument. + Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS + parameter to "--feature-gates=AllAlpha=true" + KUBE_API_ARGS="--feature-gates=AllAlpha=true" scored: false - id: 1.6.7 text: "Apply Security Context to Your Pods and Containers (Not Scored)" type: "manual" - remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a - suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker - Containers." + remediation: | + [Manual test] + Follow the Kubernetes documentation and apply security contexts to your pods. For a + suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker + Containers. scored: false - id: 1.6.8 text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" type: "manual" - remediation: "Follow the Kubernetes documentation and setup image provenance." + remediation: | + [Manual test] + Follow the Kubernetes documentation and setup image provenance. scored: false diff --git a/cfg/1.7/master.yaml b/cfg/1.7/master.yaml index fa35e39..950b6b1 100644 --- a/cfg/1.7/master.yaml +++ b/cfg/1.7/master.yaml @@ -484,8 +484,10 @@ groups: text: "Ensure that the encryption provider is set to aescbc (Scored)" audit: "ps -ef | grep $apiserverbin | grep -v grep" type: "manual" - remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, - choose aescbc as the encryption provider" + remediation: | + [Manual test] + Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, + choose aescbc as the encryption provider scored: true - id: 1.2 @@ -572,9 +574,11 @@ groups: - id: 1.3.6 text: "Apply Security Context to Your Pods and Containers (Not Scored)" type: "manual" - remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the - KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include - \"--feature-gates=RotateKubeletServerCertificate=true\"" + remediation: | + [Manual test] + Edit the /etc/kubernetes/controller-manager file on the master node and set the + KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include + "--feature-gates=RotateKubeletServerCertificate=true" scored: false - id: 1.3.7 @@ -971,58 +975,73 @@ groups: - id: 1.6.1 text: "Ensure that the cluster-admin role is only used where required (Not Scored)" type: "manual" - remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]" + remediation: | + [Manual test] + Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name] scored: false - id: 1.6.2 text: "Create Pod Security Policies for your cluster (Not Scored)" type: "manual" - remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster. - Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the - suggested Pod Security Policies for your environment." + remediation: | + [Manual test] + Follow the documentation and create and enforce Pod Security Policies for your cluster. + Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the + suggested Pod Security Policies for your environment. scored: false - id: 1.6.3 text: "Create administrative boundaries between resources using namespaces (Not Scored)" type: "manual" - remediation: "Follow the documentation and create namespaces for objects in your deployment as you - need them." + remediation: | + [Manual test] + Follow the documentation and create namespaces for objects in your deployment as you need them. scored: false - id: 1.6.4 text: "Create network segmentation using Network Policies (Not Scored)" type: "manual" - remediation: "Follow the documentation and create NetworkPolicy objects as you need them." + remediation: | + [Manual test] + Follow the documentation and create NetworkPolicy objects as you need them. scored: false - id: 1.6.5 text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" type: "manual" - remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you - would need to enable alpha features in the apiserver by passing \"--feature- - gates=AllAlpha=true\" argument.\n - Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS - parameter to \"--feature-gates=AllAlpha=true\" - KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\"" + remediation: | + [Manual test] + Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you + would need to enable alpha features in the apiserver by passing "--feature- + gates=AllAlpha=true" argument. + Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS + parameter to "--feature-gates=AllAlpha=true" + KUBE_API_ARGS="--feature-gates=AllAlpha=true" scored: false - id: 1.6.6 text: "Apply Security Context to Your Pods and Containers (Not Scored)" type: "manual" - remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a - suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker - Containers." + remediation: | + [Manual test] + Follow the Kubernetes documentation and apply security contexts to your pods. For a + suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker + Containers. scored: false - id: 1.6.7 text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" type: "manual" - remediation: "Follow the Kubernetes documentation and setup image provenance." + remediation: | + [Manual test] + Follow the Kubernetes documentation and setup image provenance. scored: false - id: 1.6.8 text: "Configure Network policies as appropriate (Not Scored)" type: "manual" - remediation: "Follow the Kubernetes documentation and setup network policies as appropriate." + remediation: | + [Manual test] + Follow the Kubernetes documentation and setup network policies as appropriate. scored: false diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml index f52ed96..d506a75 100644 --- a/cfg/1.8/master.yaml +++ b/cfg/1.8/master.yaml @@ -559,6 +559,7 @@ groups: audit: "ps -ef | grep $apiserverbin | grep -v grep" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, choose aescbc as the encryption provider. For example, @@ -597,6 +598,7 @@ groups: audit: "ps -ef | grep $apiserverbin | grep -v grep" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and set the desired audit policy in the /etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf and set the below parameters. @@ -608,6 +610,7 @@ groups: audit: "ps -ef | grep $apiserverbin | grep -v grep" type: "manual" remediation: | + [Manual test] Edit the API server pod specification file $apiserverconf and set the below parameter as appropriate and if needed. For example, --request-timeout=300s @@ -713,6 +716,7 @@ groups: text: "Apply Security Context to Your Pods and Containers (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers. @@ -922,8 +926,9 @@ groups: text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)" audit: "stat -c %a " - type: manual + type: "manual" remediation: | + [Manual test] Run the below command (based on the file location on your system) on the master node. For example, chmod 644 @@ -933,8 +938,9 @@ groups: text: "Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)" audit: "stat -c %U:%G " - type: manual + type: "manual" remediation: | + [Manual test] Run the below command (based on the file location on your system) on the master node. For example, chown root:root @@ -1263,6 +1269,7 @@ groups: text: "Ensure that the cluster-admin role is only used where required (Not Scored)" type: "manual" remediation: | + [Manual test] Remove any unneeded clusterrolebindings : kubectl delete clusterrolebinding [name] scored: false @@ -1271,6 +1278,7 @@ groups: text: "Create Pod Security Policies for your cluster (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the documentation and create and enforce Pod Security Policies for your cluster. Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the suggested Pod Security Policies for your environment. @@ -1280,6 +1288,7 @@ groups: text: "Create administrative boundaries between resources using namespaces (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the documentation and create namespaces for objects in your deployment as you need them. scored: false @@ -1288,6 +1297,7 @@ groups: text: "Create network segmentation using Network Policies (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the documentation and create NetworkPolicy objects as you need them. scored: false @@ -1296,6 +1306,7 @@ groups: definitions (Not Scored)" type: "manual" remediation: | + [Manual test] Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you would need to enable alpha features in the apiserver by passing "--feature- gates=AllAlpha=true" argument. @@ -1322,6 +1333,7 @@ groups: text: "Apply Security Context to Your Pods and Containers (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and apply security contexts to your pods. For a suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker Containers. @@ -1331,6 +1343,7 @@ groups: text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and setup image provenance. scored: false @@ -1338,6 +1351,7 @@ groups: text: "Configure Network policies as appropriate (Not Scored)" type: "manual" remediation: | + [Manual test] Follow the Kubernetes documentation and setup network policies as appropriate. For example, you could create a "default" isolation policy for a Namespace by creating a NetworkPolicy that selects all pods but does not allow any traffic: @@ -1354,5 +1368,6 @@ groups: privileged containers usage (Not Scored)" type: "manual" remediation: | + [Manual test] Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster. scored: false diff --git a/cfg/1.8/node.yaml b/cfg/1.8/node.yaml index 7740d72..3dd01be 100644 --- a/cfg/1.8/node.yaml +++ b/cfg/1.8/node.yaml @@ -423,8 +423,9 @@ groups: - id: 2.2.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" - type: manual + type: "manual" remediation: | + [Manual test] Run the following command to modify the file permissions of the --client-ca-file chmod 644 scored: true diff --git a/cfg/ocp-3.10/master.yaml b/cfg/ocp-3.10/master.yaml index ed35fcd..a67ccb6 100644 --- a/cfg/ocp-3.10/master.yaml +++ b/cfg/ocp-3.10/master.yaml @@ -410,7 +410,7 @@ groups: - id: 1.23 text: "Verify that the service account lookup flag is not set" - type: skip + type: "skip" scored: true - id: 1.24 @@ -675,8 +675,9 @@ groups: - id: 1.37 text: "Adjust the request timeout argument for your cluster resources" audit: "grep request-timeout /etc/origin/master/master-config.yaml" - type: manual + type: "manual" remediation: | + [Manual test] change the request-timeout value in the  /etc/origin/master/master-config.yaml scored: true @@ -1313,6 +1314,7 @@ groups: text: "Ensure that the cluster-admin role is only used where required" type: "manual" remediation: | + [Manual test] Review users, groups, serviceaccounts bound to cluster-admin: oc get clusterrolebindings | grep cluster-admin @@ -1324,6 +1326,7 @@ groups: text: "Verify Security Context Constraints as in use" type: "manual" remediation: | + [Manual test] Review Security Context Constraints: oc get scc @@ -1341,6 +1344,7 @@ groups: text: "Use OpenShift projects to maintain boundaries between resources" type: "manual" remediation: | + [Manual test] Review projects: oc get projects scored: false @@ -1349,6 +1353,7 @@ groups: text: "Create network segmentation using the Multi-tenant plugin or Network Policies" type: "manual" remediation: | + [Manual test] Verify on masters the plugin being used: grep networkPluginName /etc/origin/master/master-config.yaml @@ -1372,6 +1377,7 @@ groups: text: "Enable seccomp and configure custom Security Context Constraints" type: "manual" remediation: | + [Manual test] Verify SCCs that have been configured with seccomp: oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles @@ -1386,6 +1392,7 @@ groups: text: "Review Security Context Constraints" type: "manual" remediation: | + [Manual test] Review SCCs: oc describe scc @@ -1410,6 +1417,7 @@ groups: text: "Manage Image Provenance using ImagePolicyWebhook admission controller" type: "manual" remediation: | + [Manual test] Review imagePolicyConfig in /etc/origin/master/master-config.yaml. scored: false @@ -1417,6 +1425,7 @@ groups: text: "Configure Network policies as appropriate" type: "manual" remediation: | + [Manual test] If ovs-networkplugin is used, review network policies: oc get networkpolicies @@ -1429,6 +1438,7 @@ groups: text: "Use Security Context Constraints as compensating controls for privileged containers" type: "manual" remediation: | + [Manual test] 1) Determine all sccs allowing privileged containers: oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer 2) Review users and groups assigned to sccs allowing priviliged containers: diff --git a/cfg/ocp-3.11/master.yaml b/cfg/ocp-3.11/master.yaml index ed35fcd..a67ccb6 100644 --- a/cfg/ocp-3.11/master.yaml +++ b/cfg/ocp-3.11/master.yaml @@ -410,7 +410,7 @@ groups: - id: 1.23 text: "Verify that the service account lookup flag is not set" - type: skip + type: "skip" scored: true - id: 1.24 @@ -675,8 +675,9 @@ groups: - id: 1.37 text: "Adjust the request timeout argument for your cluster resources" audit: "grep request-timeout /etc/origin/master/master-config.yaml" - type: manual + type: "manual" remediation: | + [Manual test] change the request-timeout value in the  /etc/origin/master/master-config.yaml scored: true @@ -1313,6 +1314,7 @@ groups: text: "Ensure that the cluster-admin role is only used where required" type: "manual" remediation: | + [Manual test] Review users, groups, serviceaccounts bound to cluster-admin: oc get clusterrolebindings | grep cluster-admin @@ -1324,6 +1326,7 @@ groups: text: "Verify Security Context Constraints as in use" type: "manual" remediation: | + [Manual test] Review Security Context Constraints: oc get scc @@ -1341,6 +1344,7 @@ groups: text: "Use OpenShift projects to maintain boundaries between resources" type: "manual" remediation: | + [Manual test] Review projects: oc get projects scored: false @@ -1349,6 +1353,7 @@ groups: text: "Create network segmentation using the Multi-tenant plugin or Network Policies" type: "manual" remediation: | + [Manual test] Verify on masters the plugin being used: grep networkPluginName /etc/origin/master/master-config.yaml @@ -1372,6 +1377,7 @@ groups: text: "Enable seccomp and configure custom Security Context Constraints" type: "manual" remediation: | + [Manual test] Verify SCCs that have been configured with seccomp: oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles @@ -1386,6 +1392,7 @@ groups: text: "Review Security Context Constraints" type: "manual" remediation: | + [Manual test] Review SCCs: oc describe scc @@ -1410,6 +1417,7 @@ groups: text: "Manage Image Provenance using ImagePolicyWebhook admission controller" type: "manual" remediation: | + [Manual test] Review imagePolicyConfig in /etc/origin/master/master-config.yaml. scored: false @@ -1417,6 +1425,7 @@ groups: text: "Configure Network policies as appropriate" type: "manual" remediation: | + [Manual test] If ovs-networkplugin is used, review network policies: oc get networkpolicies @@ -1429,6 +1438,7 @@ groups: text: "Use Security Context Constraints as compensating controls for privileged containers" type: "manual" remediation: | + [Manual test] 1) Determine all sccs allowing privileged containers: oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer 2) Review users and groups assigned to sccs allowing priviliged containers: