Add [Manual test] to remediation in all the manual tests (#435)

cfg/1.11-json/node.yaml

@@ -462,8 +462,9 @@ groups:
     - id: 2.2.7
       text: "Ensure that the certificate authorities file permissions are set to
       644 or more restrictive (Scored)"
-      type: manual
+      type: "manual"
       remediation: |
+        [Manual test]
         Run the following command to modify the file permissions of the --client-ca-file
         chmod 644 <filename>
       scored: true

cfg/1.11/master.yaml

@@ -579,6 +579,7 @@ groups:
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
       choose aescbc as the encryption provider.
       For example,
@@ -1001,8 +1002,9 @@ groups:
     text: "Ensure that the Container Network Interface file permissions are
     set to 644 or more restrictive (Not Scored)"
     audit: "stat -c %a <path/to/cni/files>"
-    type: manual
+    type: "manual"
     remediation: |
+      [Manual test]
       Run the below command (based on the file location on your system) on the master node.
       For example,
       chmod 644 <path/to/cni/files>
@@ -1012,8 +1014,9 @@ groups:
     text: "Ensure that the Container Network Interface file ownership is set
     to root:root (Not Scored)"
     audit: "stat -c %U:%G <path/to/cni/files>"
-    type: manual
+    type: "manual"
     remediation: |
+      [Manual test]
       Run the below command (based on the file location on your system) on the master node.
       For example,
       chown root:root <path/to/cni/files>
@@ -1297,6 +1300,7 @@ groups:
       - flag: "--trusted-ca-file"
         set: true
     remediation: |
+      [Manual test]
       Follow the etcd documentation and create a dedicated certificate authority setup for the
       etcd service.
       Then, edit the etcd pod specification file $etcdconf on the
@@ -1311,6 +1315,7 @@ groups:
     text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Remove any unneeded clusterrolebindings :
       kubectl delete clusterrolebinding [name]
     scored: false
@@ -1319,6 +1324,7 @@ groups:
     text: "Create administrative boundaries between resources using namespaces (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the documentation and create namespaces for objects in your deployment as you
       need them.
     scored: false
@@ -1327,6 +1333,7 @@ groups:
     text: "Create network segmentation using Network Policies (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the documentation and create NetworkPolicy objects as you need them.
     scored: false
 
@@ -1335,6 +1342,7 @@ groups:
     definitions (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
       would need to enable alpha features in the apiserver by passing "--feature-
       gates=AllAlpha=true" argument.
@@ -1361,6 +1369,7 @@ groups:
     text: "Apply Security Context to Your Pods and Containers (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and apply security contexts to your pods. For a
       suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
       Containers.
@@ -1370,6 +1379,7 @@ groups:
     text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and setup image provenance.
     scored: false
 
@@ -1377,6 +1387,7 @@ groups:
     text: "Configure Network policies as appropriate (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and setup network policies as appropriate.
       For example, you could create a "default" isolation policy for a Namespace by creating a
       NetworkPolicy that selects all pods but does not allow any traffic:
@@ -1393,6 +1404,7 @@ groups:
     privileged containers usage (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
     scored: false
 
@@ -1403,6 +1415,7 @@ groups:
     text: "Do not admit privileged containers (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
     scored: false
 
@@ -1410,6 +1423,7 @@ groups:
     text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
     type: "manual"
     remediation: |
+     [Manual test]
      Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
     scored: false
 
@@ -1417,6 +1431,7 @@ groups:
     text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
     scored: false
 
@@ -1424,6 +1439,7 @@ groups:
     text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
     scored: false
 
@@ -1431,6 +1447,7 @@ groups:
     text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
     scored: false
 
@@ -1438,6 +1455,7 @@ groups:
     text: "Do not admit root containers (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
     scored: false
 
@@ -1445,5 +1463,6 @@ groups:
     text: "Do not admit containers with dangerous capabilities (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
     scored: false

cfg/1.11/node.yaml

@@ -451,8 +451,9 @@ groups:
     - id: 2.2.7
       text: "Ensure that the certificate authorities file permissions are set to
       644 or more restrictive (Scored)"
-      type: manual
+      type: "manual"
       remediation: |
+        [Manual test]
         Run the following command to modify the file permissions of the --client-ca-file
         chmod 644 <filename>
       scored: true

cfg/1.13-json/node.yaml

@@ -231,7 +231,7 @@ groups:
     # To check if the property is set as expected, we need to parse the kubelet command 
     # instead reading the Kubelet Configuration file.
     audit: "ps -fC $kubeletbin"
-    type: skip
+    type: "skip"
     tests:
       bin_op: or
       test_items:
@@ -444,8 +444,9 @@ groups:
     - id: 2.2.7
       text: "Ensure that the certificate authorities file permissions are set to
       644 or more restrictive (Scored)"
-      type: manual
+      type: "manual"
       remediation: |
+        [Manual test]
         Run the following command to modify the file permissions of the --client-ca-file
         chmod 644 <filename>
       scored: true

cfg/1.13/master.yaml

@@ -188,7 +188,7 @@ groups:
   - id: 1.1.12
     text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
-    type: skip
+    type: "skip"
     tests:
       test_items:
       - flag: "--enable-admission-plugins"
@@ -571,6 +571,7 @@ groups:
       - flag: "--encryption-provider-config"
         set: true
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and configure a EncryptionConfig file.
       Then, edit the API server pod specification file $apiserverconf on the
       master node and set the --encryption-provider-config parameter
@@ -583,6 +584,7 @@ groups:
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
       choose aescbc as the encryption provider.
       For example,
@@ -1003,8 +1005,9 @@ groups:
     text: "Ensure that the Container Network Interface file permissions are
     set to 644 or more restrictive (Not Scored)"
     audit: "stat -c %a <path/to/cni/files>"
-    type: manual
+    type: "manual"
     remediation: |
+      [Manual test]
       Run the below command (based on the file location on your system) on the master node.
       For example,
       chmod 644 <path/to/cni/files>
@@ -1014,8 +1017,9 @@ groups:
     text: "Ensure that the Container Network Interface file ownership is set
     to root:root (Not Scored)"
     audit: "stat -c %U:%G <path/to/cni/files>"
-    type: manual
+    type: "manual"
     remediation: |
+      [Manual test]
       Run the below command (based on the file location on your system) on the master node.
       For example,
       chown root:root <path/to/cni/files>
@@ -1194,6 +1198,7 @@ groups:
           value: "root root"
         set: true
     remediation: |
+      [Manual test]
       Run the below command (based on the file location on your system) on the master node. 
       For example, chown -R root:root /etc/kubernetes/pki/
     scored: true
@@ -1221,6 +1226,7 @@ groups:
             value: "600"
           set: true
     remediation: |
+      [Manual test]
       Run the below command (based on the file location on your system) on the master node. 
       For example, chmod -R 644 /etc/kubernetes/pki/*.crt
     scored: true
@@ -1237,6 +1243,7 @@ groups:
             value: "600"
           set: true
     remediation: |
+      [Manual test]
       Run the below command (based on the file location on your system) on the master node. 
       For example, chmod -R 600 /etc/kubernetes/pki/*.key
     scored: true
@@ -1358,6 +1365,7 @@ groups:
       - flag: "--trusted-ca-file"
         set: true
     remediation: |
+      [Manual test]
       Follow the etcd documentation and create a dedicated certificate authority setup for the
       etcd service.
       Then, edit the etcd pod specification file $etcdconf on the
@@ -1372,6 +1380,7 @@ groups:
     text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Remove any unneeded clusterrolebindings :
       kubectl delete clusterrolebinding [name]
     scored: false
@@ -1380,6 +1389,7 @@ groups:
     text: "Create administrative boundaries between resources using namespaces (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the documentation and create namespaces for objects in your deployment as you
       need them.
     scored: false
@@ -1388,6 +1398,7 @@ groups:
     text: "Create network segmentation using Network Policies (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the documentation and create NetworkPolicy objects as you need them.
     scored: false
 
@@ -1396,6 +1407,7 @@ groups:
     definitions (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
       would need to enable alpha features in the apiserver by passing "--feature-
       gates=AllAlpha=true" argument.
@@ -1422,6 +1434,7 @@ groups:
     text: "Apply Security Context to Your Pods and Containers (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and apply security contexts to your pods. For a
       suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
       Containers.
@@ -1431,6 +1444,7 @@ groups:
     text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and setup image provenance.
     scored: false
 
@@ -1438,6 +1452,7 @@ groups:
     text: "Configure Network policies as appropriate (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and setup network policies as appropriate.
       For example, you could create a "default" isolation policy for a Namespace by creating a
       NetworkPolicy that selects all pods but does not allow any traffic:
@@ -1454,6 +1469,7 @@ groups:
     privileged containers usage (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
     scored: false
 
@@ -1464,6 +1480,7 @@ groups:
     text: "Do not admit privileged containers (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
     scored: false
 
@@ -1471,6 +1488,7 @@ groups:
     text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
     type: "manual"
     remediation: |
+     [Manual test]
      Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
     scored: false
 
@@ -1478,6 +1496,7 @@ groups:
     text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
     scored: false
 
@@ -1485,6 +1504,7 @@ groups:
     text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
     scored: false
 
@@ -1492,6 +1512,7 @@ groups:
     text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
     scored: false
 
@@ -1499,6 +1520,7 @@ groups:
     text: "Do not admit root containers (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
     scored: false
 
@@ -1506,5 +1528,6 @@ groups:
     text: "Do not admit containers with dangerous capabilities (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
     scored: false

cfg/1.13/node.yaml

@@ -225,7 +225,7 @@ groups:
   - id: 2.1.11
     text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
     audit: "ps -fC $kubeletbin"
-    type: skip
+    type: "skip"
     tests:
       bin_op: or
       test_items:
@@ -433,8 +433,9 @@ groups:
     - id: 2.2.7
       text: "Ensure that the certificate authorities file permissions are set to
       644 or more restrictive (Scored)"
-      type: manual
+      type: "manual"
       remediation: |
+        [Manual test]
         Run the following command to modify the file permissions of the --client-ca-file
         chmod 644 <filename>
       scored: true

cfg/1.6/master.yaml

@@ -909,58 +909,73 @@ groups:
     - id: 1.6.1
       text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
       type: "manual"
-      remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
+      remediation: |
+        [Manual test]
+        Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
       scored: false
 
     - id: 1.6.2
       text: "Create Pod Security Policies for your cluster (Not Scored)"
       type: "manual"
-      remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
+      remediation: |
-              Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
+        [Manual test]
-              suggested Pod Security Policies for your environment."
+        Follow the documentation and create and enforce Pod Security Policies for your cluster.
+        Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
+        suggested Pod Security Policies for your environment.
       scored: false
 
     - id: 1.6.3
       text: "Create administrative boundaries between resources using namespaces (Not Scored)"
       type: "manual"
-      remediation: "Follow the documentation and create namespaces for objects in your deployment as you
+      remediation: |
-              need them."
+        [Manual test]
+        Follow the documentation and create namespaces for objects in your deployment as you need them.
       scored: false
 
     - id: 1.6.4
       text: "Create network segmentation using Network Policies (Not Scored)"
       type: "manual"
-      remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
+      remediation: |
+        [Manual test]
+        Follow the documentation and create NetworkPolicy objects as you need them.
       scored: false
 
     - id: 1.6.5
       text: "Avoid using Kubernetes Secrets (Not Scored)"
       type: "manual"
-      remediation: "Use other mechanisms such as vaults to manage your cluster secrets."
+      remediation: |
+        [Manual test]
+        Use other mechanisms such as vaults to manage your cluster secrets.
       scored: false
 
 
     - id: 1.6.6
       text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
       type: "manual"
-      remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
+      remediation: |
-              would need to enable alpha features in the apiserver by passing \"--feature-
+        [Manual test]
-              gates=AllAlpha=true\" argument.\n
+        Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
+        would need to enable alpha features in the apiserver by passing "--feature-
+        gates=AllAlpha=true" argument.
         Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
-              parameter to \"--feature-gates=AllAlpha=true\"
+        parameter to "--feature-gates=AllAlpha=true"
-              KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
+        KUBE_API_ARGS="--feature-gates=AllAlpha=true"
       scored: false
 
     - id: 1.6.7
       text: "Apply Security Context to Your Pods and Containers (Not Scored)"
       type: "manual"
-      remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
+      remediation: |
+        [Manual test]
+        Follow the Kubernetes documentation and apply security contexts to your pods. For a
         suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
-              Containers."
+        Containers.
       scored: false
 
     - id: 1.6.8
       text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
       type: "manual"
-      remediation: "Follow the Kubernetes documentation and setup image provenance."
+      remediation: |
+        [Manual test]
+        Follow the Kubernetes documentation and setup image provenance.
       scored: false

cfg/1.7/master.yaml

@@ -484,8 +484,10 @@ groups:
       text: "Ensure that the encryption provider is set to aescbc (Scored)"
       audit: "ps -ef | grep $apiserverbin | grep -v grep"
       type: "manual"
-      remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
+      remediation: |
-              choose aescbc as the encryption provider"
+        [Manual test]
+        Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
+        choose aescbc as the encryption provider
       scored: true
 
 - id: 1.2
@@ -572,9 +574,11 @@ groups:
     - id: 1.3.6
       text: "Apply Security Context to Your Pods and Containers (Not Scored)"
       type: "manual"
-      remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
+      remediation: |
+        [Manual test]
+        Edit the /etc/kubernetes/controller-manager file on the master node and set the
         KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include 
-              \"--feature-gates=RotateKubeletServerCertificate=true\""
+        "--feature-gates=RotateKubeletServerCertificate=true"
       scored: false
 
     - id: 1.3.7
@@ -971,58 +975,73 @@ groups:
     - id: 1.6.1
       text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
       type: "manual"
-      remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
+      remediation: |
+        [Manual test]
+        Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
       scored: false
 
     - id: 1.6.2
       text: "Create Pod Security Policies for your cluster (Not Scored)"
       type: "manual"
-      remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
+      remediation: |
-              Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
+        [Manual test]
-              suggested Pod Security Policies for your environment."
+        Follow the documentation and create and enforce Pod Security Policies for your cluster.
+        Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
+        suggested Pod Security Policies for your environment.
       scored: false
 
     - id: 1.6.3
       text: "Create administrative boundaries between resources using namespaces (Not Scored)"
       type: "manual"
-      remediation: "Follow the documentation and create namespaces for objects in your deployment as you
+      remediation: |
-              need them."
+        [Manual test]
+        Follow the documentation and create namespaces for objects in your deployment as you need them.
       scored: false
 
     - id: 1.6.4
       text: "Create network segmentation using Network Policies (Not Scored)"
       type: "manual"
-      remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
+      remediation: |
+        [Manual test]
+        Follow the documentation and create NetworkPolicy objects as you need them.
       scored: false
 
     - id: 1.6.5
       text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
       type: "manual"
-      remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
+      remediation: |
-              would need to enable alpha features in the apiserver by passing \"--feature-
+        [Manual test]
-              gates=AllAlpha=true\" argument.\n
+        Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
+        would need to enable alpha features in the apiserver by passing "--feature-
+        gates=AllAlpha=true" argument.
         Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
-              parameter to \"--feature-gates=AllAlpha=true\"
+        parameter to "--feature-gates=AllAlpha=true"
-              KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
+        KUBE_API_ARGS="--feature-gates=AllAlpha=true"
       scored: false
 
     - id: 1.6.6
       text: "Apply Security Context to Your Pods and Containers (Not Scored)"
       type: "manual"
-      remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
+      remediation: |
+        [Manual test]
+        Follow the Kubernetes documentation and apply security contexts to your pods. For a
         suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
-              Containers."
+        Containers.
       scored: false
 
     - id: 1.6.7
       text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
       type: "manual"
-      remediation: "Follow the Kubernetes documentation and setup image provenance."
+      remediation: |
+        [Manual test]
+        Follow the Kubernetes documentation and setup image provenance.
       scored: false
 
     - id: 1.6.8
       text: "Configure Network policies as appropriate (Not Scored)"
       type: "manual"
-      remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
+      remediation: |
+        [Manual test]
+        Follow the Kubernetes documentation and setup network policies as appropriate.
       scored: false
 

cfg/1.8/master.yaml

@@ -559,6 +559,7 @@ groups:
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
       choose aescbc as the encryption provider.
       For example,
@@ -597,6 +598,7 @@ groups:
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and set the desired audit policy in the
       /etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf
       and set the below parameters.
@@ -608,6 +610,7 @@ groups:
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     type: "manual"
     remediation: |
+      [Manual test]
       Edit the API server pod specification file $apiserverconf
       and set the below parameter as appropriate and if needed. For example,
       --request-timeout=300s
@@ -713,6 +716,7 @@ groups:
     text: "Apply Security Context to Your Pods and Containers (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and apply security contexts to your pods. For a
       suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
       Containers.
@@ -922,8 +926,9 @@ groups:
     text: "Ensure that the Container Network Interface file permissions are
     set to 644 or more restrictive (Not Scored)"
     audit: "stat -c %a <path/to/cni/files>"
-    type: manual
+    type: "manual"
     remediation: |
+      [Manual test]
       Run the below command (based on the file location on your system) on the master node.
       For example,
       chmod 644 <path/to/cni/files>
@@ -933,8 +938,9 @@ groups:
     text: "Ensure that the Container Network Interface file ownership is set
     to root:root (Not Scored)"
     audit: "stat -c %U:%G <path/to/cni/files>"
-    type: manual
+    type: "manual"
     remediation: |
+      [Manual test]
       Run the below command (based on the file location on your system) on the master node.
       For example,
       chown root:root <path/to/cni/files>
@@ -1263,6 +1269,7 @@ groups:
     text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Remove any unneeded clusterrolebindings :
       kubectl delete clusterrolebinding [name]
     scored: false
@@ -1271,6 +1278,7 @@ groups:
     text: "Create Pod Security Policies for your cluster (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the documentation and create and enforce Pod Security Policies for your cluster.
       Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
       suggested Pod Security Policies for your environment.
@@ -1280,6 +1288,7 @@ groups:
     text: "Create administrative boundaries between resources using namespaces (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the documentation and create namespaces for objects in your deployment as you
       need them.
     scored: false
@@ -1288,6 +1297,7 @@ groups:
     text: "Create network segmentation using Network Policies (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the documentation and create NetworkPolicy objects as you need them.
     scored: false
 
@@ -1296,6 +1306,7 @@ groups:
     definitions (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
       would need to enable alpha features in the apiserver by passing "--feature-
       gates=AllAlpha=true" argument.
@@ -1322,6 +1333,7 @@ groups:
     text: "Apply Security Context to Your Pods and Containers (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and apply security contexts to your pods. For a
       suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
       Containers.
@@ -1331,6 +1343,7 @@ groups:
     text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and setup image provenance.
     scored: false
 
@@ -1338,6 +1351,7 @@ groups:
     text: "Configure Network policies as appropriate (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow the Kubernetes documentation and setup network policies as appropriate.
       For example, you could create a "default" isolation policy for a Namespace by creating a
       NetworkPolicy that selects all pods but does not allow any traffic:
@@ -1354,5 +1368,6 @@ groups:
     privileged containers usage (Not Scored)"
     type: "manual"
     remediation: |
+      [Manual test]
       Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
     scored: false

cfg/1.8/node.yaml

@@ -423,8 +423,9 @@ groups:
     - id: 2.2.7
       text: "Ensure that the certificate authorities file permissions are set to
       644 or more restrictive (Scored)"
-      type: manual
+      type: "manual"
       remediation: |
+        [Manual test]
         Run the following command to modify the file permissions of the --client-ca-file
         chmod 644 <filename>
       scored: true

cfg/ocp-3.10/master.yaml

@@ -410,7 +410,7 @@ groups:
 
   - id: 1.23
     text: "Verify that the service account lookup flag is not set"
-    type: skip
+    type: "skip"
     scored: true
 
   - id: 1.24
@@ -675,8 +675,9 @@ groups:
   - id: 1.37
     text: "Adjust the request timeout argument for your cluster resources"
     audit: "grep request-timeout /etc/origin/master/master-config.yaml"
-    type: manual
+    type: "manual"
     remediation: |
+      [Manual test]
       change the request-timeout value in the  /etc/origin/master/master-config.yaml
     scored: true
 
@@ -1313,6 +1314,7 @@ groups:
     text: "Ensure that the cluster-admin role is only used where required"
     type: "manual"
     remediation: |
+      [Manual test]
       Review users, groups, serviceaccounts bound to cluster-admin:
       oc get clusterrolebindings | grep cluster-admin
 
@@ -1324,6 +1326,7 @@ groups:
     text: "Verify Security Context Constraints as in use"
     type: "manual"
     remediation: |
+      [Manual test]
       Review Security Context Constraints:
       oc get scc
 
@@ -1341,6 +1344,7 @@ groups:
     text: "Use OpenShift projects to maintain boundaries between resources"
     type: "manual"
     remediation: |
+      [Manual test]
       Review projects:
       oc get projects
     scored: false
@@ -1349,6 +1353,7 @@ groups:
     text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
     type: "manual"
     remediation: |
+      [Manual test]
       Verify on masters the plugin being used:
       grep networkPluginName /etc/origin/master/master-config.yaml
 
@@ -1372,6 +1377,7 @@ groups:
     text: "Enable seccomp and configure custom Security Context Constraints"
     type: "manual"
     remediation: |
+      [Manual test]
       Verify SCCs that have been configured with seccomp:
       oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
 
@@ -1386,6 +1392,7 @@ groups:
     text: "Review Security Context Constraints"
     type: "manual"
     remediation: |
+      [Manual test]
       Review SCCs:
       oc describe scc
 
@@ -1410,6 +1417,7 @@ groups:
     text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
     type: "manual"
     remediation: |
+      [Manual test]
       Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
     scored: false
 
@@ -1417,6 +1425,7 @@ groups:
     text: "Configure Network policies as appropriate"
     type: "manual"
     remediation: |
+      [Manual test]
       If ovs-networkplugin is used, review network policies:
       oc get networkpolicies
 
@@ -1429,6 +1438,7 @@ groups:
     text: "Use Security Context Constraints as compensating controls for privileged containers"
     type: "manual"
     remediation: |
+      [Manual test]
       1) Determine all sccs allowing privileged containers:
          oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
       2) Review users and groups assigned to sccs allowing priviliged containers:

cfg/ocp-3.11/master.yaml

@@ -410,7 +410,7 @@ groups:
 
   - id: 1.23
     text: "Verify that the service account lookup flag is not set"
-    type: skip
+    type: "skip"
     scored: true
 
   - id: 1.24
@@ -675,8 +675,9 @@ groups:
   - id: 1.37
     text: "Adjust the request timeout argument for your cluster resources"
     audit: "grep request-timeout /etc/origin/master/master-config.yaml"
-    type: manual
+    type: "manual"
     remediation: |
+      [Manual test]
       change the request-timeout value in the  /etc/origin/master/master-config.yaml
     scored: true
 
@@ -1313,6 +1314,7 @@ groups:
     text: "Ensure that the cluster-admin role is only used where required"
     type: "manual"
     remediation: |
+      [Manual test]
       Review users, groups, serviceaccounts bound to cluster-admin:
       oc get clusterrolebindings | grep cluster-admin
 
@@ -1324,6 +1326,7 @@ groups:
     text: "Verify Security Context Constraints as in use"
     type: "manual"
     remediation: |
+      [Manual test]
       Review Security Context Constraints:
       oc get scc
 
@@ -1341,6 +1344,7 @@ groups:
     text: "Use OpenShift projects to maintain boundaries between resources"
     type: "manual"
     remediation: |
+      [Manual test]
       Review projects:
       oc get projects
     scored: false
@@ -1349,6 +1353,7 @@ groups:
     text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
     type: "manual"
     remediation: |
+      [Manual test]
       Verify on masters the plugin being used:
       grep networkPluginName /etc/origin/master/master-config.yaml
 
@@ -1372,6 +1377,7 @@ groups:
     text: "Enable seccomp and configure custom Security Context Constraints"
     type: "manual"
     remediation: |
+      [Manual test]
       Verify SCCs that have been configured with seccomp:
       oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
 
@@ -1386,6 +1392,7 @@ groups:
     text: "Review Security Context Constraints"
     type: "manual"
     remediation: |
+      [Manual test]
       Review SCCs:
       oc describe scc
 
@@ -1410,6 +1417,7 @@ groups:
     text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
     type: "manual"
     remediation: |
+      [Manual test]
       Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
     scored: false
 
@@ -1417,6 +1425,7 @@ groups:
     text: "Configure Network policies as appropriate"
     type: "manual"
     remediation: |
+      [Manual test]
       If ovs-networkplugin is used, review network policies:
       oc get networkpolicies
 
@@ -1429,6 +1438,7 @@ groups:
     text: "Use Security Context Constraints as compensating controls for privileged containers"
     type: "manual"
     remediation: |
+      [Manual test]
       1) Determine all sccs allowing privileged containers:
          oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
       2) Review users and groups assigned to sccs allowing priviliged containers: