1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-29 18:08:08 +00:00

Add [Manual test] to remediation in all the manual tests (#435)

This commit is contained in:
yoavrotems 2019-10-09 15:26:02 +00:00 committed by Liz Rice
parent 37f626dce6
commit 89afda1f63
12 changed files with 175 additions and 59 deletions

View File

@ -462,8 +462,9 @@ groups:
- id: 2.2.7 - id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename> chmod 644 <filename>
scored: true scored: true

View File

@ -579,6 +579,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider. choose aescbc as the encryption provider.
For example, For example,
@ -1001,8 +1002,9 @@ groups:
text: "Ensure that the Container Network Interface file permissions are text: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)" set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>" audit: "stat -c %a <path/to/cni/files>"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod 644 <path/to/cni/files> chmod 644 <path/to/cni/files>
@ -1012,8 +1014,9 @@ groups:
text: "Ensure that the Container Network Interface file ownership is set text: "Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)" to root:root (Not Scored)"
audit: "stat -c %U:%G <path/to/cni/files>" audit: "stat -c %U:%G <path/to/cni/files>"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chown root:root <path/to/cni/files> chown root:root <path/to/cni/files>
@ -1297,6 +1300,7 @@ groups:
- flag: "--trusted-ca-file" - flag: "--trusted-ca-file"
set: true set: true
remediation: | remediation: |
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service. etcd service.
Then, edit the etcd pod specification file $etcdconf on the Then, edit the etcd pod specification file $etcdconf on the
@ -1311,6 +1315,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required (Not Scored)" text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Remove any unneeded clusterrolebindings : Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name] kubectl delete clusterrolebinding [name]
scored: false scored: false
@ -1319,6 +1324,7 @@ groups:
text: "Create administrative boundaries between resources using namespaces (Not Scored)" text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you Follow the documentation and create namespaces for objects in your deployment as you
need them. need them.
scored: false scored: false
@ -1327,6 +1333,7 @@ groups:
text: "Create network segmentation using Network Policies (Not Scored)" text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them. Follow the documentation and create NetworkPolicy objects as you need them.
scored: false scored: false
@ -1335,6 +1342,7 @@ groups:
definitions (Not Scored)" definitions (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature- would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument. gates=AllAlpha=true" argument.
@ -1361,6 +1369,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)" text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers. Containers.
@ -1370,6 +1379,7 @@ groups:
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and setup image provenance. Follow the Kubernetes documentation and setup image provenance.
scored: false scored: false
@ -1377,6 +1387,7 @@ groups:
text: "Configure Network policies as appropriate (Not Scored)" text: "Configure Network policies as appropriate (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate. Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic: NetworkPolicy that selects all pods but does not allow any traffic:
@ -1393,6 +1404,7 @@ groups:
privileged containers usage (Not Scored)" privileged containers usage (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster. Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false scored: false
@ -1403,6 +1415,7 @@ groups:
text: "Do not admit privileged containers (Not Scored)" text: "Do not admit privileged containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
scored: false scored: false
@ -1410,6 +1423,7 @@ groups:
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)" text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
scored: false scored: false
@ -1417,6 +1431,7 @@ groups:
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)" text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
scored: false scored: false
@ -1424,6 +1439,7 @@ groups:
text: "Do not admit containers wishing to share the host network namespace (Not Scored)" text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
scored: false scored: false
@ -1431,6 +1447,7 @@ groups:
text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)" text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
scored: false scored: false
@ -1438,6 +1455,7 @@ groups:
text: "Do not admit root containers (Not Scored)" text: "Do not admit root containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
scored: false scored: false
@ -1445,5 +1463,6 @@ groups:
text: "Do not admit containers with dangerous capabilities (Not Scored)" text: "Do not admit containers with dangerous capabilities (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false scored: false

View File

@ -451,8 +451,9 @@ groups:
- id: 2.2.7 - id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename> chmod 644 <filename>
scored: true scored: true

View File

@ -231,7 +231,7 @@ groups:
# To check if the property is set as expected, we need to parse the kubelet command # To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file. # instead reading the Kubelet Configuration file.
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
type: skip type: "skip"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -444,8 +444,9 @@ groups:
- id: 2.2.7 - id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename> chmod 644 <filename>
scored: true scored: true

View File

@ -188,7 +188,7 @@ groups:
- id: 1.1.12 - id: 1.1.12
text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)" text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: skip type: "skip"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -571,6 +571,7 @@ groups:
- flag: "--encryption-provider-config" - flag: "--encryption-provider-config"
set: true set: true
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file $apiserverconf on the Then, edit the API server pod specification file $apiserverconf on the
master node and set the --encryption-provider-config parameter master node and set the --encryption-provider-config parameter
@ -583,6 +584,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider. choose aescbc as the encryption provider.
For example, For example,
@ -1003,8 +1005,9 @@ groups:
text: "Ensure that the Container Network Interface file permissions are text: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)" set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>" audit: "stat -c %a <path/to/cni/files>"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod 644 <path/to/cni/files> chmod 644 <path/to/cni/files>
@ -1014,8 +1017,9 @@ groups:
text: "Ensure that the Container Network Interface file ownership is set text: "Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)" to root:root (Not Scored)"
audit: "stat -c %U:%G <path/to/cni/files>" audit: "stat -c %U:%G <path/to/cni/files>"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chown root:root <path/to/cni/files> chown root:root <path/to/cni/files>
@ -1194,6 +1198,7 @@ groups:
value: "root root" value: "root root"
set: true set: true
remediation: | remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, chown -R root:root /etc/kubernetes/pki/ For example, chown -R root:root /etc/kubernetes/pki/
scored: true scored: true
@ -1221,6 +1226,7 @@ groups:
value: "600" value: "600"
set: true set: true
remediation: | remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 644 /etc/kubernetes/pki/*.crt For example, chmod -R 644 /etc/kubernetes/pki/*.crt
scored: true scored: true
@ -1237,6 +1243,7 @@ groups:
value: "600" value: "600"
set: true set: true
remediation: | remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 600 /etc/kubernetes/pki/*.key For example, chmod -R 600 /etc/kubernetes/pki/*.key
scored: true scored: true
@ -1358,6 +1365,7 @@ groups:
- flag: "--trusted-ca-file" - flag: "--trusted-ca-file"
set: true set: true
remediation: | remediation: |
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service. etcd service.
Then, edit the etcd pod specification file $etcdconf on the Then, edit the etcd pod specification file $etcdconf on the
@ -1372,6 +1380,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required (Not Scored)" text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Remove any unneeded clusterrolebindings : Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name] kubectl delete clusterrolebinding [name]
scored: false scored: false
@ -1380,6 +1389,7 @@ groups:
text: "Create administrative boundaries between resources using namespaces (Not Scored)" text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you Follow the documentation and create namespaces for objects in your deployment as you
need them. need them.
scored: false scored: false
@ -1388,6 +1398,7 @@ groups:
text: "Create network segmentation using Network Policies (Not Scored)" text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them. Follow the documentation and create NetworkPolicy objects as you need them.
scored: false scored: false
@ -1396,6 +1407,7 @@ groups:
definitions (Not Scored)" definitions (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature- would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument. gates=AllAlpha=true" argument.
@ -1422,6 +1434,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)" text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers. Containers.
@ -1431,6 +1444,7 @@ groups:
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and setup image provenance. Follow the Kubernetes documentation and setup image provenance.
scored: false scored: false
@ -1438,6 +1452,7 @@ groups:
text: "Configure Network policies as appropriate (Not Scored)" text: "Configure Network policies as appropriate (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate. Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic: NetworkPolicy that selects all pods but does not allow any traffic:
@ -1454,6 +1469,7 @@ groups:
privileged containers usage (Not Scored)" privileged containers usage (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster. Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false scored: false
@ -1464,6 +1480,7 @@ groups:
text: "Do not admit privileged containers (Not Scored)" text: "Do not admit privileged containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
scored: false scored: false
@ -1471,6 +1488,7 @@ groups:
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)" text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
scored: false scored: false
@ -1478,6 +1496,7 @@ groups:
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)" text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
scored: false scored: false
@ -1485,6 +1504,7 @@ groups:
text: "Do not admit containers wishing to share the host network namespace (Not Scored)" text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
scored: false scored: false
@ -1492,6 +1512,7 @@ groups:
text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)" text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
scored: false scored: false
@ -1499,6 +1520,7 @@ groups:
text: "Do not admit root containers (Not Scored)" text: "Do not admit root containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
scored: false scored: false
@ -1506,5 +1528,6 @@ groups:
text: "Do not admit containers with dangerous capabilities (Not Scored)" text: "Do not admit containers with dangerous capabilities (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL. Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false scored: false

View File

@ -225,7 +225,7 @@ groups:
- id: 2.1.11 - id: 2.1.11
text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)" text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
type: skip type: "skip"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -433,8 +433,9 @@ groups:
- id: 2.2.7 - id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename> chmod 644 <filename>
scored: true scored: true

View File

@ -909,58 +909,73 @@ groups:
- id: 1.6.1 - id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)" text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual" type: "manual"
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]" remediation: |
[Manual test]
Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
scored: false scored: false
- id: 1.6.2 - id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)" text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster. remediation: |
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the [Manual test]
suggested Pod Security Policies for your environment." Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
suggested Pod Security Policies for your environment.
scored: false scored: false
- id: 1.6.3 - id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)" text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create namespaces for objects in your deployment as you remediation: |
need them." [Manual test]
Follow the documentation and create namespaces for objects in your deployment as you need them.
scored: false scored: false
- id: 1.6.4 - id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)" text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create NetworkPolicy objects as you need them." remediation: |
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false scored: false
- id: 1.6.5 - id: 1.6.5
text: "Avoid using Kubernetes Secrets (Not Scored)" text: "Avoid using Kubernetes Secrets (Not Scored)"
type: "manual" type: "manual"
remediation: "Use other mechanisms such as vaults to manage your cluster secrets." remediation: |
[Manual test]
Use other mechanisms such as vaults to manage your cluster secrets.
scored: false scored: false
- id: 1.6.6 - id: 1.6.6
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual" type: "manual"
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you remediation: |
would need to enable alpha features in the apiserver by passing \"--feature- [Manual test]
gates=AllAlpha=true\" argument.\n Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS would need to enable alpha features in the apiserver by passing "--feature-
parameter to \"--feature-gates=AllAlpha=true\" gates=AllAlpha=true" argument.
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\"" Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
parameter to "--feature-gates=AllAlpha=true"
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
scored: false scored: false
- id: 1.6.7 - id: 1.6.7
text: "Apply Security Context to Your Pods and Containers (Not Scored)" text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a remediation: |
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker [Manual test]
Containers." Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
scored: false scored: false
- id: 1.6.8 - id: 1.6.8
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and setup image provenance." remediation: |
[Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored: false scored: false

View File

@ -484,8 +484,10 @@ groups:
text: "Ensure that the encryption provider is set to aescbc (Scored)" text: "Ensure that the encryption provider is set to aescbc (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, remediation: |
choose aescbc as the encryption provider" [Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider
scored: true scored: true
- id: 1.2 - id: 1.2
@ -572,9 +574,11 @@ groups:
- id: 1.3.6 - id: 1.3.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)" text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the remediation: |
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include [Manual test]
\"--feature-gates=RotateKubeletServerCertificate=true\"" Edit the /etc/kubernetes/controller-manager file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
"--feature-gates=RotateKubeletServerCertificate=true"
scored: false scored: false
- id: 1.3.7 - id: 1.3.7
@ -971,58 +975,73 @@ groups:
- id: 1.6.1 - id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)" text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual" type: "manual"
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]" remediation: |
[Manual test]
Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
scored: false scored: false
- id: 1.6.2 - id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)" text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster. remediation: |
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the [Manual test]
suggested Pod Security Policies for your environment." Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
suggested Pod Security Policies for your environment.
scored: false scored: false
- id: 1.6.3 - id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)" text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create namespaces for objects in your deployment as you remediation: |
need them." [Manual test]
Follow the documentation and create namespaces for objects in your deployment as you need them.
scored: false scored: false
- id: 1.6.4 - id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)" text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the documentation and create NetworkPolicy objects as you need them." remediation: |
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false scored: false
- id: 1.6.5 - id: 1.6.5
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual" type: "manual"
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you remediation: |
would need to enable alpha features in the apiserver by passing \"--feature- [Manual test]
gates=AllAlpha=true\" argument.\n Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS would need to enable alpha features in the apiserver by passing "--feature-
parameter to \"--feature-gates=AllAlpha=true\" gates=AllAlpha=true" argument.
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\"" Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
parameter to "--feature-gates=AllAlpha=true"
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
scored: false scored: false
- id: 1.6.6 - id: 1.6.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)" text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a remediation: |
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker [Manual test]
Containers." Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
scored: false scored: false
- id: 1.6.7 - id: 1.6.7
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and setup image provenance." remediation: |
[Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored: false scored: false
- id: 1.6.8 - id: 1.6.8
text: "Configure Network policies as appropriate (Not Scored)" text: "Configure Network policies as appropriate (Not Scored)"
type: "manual" type: "manual"
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate." remediation: |
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
scored: false scored: false

View File

@ -559,6 +559,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider. choose aescbc as the encryption provider.
For example, For example,
@ -597,6 +598,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and set the desired audit policy in the Follow the Kubernetes documentation and set the desired audit policy in the
/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf /etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf
and set the below parameters. and set the below parameters.
@ -608,6 +610,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Edit the API server pod specification file $apiserverconf Edit the API server pod specification file $apiserverconf
and set the below parameter as appropriate and if needed. For example, and set the below parameter as appropriate and if needed. For example,
--request-timeout=300s --request-timeout=300s
@ -713,6 +716,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)" text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers. Containers.
@ -922,8 +926,9 @@ groups:
text: "Ensure that the Container Network Interface file permissions are text: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)" set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>" audit: "stat -c %a <path/to/cni/files>"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod 644 <path/to/cni/files> chmod 644 <path/to/cni/files>
@ -933,8 +938,9 @@ groups:
text: "Ensure that the Container Network Interface file ownership is set text: "Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)" to root:root (Not Scored)"
audit: "stat -c %U:%G <path/to/cni/files>" audit: "stat -c %U:%G <path/to/cni/files>"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chown root:root <path/to/cni/files> chown root:root <path/to/cni/files>
@ -1263,6 +1269,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required (Not Scored)" text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Remove any unneeded clusterrolebindings : Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name] kubectl delete clusterrolebinding [name]
scored: false scored: false
@ -1271,6 +1278,7 @@ groups:
text: "Create Pod Security Policies for your cluster (Not Scored)" text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the documentation and create and enforce Pod Security Policies for your cluster. Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
suggested Pod Security Policies for your environment. suggested Pod Security Policies for your environment.
@ -1280,6 +1288,7 @@ groups:
text: "Create administrative boundaries between resources using namespaces (Not Scored)" text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the documentation and create namespaces for objects in your deployment as you Follow the documentation and create namespaces for objects in your deployment as you
need them. need them.
scored: false scored: false
@ -1288,6 +1297,7 @@ groups:
text: "Create network segmentation using Network Policies (Not Scored)" text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the documentation and create NetworkPolicy objects as you need them. Follow the documentation and create NetworkPolicy objects as you need them.
scored: false scored: false
@ -1296,6 +1306,7 @@ groups:
definitions (Not Scored)" definitions (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature- would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument. gates=AllAlpha=true" argument.
@ -1322,6 +1333,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)" text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers. Containers.
@ -1331,6 +1343,7 @@ groups:
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and setup image provenance. Follow the Kubernetes documentation and setup image provenance.
scored: false scored: false
@ -1338,6 +1351,7 @@ groups:
text: "Configure Network policies as appropriate (Not Scored)" text: "Configure Network policies as appropriate (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate. Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic: NetworkPolicy that selects all pods but does not allow any traffic:
@ -1354,5 +1368,6 @@ groups:
privileged containers usage (Not Scored)" privileged containers usage (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster. Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false scored: false

View File

@ -423,8 +423,9 @@ groups:
- id: 2.2.7 - id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
Run the following command to modify the file permissions of the --client-ca-file Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename> chmod 644 <filename>
scored: true scored: true

View File

@ -410,7 +410,7 @@ groups:
- id: 1.23 - id: 1.23
text: "Verify that the service account lookup flag is not set" text: "Verify that the service account lookup flag is not set"
type: skip type: "skip"
scored: true scored: true
- id: 1.24 - id: 1.24
@ -675,8 +675,9 @@ groups:
- id: 1.37 - id: 1.37
text: "Adjust the request timeout argument for your cluster resources" text: "Adjust the request timeout argument for your cluster resources"
audit: "grep request-timeout /etc/origin/master/master-config.yaml" audit: "grep request-timeout /etc/origin/master/master-config.yaml"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
change the request-timeout value in the  /etc/origin/master/master-config.yaml change the request-timeout value in the  /etc/origin/master/master-config.yaml
scored: true scored: true
@ -1313,6 +1314,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required" text: "Ensure that the cluster-admin role is only used where required"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Review users, groups, serviceaccounts bound to cluster-admin: Review users, groups, serviceaccounts bound to cluster-admin:
oc get clusterrolebindings | grep cluster-admin oc get clusterrolebindings | grep cluster-admin
@ -1324,6 +1326,7 @@ groups:
text: "Verify Security Context Constraints as in use" text: "Verify Security Context Constraints as in use"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Review Security Context Constraints: Review Security Context Constraints:
oc get scc oc get scc
@ -1341,6 +1344,7 @@ groups:
text: "Use OpenShift projects to maintain boundaries between resources" text: "Use OpenShift projects to maintain boundaries between resources"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Review projects: Review projects:
oc get projects oc get projects
scored: false scored: false
@ -1349,6 +1353,7 @@ groups:
text: "Create network segmentation using the Multi-tenant plugin or Network Policies" text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Verify on masters the plugin being used: Verify on masters the plugin being used:
grep networkPluginName /etc/origin/master/master-config.yaml grep networkPluginName /etc/origin/master/master-config.yaml
@ -1372,6 +1377,7 @@ groups:
text: "Enable seccomp and configure custom Security Context Constraints" text: "Enable seccomp and configure custom Security Context Constraints"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Verify SCCs that have been configured with seccomp: Verify SCCs that have been configured with seccomp:
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
@ -1386,6 +1392,7 @@ groups:
text: "Review Security Context Constraints" text: "Review Security Context Constraints"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Review SCCs: Review SCCs:
oc describe scc oc describe scc
@ -1410,6 +1417,7 @@ groups:
text: "Manage Image Provenance using ImagePolicyWebhook admission controller" text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Review imagePolicyConfig in /etc/origin/master/master-config.yaml. Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
scored: false scored: false
@ -1417,6 +1425,7 @@ groups:
text: "Configure Network policies as appropriate" text: "Configure Network policies as appropriate"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
If ovs-networkplugin is used, review network policies: If ovs-networkplugin is used, review network policies:
oc get networkpolicies oc get networkpolicies
@ -1429,6 +1438,7 @@ groups:
text: "Use Security Context Constraints as compensating controls for privileged containers" text: "Use Security Context Constraints as compensating controls for privileged containers"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
1) Determine all sccs allowing privileged containers: 1) Determine all sccs allowing privileged containers:
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
2) Review users and groups assigned to sccs allowing priviliged containers: 2) Review users and groups assigned to sccs allowing priviliged containers:

View File

@ -410,7 +410,7 @@ groups:
- id: 1.23 - id: 1.23
text: "Verify that the service account lookup flag is not set" text: "Verify that the service account lookup flag is not set"
type: skip type: "skip"
scored: true scored: true
- id: 1.24 - id: 1.24
@ -675,8 +675,9 @@ groups:
- id: 1.37 - id: 1.37
text: "Adjust the request timeout argument for your cluster resources" text: "Adjust the request timeout argument for your cluster resources"
audit: "grep request-timeout /etc/origin/master/master-config.yaml" audit: "grep request-timeout /etc/origin/master/master-config.yaml"
type: manual type: "manual"
remediation: | remediation: |
[Manual test]
change the request-timeout value in the  /etc/origin/master/master-config.yaml change the request-timeout value in the  /etc/origin/master/master-config.yaml
scored: true scored: true
@ -1313,6 +1314,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required" text: "Ensure that the cluster-admin role is only used where required"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Review users, groups, serviceaccounts bound to cluster-admin: Review users, groups, serviceaccounts bound to cluster-admin:
oc get clusterrolebindings | grep cluster-admin oc get clusterrolebindings | grep cluster-admin
@ -1324,6 +1326,7 @@ groups:
text: "Verify Security Context Constraints as in use" text: "Verify Security Context Constraints as in use"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Review Security Context Constraints: Review Security Context Constraints:
oc get scc oc get scc
@ -1341,6 +1344,7 @@ groups:
text: "Use OpenShift projects to maintain boundaries between resources" text: "Use OpenShift projects to maintain boundaries between resources"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Review projects: Review projects:
oc get projects oc get projects
scored: false scored: false
@ -1349,6 +1353,7 @@ groups:
text: "Create network segmentation using the Multi-tenant plugin or Network Policies" text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Verify on masters the plugin being used: Verify on masters the plugin being used:
grep networkPluginName /etc/origin/master/master-config.yaml grep networkPluginName /etc/origin/master/master-config.yaml
@ -1372,6 +1377,7 @@ groups:
text: "Enable seccomp and configure custom Security Context Constraints" text: "Enable seccomp and configure custom Security Context Constraints"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Verify SCCs that have been configured with seccomp: Verify SCCs that have been configured with seccomp:
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
@ -1386,6 +1392,7 @@ groups:
text: "Review Security Context Constraints" text: "Review Security Context Constraints"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Review SCCs: Review SCCs:
oc describe scc oc describe scc
@ -1410,6 +1417,7 @@ groups:
text: "Manage Image Provenance using ImagePolicyWebhook admission controller" text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
Review imagePolicyConfig in /etc/origin/master/master-config.yaml. Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
scored: false scored: false
@ -1417,6 +1425,7 @@ groups:
text: "Configure Network policies as appropriate" text: "Configure Network policies as appropriate"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
If ovs-networkplugin is used, review network policies: If ovs-networkplugin is used, review network policies:
oc get networkpolicies oc get networkpolicies
@ -1429,6 +1438,7 @@ groups:
text: "Use Security Context Constraints as compensating controls for privileged containers" text: "Use Security Context Constraints as compensating controls for privileged containers"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test]
1) Determine all sccs allowing privileged containers: 1) Determine all sccs allowing privileged containers:
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
2) Review users and groups assigned to sccs allowing priviliged containers: 2) Review users and groups assigned to sccs allowing priviliged containers: