mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-24 07:28:06 +00:00
Add [Manual test] to remediation in all the manual tests (#435)
This commit is contained in:
parent
37f626dce6
commit
89afda1f63
@ -462,8 +462,9 @@ groups:
|
|||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
text: "Ensure that the certificate authorities file permissions are set to
|
text: "Ensure that the certificate authorities file permissions are set to
|
||||||
644 or more restrictive (Scored)"
|
644 or more restrictive (Scored)"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the following command to modify the file permissions of the --client-ca-file
|
Run the following command to modify the file permissions of the --client-ca-file
|
||||||
chmod 644 <filename>
|
chmod 644 <filename>
|
||||||
scored: true
|
scored: true
|
||||||
|
@ -579,6 +579,7 @@ groups:
|
|||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
||||||
choose aescbc as the encryption provider.
|
choose aescbc as the encryption provider.
|
||||||
For example,
|
For example,
|
||||||
@ -1001,8 +1002,9 @@ groups:
|
|||||||
text: "Ensure that the Container Network Interface file permissions are
|
text: "Ensure that the Container Network Interface file permissions are
|
||||||
set to 644 or more restrictive (Not Scored)"
|
set to 644 or more restrictive (Not Scored)"
|
||||||
audit: "stat -c %a <path/to/cni/files>"
|
audit: "stat -c %a <path/to/cni/files>"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chmod 644 <path/to/cni/files>
|
chmod 644 <path/to/cni/files>
|
||||||
@ -1012,8 +1014,9 @@ groups:
|
|||||||
text: "Ensure that the Container Network Interface file ownership is set
|
text: "Ensure that the Container Network Interface file ownership is set
|
||||||
to root:root (Not Scored)"
|
to root:root (Not Scored)"
|
||||||
audit: "stat -c %U:%G <path/to/cni/files>"
|
audit: "stat -c %U:%G <path/to/cni/files>"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chown root:root <path/to/cni/files>
|
chown root:root <path/to/cni/files>
|
||||||
@ -1297,6 +1300,7 @@ groups:
|
|||||||
- flag: "--trusted-ca-file"
|
- flag: "--trusted-ca-file"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the etcd documentation and create a dedicated certificate authority setup for the
|
Follow the etcd documentation and create a dedicated certificate authority setup for the
|
||||||
etcd service.
|
etcd service.
|
||||||
Then, edit the etcd pod specification file $etcdconf on the
|
Then, edit the etcd pod specification file $etcdconf on the
|
||||||
@ -1311,6 +1315,7 @@ groups:
|
|||||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Remove any unneeded clusterrolebindings :
|
Remove any unneeded clusterrolebindings :
|
||||||
kubectl delete clusterrolebinding [name]
|
kubectl delete clusterrolebinding [name]
|
||||||
scored: false
|
scored: false
|
||||||
@ -1319,6 +1324,7 @@ groups:
|
|||||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the documentation and create namespaces for objects in your deployment as you
|
Follow the documentation and create namespaces for objects in your deployment as you
|
||||||
need them.
|
need them.
|
||||||
scored: false
|
scored: false
|
||||||
@ -1327,6 +1333,7 @@ groups:
|
|||||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1335,6 +1342,7 @@ groups:
|
|||||||
definitions (Not Scored)"
|
definitions (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||||
would need to enable alpha features in the apiserver by passing "--feature-
|
would need to enable alpha features in the apiserver by passing "--feature-
|
||||||
gates=AllAlpha=true" argument.
|
gates=AllAlpha=true" argument.
|
||||||
@ -1361,6 +1369,7 @@ groups:
|
|||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||||
Containers.
|
Containers.
|
||||||
@ -1370,6 +1379,7 @@ groups:
|
|||||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and setup image provenance.
|
Follow the Kubernetes documentation and setup image provenance.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1377,6 +1387,7 @@ groups:
|
|||||||
text: "Configure Network policies as appropriate (Not Scored)"
|
text: "Configure Network policies as appropriate (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and setup network policies as appropriate.
|
Follow the Kubernetes documentation and setup network policies as appropriate.
|
||||||
For example, you could create a "default" isolation policy for a Namespace by creating a
|
For example, you could create a "default" isolation policy for a Namespace by creating a
|
||||||
NetworkPolicy that selects all pods but does not allow any traffic:
|
NetworkPolicy that selects all pods but does not allow any traffic:
|
||||||
@ -1393,6 +1404,7 @@ groups:
|
|||||||
privileged containers usage (Not Scored)"
|
privileged containers usage (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
|
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1403,6 +1415,7 @@ groups:
|
|||||||
text: "Do not admit privileged containers (Not Scored)"
|
text: "Do not admit privileged containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1410,6 +1423,7 @@ groups:
|
|||||||
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
|
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1417,6 +1431,7 @@ groups:
|
|||||||
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
|
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1424,6 +1439,7 @@ groups:
|
|||||||
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
|
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1431,6 +1447,7 @@ groups:
|
|||||||
text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)"
|
text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1438,6 +1455,7 @@ groups:
|
|||||||
text: "Do not admit root containers (Not Scored)"
|
text: "Do not admit root containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1445,5 +1463,6 @@ groups:
|
|||||||
text: "Do not admit containers with dangerous capabilities (Not Scored)"
|
text: "Do not admit containers with dangerous capabilities (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
|
||||||
scored: false
|
scored: false
|
||||||
|
@ -451,8 +451,9 @@ groups:
|
|||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
text: "Ensure that the certificate authorities file permissions are set to
|
text: "Ensure that the certificate authorities file permissions are set to
|
||||||
644 or more restrictive (Scored)"
|
644 or more restrictive (Scored)"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the following command to modify the file permissions of the --client-ca-file
|
Run the following command to modify the file permissions of the --client-ca-file
|
||||||
chmod 644 <filename>
|
chmod 644 <filename>
|
||||||
scored: true
|
scored: true
|
||||||
|
@ -231,7 +231,7 @@ groups:
|
|||||||
# To check if the property is set as expected, we need to parse the kubelet command
|
# To check if the property is set as expected, we need to parse the kubelet command
|
||||||
# instead reading the Kubelet Configuration file.
|
# instead reading the Kubelet Configuration file.
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
type: skip
|
type: "skip"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
@ -444,8 +444,9 @@ groups:
|
|||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
text: "Ensure that the certificate authorities file permissions are set to
|
text: "Ensure that the certificate authorities file permissions are set to
|
||||||
644 or more restrictive (Scored)"
|
644 or more restrictive (Scored)"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the following command to modify the file permissions of the --client-ca-file
|
Run the following command to modify the file permissions of the --client-ca-file
|
||||||
chmod 644 <filename>
|
chmod 644 <filename>
|
||||||
scored: true
|
scored: true
|
||||||
|
@ -188,7 +188,7 @@ groups:
|
|||||||
- id: 1.1.12
|
- id: 1.1.12
|
||||||
text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
|
text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: skip
|
type: "skip"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--enable-admission-plugins"
|
- flag: "--enable-admission-plugins"
|
||||||
@ -571,6 +571,7 @@ groups:
|
|||||||
- flag: "--encryption-provider-config"
|
- flag: "--encryption-provider-config"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and configure a EncryptionConfig file.
|
Follow the Kubernetes documentation and configure a EncryptionConfig file.
|
||||||
Then, edit the API server pod specification file $apiserverconf on the
|
Then, edit the API server pod specification file $apiserverconf on the
|
||||||
master node and set the --encryption-provider-config parameter
|
master node and set the --encryption-provider-config parameter
|
||||||
@ -583,6 +584,7 @@ groups:
|
|||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
||||||
choose aescbc as the encryption provider.
|
choose aescbc as the encryption provider.
|
||||||
For example,
|
For example,
|
||||||
@ -1003,8 +1005,9 @@ groups:
|
|||||||
text: "Ensure that the Container Network Interface file permissions are
|
text: "Ensure that the Container Network Interface file permissions are
|
||||||
set to 644 or more restrictive (Not Scored)"
|
set to 644 or more restrictive (Not Scored)"
|
||||||
audit: "stat -c %a <path/to/cni/files>"
|
audit: "stat -c %a <path/to/cni/files>"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chmod 644 <path/to/cni/files>
|
chmod 644 <path/to/cni/files>
|
||||||
@ -1014,8 +1017,9 @@ groups:
|
|||||||
text: "Ensure that the Container Network Interface file ownership is set
|
text: "Ensure that the Container Network Interface file ownership is set
|
||||||
to root:root (Not Scored)"
|
to root:root (Not Scored)"
|
||||||
audit: "stat -c %U:%G <path/to/cni/files>"
|
audit: "stat -c %U:%G <path/to/cni/files>"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chown root:root <path/to/cni/files>
|
chown root:root <path/to/cni/files>
|
||||||
@ -1194,6 +1198,7 @@ groups:
|
|||||||
value: "root root"
|
value: "root root"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example, chown -R root:root /etc/kubernetes/pki/
|
For example, chown -R root:root /etc/kubernetes/pki/
|
||||||
scored: true
|
scored: true
|
||||||
@ -1221,6 +1226,7 @@ groups:
|
|||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
|
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
|
||||||
scored: true
|
scored: true
|
||||||
@ -1237,6 +1243,7 @@ groups:
|
|||||||
value: "600"
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example, chmod -R 600 /etc/kubernetes/pki/*.key
|
For example, chmod -R 600 /etc/kubernetes/pki/*.key
|
||||||
scored: true
|
scored: true
|
||||||
@ -1358,6 +1365,7 @@ groups:
|
|||||||
- flag: "--trusted-ca-file"
|
- flag: "--trusted-ca-file"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the etcd documentation and create a dedicated certificate authority setup for the
|
Follow the etcd documentation and create a dedicated certificate authority setup for the
|
||||||
etcd service.
|
etcd service.
|
||||||
Then, edit the etcd pod specification file $etcdconf on the
|
Then, edit the etcd pod specification file $etcdconf on the
|
||||||
@ -1372,6 +1380,7 @@ groups:
|
|||||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Remove any unneeded clusterrolebindings :
|
Remove any unneeded clusterrolebindings :
|
||||||
kubectl delete clusterrolebinding [name]
|
kubectl delete clusterrolebinding [name]
|
||||||
scored: false
|
scored: false
|
||||||
@ -1380,6 +1389,7 @@ groups:
|
|||||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the documentation and create namespaces for objects in your deployment as you
|
Follow the documentation and create namespaces for objects in your deployment as you
|
||||||
need them.
|
need them.
|
||||||
scored: false
|
scored: false
|
||||||
@ -1388,6 +1398,7 @@ groups:
|
|||||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1396,6 +1407,7 @@ groups:
|
|||||||
definitions (Not Scored)"
|
definitions (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||||
would need to enable alpha features in the apiserver by passing "--feature-
|
would need to enable alpha features in the apiserver by passing "--feature-
|
||||||
gates=AllAlpha=true" argument.
|
gates=AllAlpha=true" argument.
|
||||||
@ -1422,6 +1434,7 @@ groups:
|
|||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||||
Containers.
|
Containers.
|
||||||
@ -1431,6 +1444,7 @@ groups:
|
|||||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and setup image provenance.
|
Follow the Kubernetes documentation and setup image provenance.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1438,6 +1452,7 @@ groups:
|
|||||||
text: "Configure Network policies as appropriate (Not Scored)"
|
text: "Configure Network policies as appropriate (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and setup network policies as appropriate.
|
Follow the Kubernetes documentation and setup network policies as appropriate.
|
||||||
For example, you could create a "default" isolation policy for a Namespace by creating a
|
For example, you could create a "default" isolation policy for a Namespace by creating a
|
||||||
NetworkPolicy that selects all pods but does not allow any traffic:
|
NetworkPolicy that selects all pods but does not allow any traffic:
|
||||||
@ -1454,6 +1469,7 @@ groups:
|
|||||||
privileged containers usage (Not Scored)"
|
privileged containers usage (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
|
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1464,6 +1480,7 @@ groups:
|
|||||||
text: "Do not admit privileged containers (Not Scored)"
|
text: "Do not admit privileged containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1471,6 +1488,7 @@ groups:
|
|||||||
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
|
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1478,6 +1496,7 @@ groups:
|
|||||||
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
|
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1485,6 +1504,7 @@ groups:
|
|||||||
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
|
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1492,6 +1512,7 @@ groups:
|
|||||||
text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"
|
text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1499,6 +1520,7 @@ groups:
|
|||||||
text: "Do not admit root containers (Not Scored)"
|
text: "Do not admit root containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1506,5 +1528,6 @@ groups:
|
|||||||
text: "Do not admit containers with dangerous capabilities (Not Scored)"
|
text: "Do not admit containers with dangerous capabilities (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
|
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
|
||||||
scored: false
|
scored: false
|
||||||
|
@ -225,7 +225,7 @@ groups:
|
|||||||
- id: 2.1.11
|
- id: 2.1.11
|
||||||
text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
|
text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
type: skip
|
type: "skip"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
@ -433,8 +433,9 @@ groups:
|
|||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
text: "Ensure that the certificate authorities file permissions are set to
|
text: "Ensure that the certificate authorities file permissions are set to
|
||||||
644 or more restrictive (Scored)"
|
644 or more restrictive (Scored)"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the following command to modify the file permissions of the --client-ca-file
|
Run the following command to modify the file permissions of the --client-ca-file
|
||||||
chmod 644 <filename>
|
chmod 644 <filename>
|
||||||
scored: true
|
scored: true
|
||||||
|
@ -909,58 +909,73 @@ groups:
|
|||||||
- id: 1.6.1
|
- id: 1.6.1
|
||||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
|
Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.2
|
- id: 1.6.2
|
||||||
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
remediation: |
|
||||||
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
|
[Manual test]
|
||||||
suggested Pod Security Policies for your environment."
|
Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||||
|
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
|
||||||
|
suggested Pod Security Policies for your environment.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.3
|
- id: 1.6.3
|
||||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
|
remediation: |
|
||||||
need them."
|
[Manual test]
|
||||||
|
Follow the documentation and create namespaces for objects in your deployment as you need them.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.4
|
- id: 1.6.4
|
||||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
|
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.5
|
- id: 1.6.5
|
||||||
text: "Avoid using Kubernetes Secrets (Not Scored)"
|
text: "Avoid using Kubernetes Secrets (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Use other mechanisms such as vaults to manage your cluster secrets."
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
|
Use other mechanisms such as vaults to manage your cluster secrets.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
|
|
||||||
- id: 1.6.6
|
- id: 1.6.6
|
||||||
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
remediation: |
|
||||||
would need to enable alpha features in the apiserver by passing \"--feature-
|
[Manual test]
|
||||||
gates=AllAlpha=true\" argument.\n
|
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||||
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
|
would need to enable alpha features in the apiserver by passing "--feature-
|
||||||
parameter to \"--feature-gates=AllAlpha=true\"
|
gates=AllAlpha=true" argument.
|
||||||
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
|
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
|
||||||
|
parameter to "--feature-gates=AllAlpha=true"
|
||||||
|
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.7
|
- id: 1.6.7
|
||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
remediation: |
|
||||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
[Manual test]
|
||||||
Containers."
|
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||||
|
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||||
|
Containers.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.8
|
- id: 1.6.8
|
||||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and setup image provenance."
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
|
Follow the Kubernetes documentation and setup image provenance.
|
||||||
scored: false
|
scored: false
|
||||||
|
@ -484,8 +484,10 @@ groups:
|
|||||||
text: "Ensure that the encryption provider is set to aescbc (Scored)"
|
text: "Ensure that the encryption provider is set to aescbc (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
remediation: |
|
||||||
choose aescbc as the encryption provider"
|
[Manual test]
|
||||||
|
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
||||||
|
choose aescbc as the encryption provider
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.2
|
- id: 1.2
|
||||||
@ -572,9 +574,11 @@ groups:
|
|||||||
- id: 1.3.6
|
- id: 1.3.6
|
||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
|
remediation: |
|
||||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
|
[Manual test]
|
||||||
\"--feature-gates=RotateKubeletServerCertificate=true\""
|
Edit the /etc/kubernetes/controller-manager file on the master node and set the
|
||||||
|
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
|
||||||
|
"--feature-gates=RotateKubeletServerCertificate=true"
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.3.7
|
- id: 1.3.7
|
||||||
@ -971,58 +975,73 @@ groups:
|
|||||||
- id: 1.6.1
|
- id: 1.6.1
|
||||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
|
Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.2
|
- id: 1.6.2
|
||||||
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
remediation: |
|
||||||
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
|
[Manual test]
|
||||||
suggested Pod Security Policies for your environment."
|
Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||||
|
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
|
||||||
|
suggested Pod Security Policies for your environment.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.3
|
- id: 1.6.3
|
||||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
|
remediation: |
|
||||||
need them."
|
[Manual test]
|
||||||
|
Follow the documentation and create namespaces for objects in your deployment as you need them.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.4
|
- id: 1.6.4
|
||||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
|
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.5
|
- id: 1.6.5
|
||||||
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
remediation: |
|
||||||
would need to enable alpha features in the apiserver by passing \"--feature-
|
[Manual test]
|
||||||
gates=AllAlpha=true\" argument.\n
|
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||||
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
|
would need to enable alpha features in the apiserver by passing "--feature-
|
||||||
parameter to \"--feature-gates=AllAlpha=true\"
|
gates=AllAlpha=true" argument.
|
||||||
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
|
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
|
||||||
|
parameter to "--feature-gates=AllAlpha=true"
|
||||||
|
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.6
|
- id: 1.6.6
|
||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
remediation: |
|
||||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
[Manual test]
|
||||||
Containers."
|
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||||
|
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||||
|
Containers.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.7
|
- id: 1.6.7
|
||||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and setup image provenance."
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
|
Follow the Kubernetes documentation and setup image provenance.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.8
|
- id: 1.6.8
|
||||||
text: "Configure Network policies as appropriate (Not Scored)"
|
text: "Configure Network policies as appropriate (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
|
Follow the Kubernetes documentation and setup network policies as appropriate.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
|
@ -559,6 +559,7 @@ groups:
|
|||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
||||||
choose aescbc as the encryption provider.
|
choose aescbc as the encryption provider.
|
||||||
For example,
|
For example,
|
||||||
@ -597,6 +598,7 @@ groups:
|
|||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and set the desired audit policy in the
|
Follow the Kubernetes documentation and set the desired audit policy in the
|
||||||
/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf
|
/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf
|
||||||
and set the below parameters.
|
and set the below parameters.
|
||||||
@ -608,6 +610,7 @@ groups:
|
|||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Edit the API server pod specification file $apiserverconf
|
Edit the API server pod specification file $apiserverconf
|
||||||
and set the below parameter as appropriate and if needed. For example,
|
and set the below parameter as appropriate and if needed. For example,
|
||||||
--request-timeout=300s
|
--request-timeout=300s
|
||||||
@ -713,6 +716,7 @@ groups:
|
|||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||||
Containers.
|
Containers.
|
||||||
@ -922,8 +926,9 @@ groups:
|
|||||||
text: "Ensure that the Container Network Interface file permissions are
|
text: "Ensure that the Container Network Interface file permissions are
|
||||||
set to 644 or more restrictive (Not Scored)"
|
set to 644 or more restrictive (Not Scored)"
|
||||||
audit: "stat -c %a <path/to/cni/files>"
|
audit: "stat -c %a <path/to/cni/files>"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chmod 644 <path/to/cni/files>
|
chmod 644 <path/to/cni/files>
|
||||||
@ -933,8 +938,9 @@ groups:
|
|||||||
text: "Ensure that the Container Network Interface file ownership is set
|
text: "Ensure that the Container Network Interface file ownership is set
|
||||||
to root:root (Not Scored)"
|
to root:root (Not Scored)"
|
||||||
audit: "stat -c %U:%G <path/to/cni/files>"
|
audit: "stat -c %U:%G <path/to/cni/files>"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the below command (based on the file location on your system) on the master node.
|
Run the below command (based on the file location on your system) on the master node.
|
||||||
For example,
|
For example,
|
||||||
chown root:root <path/to/cni/files>
|
chown root:root <path/to/cni/files>
|
||||||
@ -1263,6 +1269,7 @@ groups:
|
|||||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Remove any unneeded clusterrolebindings :
|
Remove any unneeded clusterrolebindings :
|
||||||
kubectl delete clusterrolebinding [name]
|
kubectl delete clusterrolebinding [name]
|
||||||
scored: false
|
scored: false
|
||||||
@ -1271,6 +1278,7 @@ groups:
|
|||||||
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||||
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
|
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
|
||||||
suggested Pod Security Policies for your environment.
|
suggested Pod Security Policies for your environment.
|
||||||
@ -1280,6 +1288,7 @@ groups:
|
|||||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the documentation and create namespaces for objects in your deployment as you
|
Follow the documentation and create namespaces for objects in your deployment as you
|
||||||
need them.
|
need them.
|
||||||
scored: false
|
scored: false
|
||||||
@ -1288,6 +1297,7 @@ groups:
|
|||||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1296,6 +1306,7 @@ groups:
|
|||||||
definitions (Not Scored)"
|
definitions (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||||
would need to enable alpha features in the apiserver by passing "--feature-
|
would need to enable alpha features in the apiserver by passing "--feature-
|
||||||
gates=AllAlpha=true" argument.
|
gates=AllAlpha=true" argument.
|
||||||
@ -1322,6 +1333,7 @@ groups:
|
|||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||||
Containers.
|
Containers.
|
||||||
@ -1331,6 +1343,7 @@ groups:
|
|||||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and setup image provenance.
|
Follow the Kubernetes documentation and setup image provenance.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1338,6 +1351,7 @@ groups:
|
|||||||
text: "Configure Network policies as appropriate (Not Scored)"
|
text: "Configure Network policies as appropriate (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow the Kubernetes documentation and setup network policies as appropriate.
|
Follow the Kubernetes documentation and setup network policies as appropriate.
|
||||||
For example, you could create a "default" isolation policy for a Namespace by creating a
|
For example, you could create a "default" isolation policy for a Namespace by creating a
|
||||||
NetworkPolicy that selects all pods but does not allow any traffic:
|
NetworkPolicy that selects all pods but does not allow any traffic:
|
||||||
@ -1354,5 +1368,6 @@ groups:
|
|||||||
privileged containers usage (Not Scored)"
|
privileged containers usage (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
|
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
|
||||||
scored: false
|
scored: false
|
||||||
|
@ -423,8 +423,9 @@ groups:
|
|||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
text: "Ensure that the certificate authorities file permissions are set to
|
text: "Ensure that the certificate authorities file permissions are set to
|
||||||
644 or more restrictive (Scored)"
|
644 or more restrictive (Scored)"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Run the following command to modify the file permissions of the --client-ca-file
|
Run the following command to modify the file permissions of the --client-ca-file
|
||||||
chmod 644 <filename>
|
chmod 644 <filename>
|
||||||
scored: true
|
scored: true
|
||||||
|
@ -410,7 +410,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.23
|
- id: 1.23
|
||||||
text: "Verify that the service account lookup flag is not set"
|
text: "Verify that the service account lookup flag is not set"
|
||||||
type: skip
|
type: "skip"
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.24
|
- id: 1.24
|
||||||
@ -675,8 +675,9 @@ groups:
|
|||||||
- id: 1.37
|
- id: 1.37
|
||||||
text: "Adjust the request timeout argument for your cluster resources"
|
text: "Adjust the request timeout argument for your cluster resources"
|
||||||
audit: "grep request-timeout /etc/origin/master/master-config.yaml"
|
audit: "grep request-timeout /etc/origin/master/master-config.yaml"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
change the request-timeout value in the /etc/origin/master/master-config.yaml
|
change the request-timeout value in the /etc/origin/master/master-config.yaml
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
@ -1313,6 +1314,7 @@ groups:
|
|||||||
text: "Ensure that the cluster-admin role is only used where required"
|
text: "Ensure that the cluster-admin role is only used where required"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Review users, groups, serviceaccounts bound to cluster-admin:
|
Review users, groups, serviceaccounts bound to cluster-admin:
|
||||||
oc get clusterrolebindings | grep cluster-admin
|
oc get clusterrolebindings | grep cluster-admin
|
||||||
|
|
||||||
@ -1324,6 +1326,7 @@ groups:
|
|||||||
text: "Verify Security Context Constraints as in use"
|
text: "Verify Security Context Constraints as in use"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Review Security Context Constraints:
|
Review Security Context Constraints:
|
||||||
oc get scc
|
oc get scc
|
||||||
|
|
||||||
@ -1341,6 +1344,7 @@ groups:
|
|||||||
text: "Use OpenShift projects to maintain boundaries between resources"
|
text: "Use OpenShift projects to maintain boundaries between resources"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Review projects:
|
Review projects:
|
||||||
oc get projects
|
oc get projects
|
||||||
scored: false
|
scored: false
|
||||||
@ -1349,6 +1353,7 @@ groups:
|
|||||||
text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
|
text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Verify on masters the plugin being used:
|
Verify on masters the plugin being used:
|
||||||
grep networkPluginName /etc/origin/master/master-config.yaml
|
grep networkPluginName /etc/origin/master/master-config.yaml
|
||||||
|
|
||||||
@ -1372,6 +1377,7 @@ groups:
|
|||||||
text: "Enable seccomp and configure custom Security Context Constraints"
|
text: "Enable seccomp and configure custom Security Context Constraints"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Verify SCCs that have been configured with seccomp:
|
Verify SCCs that have been configured with seccomp:
|
||||||
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
|
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
|
||||||
|
|
||||||
@ -1386,6 +1392,7 @@ groups:
|
|||||||
text: "Review Security Context Constraints"
|
text: "Review Security Context Constraints"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Review SCCs:
|
Review SCCs:
|
||||||
oc describe scc
|
oc describe scc
|
||||||
|
|
||||||
@ -1410,6 +1417,7 @@ groups:
|
|||||||
text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
|
text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
|
Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1417,6 +1425,7 @@ groups:
|
|||||||
text: "Configure Network policies as appropriate"
|
text: "Configure Network policies as appropriate"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
If ovs-networkplugin is used, review network policies:
|
If ovs-networkplugin is used, review network policies:
|
||||||
oc get networkpolicies
|
oc get networkpolicies
|
||||||
|
|
||||||
@ -1429,6 +1438,7 @@ groups:
|
|||||||
text: "Use Security Context Constraints as compensating controls for privileged containers"
|
text: "Use Security Context Constraints as compensating controls for privileged containers"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
1) Determine all sccs allowing privileged containers:
|
1) Determine all sccs allowing privileged containers:
|
||||||
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
|
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
|
||||||
2) Review users and groups assigned to sccs allowing priviliged containers:
|
2) Review users and groups assigned to sccs allowing priviliged containers:
|
||||||
|
@ -410,7 +410,7 @@ groups:
|
|||||||
|
|
||||||
- id: 1.23
|
- id: 1.23
|
||||||
text: "Verify that the service account lookup flag is not set"
|
text: "Verify that the service account lookup flag is not set"
|
||||||
type: skip
|
type: "skip"
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.24
|
- id: 1.24
|
||||||
@ -675,8 +675,9 @@ groups:
|
|||||||
- id: 1.37
|
- id: 1.37
|
||||||
text: "Adjust the request timeout argument for your cluster resources"
|
text: "Adjust the request timeout argument for your cluster resources"
|
||||||
audit: "grep request-timeout /etc/origin/master/master-config.yaml"
|
audit: "grep request-timeout /etc/origin/master/master-config.yaml"
|
||||||
type: manual
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
change the request-timeout value in the /etc/origin/master/master-config.yaml
|
change the request-timeout value in the /etc/origin/master/master-config.yaml
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
@ -1313,6 +1314,7 @@ groups:
|
|||||||
text: "Ensure that the cluster-admin role is only used where required"
|
text: "Ensure that the cluster-admin role is only used where required"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Review users, groups, serviceaccounts bound to cluster-admin:
|
Review users, groups, serviceaccounts bound to cluster-admin:
|
||||||
oc get clusterrolebindings | grep cluster-admin
|
oc get clusterrolebindings | grep cluster-admin
|
||||||
|
|
||||||
@ -1324,6 +1326,7 @@ groups:
|
|||||||
text: "Verify Security Context Constraints as in use"
|
text: "Verify Security Context Constraints as in use"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Review Security Context Constraints:
|
Review Security Context Constraints:
|
||||||
oc get scc
|
oc get scc
|
||||||
|
|
||||||
@ -1341,6 +1344,7 @@ groups:
|
|||||||
text: "Use OpenShift projects to maintain boundaries between resources"
|
text: "Use OpenShift projects to maintain boundaries between resources"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Review projects:
|
Review projects:
|
||||||
oc get projects
|
oc get projects
|
||||||
scored: false
|
scored: false
|
||||||
@ -1349,6 +1353,7 @@ groups:
|
|||||||
text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
|
text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Verify on masters the plugin being used:
|
Verify on masters the plugin being used:
|
||||||
grep networkPluginName /etc/origin/master/master-config.yaml
|
grep networkPluginName /etc/origin/master/master-config.yaml
|
||||||
|
|
||||||
@ -1372,6 +1377,7 @@ groups:
|
|||||||
text: "Enable seccomp and configure custom Security Context Constraints"
|
text: "Enable seccomp and configure custom Security Context Constraints"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Verify SCCs that have been configured with seccomp:
|
Verify SCCs that have been configured with seccomp:
|
||||||
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
|
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
|
||||||
|
|
||||||
@ -1386,6 +1392,7 @@ groups:
|
|||||||
text: "Review Security Context Constraints"
|
text: "Review Security Context Constraints"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Review SCCs:
|
Review SCCs:
|
||||||
oc describe scc
|
oc describe scc
|
||||||
|
|
||||||
@ -1410,6 +1417,7 @@ groups:
|
|||||||
text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
|
text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
|
Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
@ -1417,6 +1425,7 @@ groups:
|
|||||||
text: "Configure Network policies as appropriate"
|
text: "Configure Network policies as appropriate"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
If ovs-networkplugin is used, review network policies:
|
If ovs-networkplugin is used, review network policies:
|
||||||
oc get networkpolicies
|
oc get networkpolicies
|
||||||
|
|
||||||
@ -1429,6 +1438,7 @@ groups:
|
|||||||
text: "Use Security Context Constraints as compensating controls for privileged containers"
|
text: "Use Security Context Constraints as compensating controls for privileged containers"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
[Manual test]
|
||||||
1) Determine all sccs allowing privileged containers:
|
1) Determine all sccs allowing privileged containers:
|
||||||
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
|
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
|
||||||
2) Review users and groups assigned to sccs allowing priviliged containers:
|
2) Review users and groups assigned to sccs allowing priviliged containers:
|
||||||
|
Loading…
Reference in New Issue
Block a user