mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-24 07:28:06 +00:00
Add [Manual test] to remediation in all the manual tests (#435)
This commit is contained in:
parent
37f626dce6
commit
89afda1f63
@ -462,8 +462,9 @@ groups:
|
||||
- id: 2.2.7
|
||||
text: "Ensure that the certificate authorities file permissions are set to
|
||||
644 or more restrictive (Scored)"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
scored: true
|
||||
|
@ -579,6 +579,7 @@ groups:
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
||||
choose aescbc as the encryption provider.
|
||||
For example,
|
||||
@ -1001,8 +1002,9 @@ groups:
|
||||
text: "Ensure that the Container Network Interface file permissions are
|
||||
set to 644 or more restrictive (Not Scored)"
|
||||
audit: "stat -c %a <path/to/cni/files>"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chmod 644 <path/to/cni/files>
|
||||
@ -1012,8 +1014,9 @@ groups:
|
||||
text: "Ensure that the Container Network Interface file ownership is set
|
||||
to root:root (Not Scored)"
|
||||
audit: "stat -c %U:%G <path/to/cni/files>"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chown root:root <path/to/cni/files>
|
||||
@ -1297,6 +1300,7 @@ groups:
|
||||
- flag: "--trusted-ca-file"
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the etcd documentation and create a dedicated certificate authority setup for the
|
||||
etcd service.
|
||||
Then, edit the etcd pod specification file $etcdconf on the
|
||||
@ -1311,6 +1315,7 @@ groups:
|
||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Remove any unneeded clusterrolebindings :
|
||||
kubectl delete clusterrolebinding [name]
|
||||
scored: false
|
||||
@ -1319,6 +1324,7 @@ groups:
|
||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create namespaces for objects in your deployment as you
|
||||
need them.
|
||||
scored: false
|
||||
@ -1327,6 +1333,7 @@ groups:
|
||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||
scored: false
|
||||
|
||||
@ -1335,6 +1342,7 @@ groups:
|
||||
definitions (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||
would need to enable alpha features in the apiserver by passing "--feature-
|
||||
gates=AllAlpha=true" argument.
|
||||
@ -1361,6 +1369,7 @@ groups:
|
||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||
Containers.
|
||||
@ -1370,6 +1379,7 @@ groups:
|
||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and setup image provenance.
|
||||
scored: false
|
||||
|
||||
@ -1377,6 +1387,7 @@ groups:
|
||||
text: "Configure Network policies as appropriate (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and setup network policies as appropriate.
|
||||
For example, you could create a "default" isolation policy for a Namespace by creating a
|
||||
NetworkPolicy that selects all pods but does not allow any traffic:
|
||||
@ -1393,6 +1404,7 @@ groups:
|
||||
privileged containers usage (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
|
||||
scored: false
|
||||
|
||||
@ -1403,6 +1415,7 @@ groups:
|
||||
text: "Do not admit privileged containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
|
||||
scored: false
|
||||
|
||||
@ -1410,6 +1423,7 @@ groups:
|
||||
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
|
||||
scored: false
|
||||
|
||||
@ -1417,6 +1431,7 @@ groups:
|
||||
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
|
||||
scored: false
|
||||
|
||||
@ -1424,6 +1439,7 @@ groups:
|
||||
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
|
||||
scored: false
|
||||
|
||||
@ -1431,6 +1447,7 @@ groups:
|
||||
text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
|
||||
scored: false
|
||||
|
||||
@ -1438,6 +1455,7 @@ groups:
|
||||
text: "Do not admit root containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
|
||||
scored: false
|
||||
|
||||
@ -1445,5 +1463,6 @@ groups:
|
||||
text: "Do not admit containers with dangerous capabilities (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
|
||||
scored: false
|
||||
|
@ -451,8 +451,9 @@ groups:
|
||||
- id: 2.2.7
|
||||
text: "Ensure that the certificate authorities file permissions are set to
|
||||
644 or more restrictive (Scored)"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
scored: true
|
||||
|
@ -231,7 +231,7 @@ groups:
|
||||
# To check if the property is set as expected, we need to parse the kubelet command
|
||||
# instead reading the Kubelet Configuration file.
|
||||
audit: "ps -fC $kubeletbin"
|
||||
type: skip
|
||||
type: "skip"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
@ -444,8 +444,9 @@ groups:
|
||||
- id: 2.2.7
|
||||
text: "Ensure that the certificate authorities file permissions are set to
|
||||
644 or more restrictive (Scored)"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
scored: true
|
||||
|
@ -188,7 +188,7 @@ groups:
|
||||
- id: 1.1.12
|
||||
text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
type: skip
|
||||
type: "skip"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--enable-admission-plugins"
|
||||
@ -571,6 +571,7 @@ groups:
|
||||
- flag: "--encryption-provider-config"
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and configure a EncryptionConfig file.
|
||||
Then, edit the API server pod specification file $apiserverconf on the
|
||||
master node and set the --encryption-provider-config parameter
|
||||
@ -583,6 +584,7 @@ groups:
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
||||
choose aescbc as the encryption provider.
|
||||
For example,
|
||||
@ -1003,8 +1005,9 @@ groups:
|
||||
text: "Ensure that the Container Network Interface file permissions are
|
||||
set to 644 or more restrictive (Not Scored)"
|
||||
audit: "stat -c %a <path/to/cni/files>"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chmod 644 <path/to/cni/files>
|
||||
@ -1014,8 +1017,9 @@ groups:
|
||||
text: "Ensure that the Container Network Interface file ownership is set
|
||||
to root:root (Not Scored)"
|
||||
audit: "stat -c %U:%G <path/to/cni/files>"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chown root:root <path/to/cni/files>
|
||||
@ -1194,6 +1198,7 @@ groups:
|
||||
value: "root root"
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chown -R root:root /etc/kubernetes/pki/
|
||||
scored: true
|
||||
@ -1221,6 +1226,7 @@ groups:
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
|
||||
scored: true
|
||||
@ -1237,6 +1243,7 @@ groups:
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 600 /etc/kubernetes/pki/*.key
|
||||
scored: true
|
||||
@ -1358,6 +1365,7 @@ groups:
|
||||
- flag: "--trusted-ca-file"
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the etcd documentation and create a dedicated certificate authority setup for the
|
||||
etcd service.
|
||||
Then, edit the etcd pod specification file $etcdconf on the
|
||||
@ -1372,6 +1380,7 @@ groups:
|
||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Remove any unneeded clusterrolebindings :
|
||||
kubectl delete clusterrolebinding [name]
|
||||
scored: false
|
||||
@ -1380,6 +1389,7 @@ groups:
|
||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create namespaces for objects in your deployment as you
|
||||
need them.
|
||||
scored: false
|
||||
@ -1388,6 +1398,7 @@ groups:
|
||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||
scored: false
|
||||
|
||||
@ -1396,6 +1407,7 @@ groups:
|
||||
definitions (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||
would need to enable alpha features in the apiserver by passing "--feature-
|
||||
gates=AllAlpha=true" argument.
|
||||
@ -1422,6 +1434,7 @@ groups:
|
||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||
Containers.
|
||||
@ -1431,6 +1444,7 @@ groups:
|
||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and setup image provenance.
|
||||
scored: false
|
||||
|
||||
@ -1438,6 +1452,7 @@ groups:
|
||||
text: "Configure Network policies as appropriate (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and setup network policies as appropriate.
|
||||
For example, you could create a "default" isolation policy for a Namespace by creating a
|
||||
NetworkPolicy that selects all pods but does not allow any traffic:
|
||||
@ -1454,6 +1469,7 @@ groups:
|
||||
privileged containers usage (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
|
||||
scored: false
|
||||
|
||||
@ -1464,6 +1480,7 @@ groups:
|
||||
text: "Do not admit privileged containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
|
||||
scored: false
|
||||
|
||||
@ -1471,6 +1488,7 @@ groups:
|
||||
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
|
||||
scored: false
|
||||
|
||||
@ -1478,6 +1496,7 @@ groups:
|
||||
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
|
||||
scored: false
|
||||
|
||||
@ -1485,6 +1504,7 @@ groups:
|
||||
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
|
||||
scored: false
|
||||
|
||||
@ -1492,6 +1512,7 @@ groups:
|
||||
text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
|
||||
scored: false
|
||||
|
||||
@ -1499,6 +1520,7 @@ groups:
|
||||
text: "Do not admit root containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
|
||||
scored: false
|
||||
|
||||
@ -1506,5 +1528,6 @@ groups:
|
||||
text: "Do not admit containers with dangerous capabilities (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
|
||||
scored: false
|
||||
|
@ -225,7 +225,7 @@ groups:
|
||||
- id: 2.1.11
|
||||
text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
type: skip
|
||||
type: "skip"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
@ -433,8 +433,9 @@ groups:
|
||||
- id: 2.2.7
|
||||
text: "Ensure that the certificate authorities file permissions are set to
|
||||
644 or more restrictive (Scored)"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
scored: true
|
||||
|
@ -909,58 +909,73 @@ groups:
|
||||
- id: 1.6.1
|
||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
|
||||
scored: false
|
||||
|
||||
- id: 1.6.2
|
||||
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
|
||||
suggested Pod Security Policies for your environment."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
|
||||
suggested Pod Security Policies for your environment.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.3
|
||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
|
||||
need them."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create namespaces for objects in your deployment as you need them.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.4
|
||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.5
|
||||
text: "Avoid using Kubernetes Secrets (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Use other mechanisms such as vaults to manage your cluster secrets."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Use other mechanisms such as vaults to manage your cluster secrets.
|
||||
scored: false
|
||||
|
||||
|
||||
- id: 1.6.6
|
||||
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||
would need to enable alpha features in the apiserver by passing \"--feature-
|
||||
gates=AllAlpha=true\" argument.\n
|
||||
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
|
||||
parameter to \"--feature-gates=AllAlpha=true\"
|
||||
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||
would need to enable alpha features in the apiserver by passing "--feature-
|
||||
gates=AllAlpha=true" argument.
|
||||
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
|
||||
parameter to "--feature-gates=AllAlpha=true"
|
||||
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
|
||||
scored: false
|
||||
|
||||
- id: 1.6.7
|
||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||
Containers."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||
Containers.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.8
|
||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the Kubernetes documentation and setup image provenance."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and setup image provenance.
|
||||
scored: false
|
||||
|
@ -484,8 +484,10 @@ groups:
|
||||
text: "Ensure that the encryption provider is set to aescbc (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
type: "manual"
|
||||
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
||||
choose aescbc as the encryption provider"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
||||
choose aescbc as the encryption provider
|
||||
scored: true
|
||||
|
||||
- id: 1.2
|
||||
@ -572,9 +574,11 @@ groups:
|
||||
- id: 1.3.6
|
||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
|
||||
\"--feature-gates=RotateKubeletServerCertificate=true\""
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Edit the /etc/kubernetes/controller-manager file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
|
||||
"--feature-gates=RotateKubeletServerCertificate=true"
|
||||
scored: false
|
||||
|
||||
- id: 1.3.7
|
||||
@ -971,58 +975,73 @@ groups:
|
||||
- id: 1.6.1
|
||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
|
||||
scored: false
|
||||
|
||||
- id: 1.6.2
|
||||
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
|
||||
suggested Pod Security Policies for your environment."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
|
||||
suggested Pod Security Policies for your environment.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.3
|
||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
|
||||
need them."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create namespaces for objects in your deployment as you need them.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.4
|
||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.5
|
||||
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||
would need to enable alpha features in the apiserver by passing \"--feature-
|
||||
gates=AllAlpha=true\" argument.\n
|
||||
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
|
||||
parameter to \"--feature-gates=AllAlpha=true\"
|
||||
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||
would need to enable alpha features in the apiserver by passing "--feature-
|
||||
gates=AllAlpha=true" argument.
|
||||
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
|
||||
parameter to "--feature-gates=AllAlpha=true"
|
||||
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
|
||||
scored: false
|
||||
|
||||
- id: 1.6.6
|
||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||
Containers."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||
Containers.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.7
|
||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the Kubernetes documentation and setup image provenance."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and setup image provenance.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.8
|
||||
text: "Configure Network policies as appropriate (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and setup network policies as appropriate.
|
||||
scored: false
|
||||
|
||||
|
@ -559,6 +559,7 @@ groups:
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
||||
choose aescbc as the encryption provider.
|
||||
For example,
|
||||
@ -597,6 +598,7 @@ groups:
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and set the desired audit policy in the
|
||||
/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf
|
||||
and set the below parameters.
|
||||
@ -608,6 +610,7 @@ groups:
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Edit the API server pod specification file $apiserverconf
|
||||
and set the below parameter as appropriate and if needed. For example,
|
||||
--request-timeout=300s
|
||||
@ -713,6 +716,7 @@ groups:
|
||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||
Containers.
|
||||
@ -922,8 +926,9 @@ groups:
|
||||
text: "Ensure that the Container Network Interface file permissions are
|
||||
set to 644 or more restrictive (Not Scored)"
|
||||
audit: "stat -c %a <path/to/cni/files>"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chmod 644 <path/to/cni/files>
|
||||
@ -933,8 +938,9 @@ groups:
|
||||
text: "Ensure that the Container Network Interface file ownership is set
|
||||
to root:root (Not Scored)"
|
||||
audit: "stat -c %U:%G <path/to/cni/files>"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chown root:root <path/to/cni/files>
|
||||
@ -1263,6 +1269,7 @@ groups:
|
||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Remove any unneeded clusterrolebindings :
|
||||
kubectl delete clusterrolebinding [name]
|
||||
scored: false
|
||||
@ -1271,6 +1278,7 @@ groups:
|
||||
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
|
||||
suggested Pod Security Policies for your environment.
|
||||
@ -1280,6 +1288,7 @@ groups:
|
||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create namespaces for objects in your deployment as you
|
||||
need them.
|
||||
scored: false
|
||||
@ -1288,6 +1297,7 @@ groups:
|
||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||
scored: false
|
||||
|
||||
@ -1296,6 +1306,7 @@ groups:
|
||||
definitions (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||
would need to enable alpha features in the apiserver by passing "--feature-
|
||||
gates=AllAlpha=true" argument.
|
||||
@ -1322,6 +1333,7 @@ groups:
|
||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||
Containers.
|
||||
@ -1331,6 +1343,7 @@ groups:
|
||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and setup image provenance.
|
||||
scored: false
|
||||
|
||||
@ -1338,6 +1351,7 @@ groups:
|
||||
text: "Configure Network policies as appropriate (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and setup network policies as appropriate.
|
||||
For example, you could create a "default" isolation policy for a Namespace by creating a
|
||||
NetworkPolicy that selects all pods but does not allow any traffic:
|
||||
@ -1354,5 +1368,6 @@ groups:
|
||||
privileged containers usage (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
|
||||
scored: false
|
||||
|
@ -423,8 +423,9 @@ groups:
|
||||
- id: 2.2.7
|
||||
text: "Ensure that the certificate authorities file permissions are set to
|
||||
644 or more restrictive (Scored)"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
scored: true
|
||||
|
@ -410,7 +410,7 @@ groups:
|
||||
|
||||
- id: 1.23
|
||||
text: "Verify that the service account lookup flag is not set"
|
||||
type: skip
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 1.24
|
||||
@ -675,8 +675,9 @@ groups:
|
||||
- id: 1.37
|
||||
text: "Adjust the request timeout argument for your cluster resources"
|
||||
audit: "grep request-timeout /etc/origin/master/master-config.yaml"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
change the request-timeout value in the /etc/origin/master/master-config.yaml
|
||||
scored: true
|
||||
|
||||
@ -1313,6 +1314,7 @@ groups:
|
||||
text: "Ensure that the cluster-admin role is only used where required"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Review users, groups, serviceaccounts bound to cluster-admin:
|
||||
oc get clusterrolebindings | grep cluster-admin
|
||||
|
||||
@ -1324,6 +1326,7 @@ groups:
|
||||
text: "Verify Security Context Constraints as in use"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Review Security Context Constraints:
|
||||
oc get scc
|
||||
|
||||
@ -1341,6 +1344,7 @@ groups:
|
||||
text: "Use OpenShift projects to maintain boundaries between resources"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Review projects:
|
||||
oc get projects
|
||||
scored: false
|
||||
@ -1349,6 +1353,7 @@ groups:
|
||||
text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Verify on masters the plugin being used:
|
||||
grep networkPluginName /etc/origin/master/master-config.yaml
|
||||
|
||||
@ -1372,6 +1377,7 @@ groups:
|
||||
text: "Enable seccomp and configure custom Security Context Constraints"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Verify SCCs that have been configured with seccomp:
|
||||
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
|
||||
|
||||
@ -1386,6 +1392,7 @@ groups:
|
||||
text: "Review Security Context Constraints"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Review SCCs:
|
||||
oc describe scc
|
||||
|
||||
@ -1410,6 +1417,7 @@ groups:
|
||||
text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
|
||||
scored: false
|
||||
|
||||
@ -1417,6 +1425,7 @@ groups:
|
||||
text: "Configure Network policies as appropriate"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
If ovs-networkplugin is used, review network policies:
|
||||
oc get networkpolicies
|
||||
|
||||
@ -1429,6 +1438,7 @@ groups:
|
||||
text: "Use Security Context Constraints as compensating controls for privileged containers"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
1) Determine all sccs allowing privileged containers:
|
||||
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
|
||||
2) Review users and groups assigned to sccs allowing priviliged containers:
|
||||
|
@ -410,7 +410,7 @@ groups:
|
||||
|
||||
- id: 1.23
|
||||
text: "Verify that the service account lookup flag is not set"
|
||||
type: skip
|
||||
type: "skip"
|
||||
scored: true
|
||||
|
||||
- id: 1.24
|
||||
@ -675,8 +675,9 @@ groups:
|
||||
- id: 1.37
|
||||
text: "Adjust the request timeout argument for your cluster resources"
|
||||
audit: "grep request-timeout /etc/origin/master/master-config.yaml"
|
||||
type: manual
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
change the request-timeout value in the /etc/origin/master/master-config.yaml
|
||||
scored: true
|
||||
|
||||
@ -1313,6 +1314,7 @@ groups:
|
||||
text: "Ensure that the cluster-admin role is only used where required"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Review users, groups, serviceaccounts bound to cluster-admin:
|
||||
oc get clusterrolebindings | grep cluster-admin
|
||||
|
||||
@ -1324,6 +1326,7 @@ groups:
|
||||
text: "Verify Security Context Constraints as in use"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Review Security Context Constraints:
|
||||
oc get scc
|
||||
|
||||
@ -1341,6 +1344,7 @@ groups:
|
||||
text: "Use OpenShift projects to maintain boundaries between resources"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Review projects:
|
||||
oc get projects
|
||||
scored: false
|
||||
@ -1349,6 +1353,7 @@ groups:
|
||||
text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Verify on masters the plugin being used:
|
||||
grep networkPluginName /etc/origin/master/master-config.yaml
|
||||
|
||||
@ -1372,6 +1377,7 @@ groups:
|
||||
text: "Enable seccomp and configure custom Security Context Constraints"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Verify SCCs that have been configured with seccomp:
|
||||
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
|
||||
|
||||
@ -1386,6 +1392,7 @@ groups:
|
||||
text: "Review Security Context Constraints"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Review SCCs:
|
||||
oc describe scc
|
||||
|
||||
@ -1410,6 +1417,7 @@ groups:
|
||||
text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
|
||||
scored: false
|
||||
|
||||
@ -1417,6 +1425,7 @@ groups:
|
||||
text: "Configure Network policies as appropriate"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
If ovs-networkplugin is used, review network policies:
|
||||
oc get networkpolicies
|
||||
|
||||
@ -1429,6 +1438,7 @@ groups:
|
||||
text: "Use Security Context Constraints as compensating controls for privileged containers"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
1) Determine all sccs allowing privileged containers:
|
||||
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
|
||||
2) Review users and groups assigned to sccs allowing priviliged containers:
|
||||
|
Loading…
Reference in New Issue
Block a user