diff --git a/cfg/1.8/federated.yaml b/cfg/1.8/federated.yaml index 0c27dc1..b324c50 100644 --- a/cfg/1.8/federated.yaml +++ b/cfg/1.8/federated.yaml @@ -1,6 +1,6 @@ --- controls: -version: 1.7 +version: 1.8 id: 3 text: "Federated Deployments" type: "federated" @@ -8,278 +8,320 @@ groups: - id: 3.1 text: "Federation API Server" checks: - - id: 3.1.1 - text: "Ensure that the --anonymous-auth argument is set to false (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--anonymous-auth" - compare: - op: eq - value: false - set: true - remediation: "Edit the deployment specs and set --anonymous-auth=false.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.1 + text: "Ensure that the --anonymous-auth argument is set to false (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--anonymous-auth" + compare: + op: eq + value: false + set: true + remediation: | + Edit the deployment specs and set --anonymous-auth=false . + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true - - id: 3.1.2 - text: "Ensure that the --basic-auth-file argument is not set (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--basic-auth-file" - set: false - remediation: "Follow the documentation and configure alternate mechanisms for authentication. - Then, edit the deployment specs and remove \"--basic-auth-file=\".\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true - - - id: 3.1.3 - text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--insecure-allow-any-token" - set: false - remediation: "Edit the deployment specs and remove --insecure-allow-any-token.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true - - - id: 3.1.4 - text: "Ensure that the --insecure-bind-address argument is not set (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--insecure-bind-address" - set: false - remediation: "Edit the deployment specs and remove --insecure-bind-address.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.2 + text: "Ensure that the --basic-auth-file argument is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--basic-auth-file" + set: false + remediation: | + Follow the documentation and configure alternate mechanisms for authentication. Then, + edit the deployment specs and remove "--basic-auth-file=" . + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true - - id: 3.1.5 - text: "Ensure that the --insecure-port argument is set to 0 (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--insecure-port" - compare: - op: eq - value: 0 - set: true - remediation: "Edit the deployment specs and set --insecure-port=0.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.3 + text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-allow-any-token" + set: false + remediation: | + Edit the deployment specs and remove --insecure-allow-any-token . + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true - - id: 3.1.6 - text: "Ensure that the --secure-port argument is not set to 0 (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - bin_op: or - test_items: - - flag: "--secure-port" - compare: - op: gt - value: 0 - set: true - - flag: "--secure-port" - set: false - remediation: "Edit the deployment specs and set the --secure-port argument to the desired port.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.4 + text: "Ensure that the --insecure-bind-address argument is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-bind-address" + set: false + remediation: | + Edit the deployment specs and remove --insecure-bind-address . + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true - - id: 3.1.7 - text: "Ensure that the --profiling argument is set to false (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--profiling" - compare: - op: eq - value: false - set: true - remediation: "Edit the deployment specs and set \"--profiling=false\".\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - score: true + - id: 3.1.5 + text: "Ensure that the --insecure-port argument is set to 0 (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--insecure-port" + compare: + op: eq + value: 0 + set: true + remediation: | + Edit the deployment specs and set --insecure-port=0 . + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true - - id: 3.1.8 - text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--admission-control" - compare: - op: nothave - value: AlwaysAdmit - set: true - remediation: "Edit the deployment specs and set --admission-control argument to a value that does - not include AlwaysAdmit.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.6 + text: "Ensure that the --secure-port argument is not set to 0 (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + bin_op: or + test_items: + - flag: "--secure-port" + compare: + op: gt + value: 0 + set: true + - flag: "--secure-port" + set: false + remediation: | + Edit the deployment specs and set the --secure-port argument to the desired port. + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true - - id: 3.1.9 - text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "admission-control" - compare: - op: has - value: "NamespaceLifecycle" - set: true - remediation: "Edit the deployment specs and set --admission-control argument to a value that includes NamespaceLifecycle.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.7 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: | + Edit the deployment specs and set "--profiling=false" : + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + score: true - - id: 3.1.10 - text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--audit-log-path" - set: true - remediation: "Edit the deployment specs and set --audit-log-path argument as appropriate.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true - - - id: 3.1.11 - text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--audit-log-maxage" - compare: - op: gte - value: 30 - set: true - remediation: "Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true - - - id: 3.1.12 - text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--audit-log-maxbackup" - compare: - op: gte - value: 10 - set: true - remediation: "Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.8 + text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--admission-control" + compare: + op: nothave + value: AlwaysAdmit + set: true + remediation: | + Edit the deployment specs and set --admission-control argument to a value that does not + include AlwaysAdmit . + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true - - id: 3.1.13 - text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--audit-log-maxsize" - compare: - op: gte - value: 100 - set: true - remediation: "Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.9 + text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "admission-control" + compare: + op: has + value: "NamespaceLifecycle" + set: true + remediation: | + Edit the deployment specs and set --admission-control argument to a value that includes + NamespaceLifecycle . + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true - - id: 3.1.14 - text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--authorization-mode" - compare: - op: nothave - value: "AlwaysAllow" - set: true - remediation: "Edit the deployment specs and set --authorization-mode argument to a value other than AlwaysAllow.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true - - - id: 3.1.15 - text: "Ensure that the --token-auth-file parameter is not set (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--token-auth-file" - set: false - remediation: "Follow the documentation and configure alternate mechanisms for authentication. - Then, edit the deployment specs and remove the --token-auth-file= argument.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true - - - id: 3.1.16 - text: "Ensure that the --service-account-lookup argument is set to true (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--service-account-lookup" - compare: - op: eq - value: true - set: true - remediation: "Edit the deployment specs and set \"--service-account-lookup=true\".\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.10 + text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-path" + set: true + remediation: "Edit the deployment specs and set --audit-log-path argument as appropriate.\n + kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" + scored: true - - id: 3.1.17 - text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - test_items: - - flag: "--service-account-key-file" - set: true - remediation: "Edit the deployment specs and set --service-account-key-file argument as appropriate.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.11 + text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxage" + compare: + op: gte + value: 30 + set: true + remediation: | + Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate. + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true + + - id: 3.1.12 + text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxbackup" + compare: + op: gte + value: 10 + set: true + remediation: | + Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate. + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true - - id: 3.1.18 - text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - bin_op: and - test_items: - - flag: "--etcd-certfile" - set: true - - flag: "--etcd-keyfile" - set: true - remediation: "Follow the Kubernetes documentation and set up the TLS connection between the - federation apiserver and etcd. Then, edit the deployment specs and set \"--etcd- - certfile=\" and \"--etcd- - keyfile=\" arguments.\n - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.13 + text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--audit-log-maxsize" + compare: + op: gte + value: 100 + set: true + remediation: | + Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate. + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true - - id: 3.1.19 - text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" - audit: "ps -ef | grep $fedapiserverbin | grep -v grep" - tests: - bin_op: and - test_items: - - flag: "--tls-cert-file" - set: true - - flag: "--tls-private-key-file" - set: true - remediation: "Follow the Kubernetes documentation and set up the TLS connection on the federation - apiserver. Then, edit the deployment specs and set \"--tls-cert-file=\" and \"--tls-private-key-file=\" : - kubectl edit deployments federation-apiserver-deployment --namespace=federation-system" - scored: true + - id: 3.1.14 + text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--authorization-mode" + compare: + op: nothave + value: "AlwaysAllow" + set: true + remediation: | + Edit the deployment specs and set --authorization-mode argument to a value other than + AlwaysAllow + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true + + - id: 3.1.15 + text: "Ensure that the --token-auth-file parameter is not set (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--token-auth-file" + set: false + remediation: | + Follow the documentation and configure alternate mechanisms for authentication. Then, + edit the deployment specs and remove the --token-auth-file= argument. + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true + + - id: 3.1.16 + text: "Ensure that the --service-account-lookup argument is set to true (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-lookup" + compare: + op: eq + value: true + set: true + remediation: | + Edit the deployment specs and set "--service-account-lookup=true" . + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true + + - id: 3.1.17 + text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + test_items: + - flag: "--service-account-key-file" + set: true + remediation: | + Edit the deployment specs and set --service-account-key-file argument as appropriate. + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true + + - id: 3.1.18 + text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as + appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--etcd-certfile" + set: true + - flag: "--etcd-keyfile" + set: true + remediation: | + Follow the Kubernetes documentation and set up the TLS connection between the + federation apiserver and etcd. Then, edit the deployment specs and set "--etcd- + certfile=" and "--etcd- + keyfile=" arguments. + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true + + - id: 3.1.19 + text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as + appropriate (Scored)" + audit: "ps -ef | grep $fedapiserverbin | grep -v grep" + tests: + bin_op: and + test_items: + - flag: "--tls-cert-file" + set: true + - flag: "--tls-private-key-file" + set: true + remediation: | + Follow the Kubernetes documentation and set up the TLS connection on the federation + apiserver. Then, edit the deployment specs and set "--tls-cert-file=" and "--tls-private-key-file=" : + kubectl edit deployments federation-apiserver-deployment -- + namespace=federation-system + scored: true - id: 3.2 text: "Federation Controller Manager" checks: - - id: 3.2.1 - text: "Ensure that the --profiling argument is set to false (Scored)" - audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep" - tests: - test_items: - - flag: "--profiling" - compare: - op: eq - value: false - set: true - remediation: "Edit the deployment specs and set \"--profiling=false\".\n - kubectl edit deployments federation-controller-manager-deployment --namespace=federation-system" - scored: true + - id: 3.2.1 + text: "Ensure that the --profiling argument is set to false (Scored)" + audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep" + tests: + test_items: + - flag: "--profiling" + compare: + op: eq + value: false + set: true + remediation: | + Edit the deployment specs and set "--profiling=false" : + kubectl edit deployments federation-controller-manager-deployment -- + namespace=federation-system + scored: true