From e70f50b2b5a1064b1a72460da7feb7cbf38d0d58 Mon Sep 17 00:00:00 2001
From: yoavrotems
Date: Tue, 16 Apr 2019 06:01:51 +0000
Subject: [PATCH 1/4] update files

---
 cfg/ocp-3.10/master.yaml | 2954 +++++++++++++++++++-------------------
 cfg/ocp-3.10/node.yaml | 752 +++++-----
 2 files changed, 1830 insertions(+), 1876 deletions(-)

diff --git a/cfg/ocp-3.10/master.yaml b/cfg/ocp-3.10/master.yaml
index 3cb07bf..4c44044 100644
--- a/cfg/ocp-3.10/master.yaml
+++ b/cfg/ocp-3.10/master.yaml
@@ -1,1500 +1,1454 @@ ---- -controls: -version: 1.6 -id: 1 -text: "Master Node Security Configuration" -type: "master" -groups: -- id: 1.1 - text: "API Server" - checks: - - id: 1.1.1 - text: "Ensure that the --anonymous-auth argument is set to false (Scored)" - type: "skip" - scored: true - - - id: 1.1.2 - text: "Ensure that the --basic-auth-file argument is not set (Scored)" - audit: "grep -A2 basic-auth-file /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "--basic-auth-file" - compare: - op: eq - value: "" - set: false - remediation: | - Edit the kubernetes master config file /etc/origin/master/master-config.yaml and - remove the basic-auth-file entry. - - kubernetesMasterConfig: -  apiServerArguments: -    basic-auth-file: -    - /path/to/any/file - scored: true - - - id: 1.1.3 - text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" - type: "skip" - scored: true - - - id: 1.1.4 - text: "Ensure that the --kubelet-https argument is set to true (Scored)" - audit: "grep -A4 kubeletClientInfo /etc/origin/master/master-config.yaml" - tests: - bin_op: and - test_items: - - flag: "kubeletClientInfo:" - compare: - op: eq - value: "kubeletClientInfo:" - set: true - - flag: "ca: ca-bundle.crt" - compare: - op: has - value: "ca-bundle.crt" - set: true - - flag: "certFile: master.kubelet-client.crt" - compare: - op: has - value: "master.kubelet-client.crt" - set: true - - flag: "keyFile: master.kubelet-client.key" - compare: - op: has - value: "master.kubelet-client.key" - set: true - - flag: "port: 10250" - compare: - op: eq - value: "port: 10250" - set: true - remediation: | - Edit the kubernetes master config file /etc/origin/master/master-config.yaml - and change it to match the below. 
- - kubeletClientInfo: -  ca: ca-bundle.crt -  certFile: master.kubelet-client.crt -  keyFile: master.kubelet-client.key -  port: 10250 - scored: true - - - id: 1.1.5 - text: "Ensure that the --insecure-bind-address argument is not set (Scored)" - audit: "grep -A2 insecure-bind-address /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "insecure-bind-address" - set: false - remediation: | - Edit the kubernetes master config file /etc/origin/master/master-config.yaml - and remove the insecure-bind-address entry. - - kubernetesMasterConfig: -  apiServerArguments: -    insecure-bind-address: -    - 127.0.0.1 - scored: true - - - id: 1.1.6 - text: "Ensure that the --insecure-port argument is set to 0 (Scored)" - audit: "grep -A2 insecure-port /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "insecure-port" - set: false - remediation: | - Edit the kubernetes master config file /etc/origin/master/master-config.yaml - and remove the insecure-port entry. - - kubernetesMasterConfig: -  apiServerArguments: -   insecure-port: -  - 0 - scored: true - - - id: 1.1.7 - text: "Ensure that the --secure-port argument is not set to 0 (Scored)" - audit: "grep -A2 secure-port /etc/origin/master/master-config.yaml" - tests: - bin_op: or - test_items: - - flag: "secure-port" - set: false - - flag: "secure-port" - compare: - op: nothave - value: "0" - set: true - remediation: | - Edit the kubernetes master config file /etc/origin/master/master-config.yaml - and either remove the secure-port parameter or set it to a different (non-zero) - desired port. 
- - kubernetesMasterConfig: -  apiServerArguments: -   secure-port: -  - 8443 - scored: true - - - id: 1.1.8 - text: "Ensure that the --profiling argument is set to false (Scored)" - type: "skip" - scored: true - - - id: 1.1.9 - text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" - audit: "grep -A2 repair-malformed-updates /etc/origin/master/master-config.yaml" - tests: - bin_op: or - test_items: - - flag: "repair-malformed-updates" - set: false - - flag: "repair-malformed-updates" - compare: - op: has - value: "true" - set: true - remediation: | - Edit the kubernetes master config file /etc/origin/master/master-config.yaml - and remove the repair-malformed-updates entry or set repair-malformed-updates=true. - scored: true - - - id: 1.1.10 - text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)" - audit: "grep -A4 AlwaysAdmit /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "AlwaysAdmit" - set: false - remediation: | - Edit the kubernetes master config file /etc/origin/master/master-config.yaml - and remove the the entry below. - - AlwaysAdmit: - configuration: - kind: DefaultAdmissionConfig - apiVersion: v1 - disable: false - scored: true - - - id: 1.1.11 - text: "Ensure that the admission control plugin AlwaysPullImages is set (Scored)" - audit: "grep -A4 AlwaysPullImages /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "disable: false" - compare: - op: has - value: "false" - set: true - remediation: | - Edit the kubernetes master config file /etc/origin/master/master-config.yaml - and add the the entry below. 
- - admissionConfig: - pluginConfig: - AlwaysPullImages: - configuration: - kind: DefaultAdmissionConfig - apiVersion: v1 - disable: false - scored: true - - - id: 1.1.12 - text: "Ensure that the admission control plugin DenyEscalatingExec is set (Scored)" - type: "skip" - scored: true - - - id: 1.1.13 - text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)" - type: "skip" - scored: true - - - id: 1.1.14 - text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)" - audit: "grep -A4 NamespaceLifecycle /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "NamespaceLifecycle" - set: false - remediation: | - Edit the kubernetes master config file /etc/origin/master/master-config.yaml - and remove the following entry. - - NamespaceLifecycle: - configuration: - kind: DefaultAdmissionConfig - apiVersion: v1 - disable: true - scored: true - - - id: 1.1.15 - text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" - audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "enabled: true" - compare: - op: has - value: "true" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the following entry and restart the API server. - - auditConfig: - auditFilePath: "/var/log/audit-ocp.log" - enabled: true - maximumFileRetentionDays: 10 - maximumFileSizeMegabytes: 100 - maximumRetainedFiles: 10 - - Make the same changes in the inventory/ansible variables so the changes are not - lost when an upgrade occurs. 
- scored: true - - - id: 1.1.16 - text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" - audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "maximumFileRetentionDays: 10" - compare: - op: has - value: "maximumFileRetentionDays" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml, - update the maximumFileRetentionDays entry and restart the API server. - - auditConfig: - auditFilePath: "/var/log/audit-ocp.log" - enabled: true - maximumFileRetentionDays: 10 - maximumFileSizeMegabytes: 100 - maximumRetainedFiles: 10 - - Make the same changes in the inventory/ansible variables so the changes are not - lost when an upgrade occurs. - scored: true - - - id: 1.1.17 - text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" - audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "maximumRetainedFiles: 10" - compare: - op: has - value: "maximumRetainedFiles" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumRetainedFiles entry, - set enabled to true and restart the API server. - - auditConfig: - auditFilePath: "/var/log/audit-ocp.log" - enabled: true - maximumFileRetentionDays: 10 - maximumFileSizeMegabytes: 100 - maximumRetainedFiles: 10 - - Make the same changes in the inventory/ansible variables so the changes are not - lost when an upgrade occurs. 
- scored: true - - - id: 1.1.18 - text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" - audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "maximumFileSizeMegabytes: 100" - compare: - op: has - value: "maximumFileSizeMegabytes" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumFileSizeMegabytes entry, - set enabled to true and restart the API server. - - auditConfig: - auditFilePath: "/var/log/audit-ocp.log" - enabled: true - maximumFileRetentionDays: 10 - maximumFileSizeMegabytes: 100 - maximumRetainedFiles: 10 - - Make the same changes in the inventory/ansible variables so the changes are not - lost when an upgrade occurs. - scored: true - - - id: 1.1.19 - text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" - audit: "grep -A1 authorization-mode /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "authorization-mode" - set: false - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the authorization-mode - entry. - - kubernetesMasterConfig: -  apiServerArguments: -    authorization-mode: -    - AllowAll - scored: true - - - id: 1.1.20 - text: "Ensure that the --token-auth-file parameter is not set (Scored)" - audit: "grep token-auth-file /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "token-auth-file" - set: false - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the token-auth-file - entry under apiserverArguments section. 
- - kubernetesMasterConfig: -  apiServerArguments: -    token-auth-file: -    - /path/to/file - scored: true - - - id: 1.1.21 - text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" - audit: "grep -A1 kubelet-certificate-authority /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "kubelet-certificate-authority" - set: false - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the following - configuration under apiserverArguments section. - - kubernetesMasterConfig: -  apiServerArguments: -    kubelet-certificat-authority: -    - /path/to/ca - scored: true - - - id: 1.1.22 - text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" - audit: "grep -A4 kubeletClientInfo /etc/origin/master/master-config.yaml" - tests: - bin_op: and - test_items: - - flag: "keyFile: master.kubelet-client.key" - compare: - op: has - value: "keyFile: master.kubelet-client.key" - set: true - - flag: "certFile: master.kubelet-client.crt" - compare: - op: has - value: "certFile: master.kubelet-client.crt" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following - configuration under kubeletClientInfo - - kubeletClientInfo: -  ca: ca-bundle.crt -  certFile: master.kubelet-client.crt -  keyFile: master.kubelet-client.key - port: 10250 - scored: true - - - id: 1.1.23 - text: "Ensure that the --service-account-lookup argument is set to true" - type: skip - scored: true - - - id: 1.1.24 - text: "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)" - type: "skip" - scored: true - - - id: 1.1.25 - text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" - audit: "grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml" - tests: - bin_op: and - test_items: - - flag: "privateKeyFile: 
serviceaccounts.private.key" - compare: - op: has - value: "privateKeyFile: serviceaccounts.private.key" - set: true - - flag: "serviceaccounts.public.key" - compare: - op: has - value: "serviceaccounts.public.key" - set: true - remediation: | - OpenShift API server does not use the service-account-key-file argument. - Even if value is set in master-config.yaml, it will not be used to verify - service account tokens, as it is in upstream Kubernetes. The ServiceAccount - token authenticator is configured with serviceAccountConfig.publicKeyFiles in - the master-config.yaml. OpenShift does not reuse the apiserver TLS key. - - Edit the Openshift master config file /etc/origin/master/master-config.yaml and set the privateKeyFile - and publicKeyFile configuration under serviceAccountConfig. - - serviceAccountConfig: -  limitSecretReferences: false -  managedNames: - - default -  - builder -  - deployer -  masterCA: ca-bundle.crt -   privateKeyFile: serviceaccounts.private.key -  publicKeyFiles: -  - serviceaccounts.public.key - - Verify that privateKeyFile and publicKeyFile exist and set. - scored: true - - - id: 1.1.26 - text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)" - audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml" - tests: - bin_op: and - test_items: - - flag: "certFile: master.etcd-client.crt" - compare: - op: has - value: "certFile: master.etcd-client.crt" - set: true - - flag: "keyFile: master.etcd-client.key" - compare: - op: has - value: "keyFile: master.etcd-client.key" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile - under etcdClientInfo like below. 
- - etcdClientInfo: -  ca: master.etcd-ca.crt - certFile: master.etcd-client.crt - keyFile: master.etcd-client.key - scored: true - - - id: 1.1.27 - text: "Ensure that the admission control plugin ServiceAccount is set (Scored)" - audit: "grep -A4 ServiceAccount /etc/origin/master/master-config.yaml" - tests: - bin_op: or - test_items: - - flag: "ServiceAccount" - set: false - - flag: "disable: false" - compare: - op: has - value: "disable: false" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount - admission control policy. - - ServiceAccount: - configuration: - kind: DefaultAdmissionConfig - apiVersion: v1 - disable: false - scored: true - - - id: 1.1.28 - text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" - audit: "grep -A7 servingInfo /etc/origin/master/master-config.yaml" - tests: - bin_op: and - test_items: - - flag: "certFile: master.server.crt" - compare: - op: has - value: "certFile: master.server.crt" - set: true - - flag: "keyFile: master.server.key" - compare: - op: has - value: "keyFile: master.server.key" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo. - - servingInfo: -  bindAddress: 0.0.0.0:8443 -   bindNetwork: tcp4 - certFile: master.server.crt - clientCA: ca.crt - keyFile: master.server.key - maxRequestsInFlight: 500 - requestTimeoutSeconds: 3600 - scored: true - - - id: 1.1.29 - text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" - audit: "grep -A7 servingInfo /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "clientCA: ca.crt" - compare: - op: has - value: "clientCA: ca.crt" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and set clientCA under servingInfo. 
- - servingInfo: -  bindAddress: 0.0.0.0:8443 -   bindNetwork: tcp4 - certFile: master.server.crt - clientCA: ca.crt - keyFile: master.server.key - maxRequestsInFlight: 500 - requestTimeoutSeconds: 3600 - scored: true - - - id: 1.1.30 - text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" - audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "ca: master.etcd-ca.crt" - compare: - op: has - value: "ca: master.etcd-ca.crt" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo. - - etcdClientInfo: -   ca: master.etcd-ca.crt - certFile: master.etcd-client.crt - keyFile: master.etcd-client.key - scored: true - - - id: 1.1.31 - text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" - type: "skip" - scored: true - - - id: 1.1.32 - text: "Ensure that the --authorization-mode argument is set to Node (Scored)" - audit: "grep -A4 NodeRestriction /etc/origin/master/master-config.yaml" - tests: - bin_op: or - test_items: - - flag: "NodeRestriction" - set: false - - flag: "disable: false" - compare: - op: has - value: "disable: false" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable NodeRestriction ca under etcdClientInfo. - - NodeRestriction: - configuration: - kind: DefaultAdmissionConfig - apiVersion: v1 - disable: false - scored: true - - - id: 1.1.33 - text: "Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)" - audit: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "experimental-encryption-provider-config:" - compare: - op: has - value: "experimental-encryption-provider-config:" - set: true - remediation: | - Follow the instructions in the documentation to configure encryption. 
- https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html - scored: true - - - id: 1.1.34 - text: "Ensure that the encryption provider is set to aescbc (Scored)" - audit: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs grep -A1 providers" - tests: - test_items: - - flag: "aescbc:" - compare: - op: has - value: "aescbc:" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config. - See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html. - scored: true - - - id: 1.1.35 - text: "Ensure that the admission control policy is set to EventRateLimit (Scored)" - audit: "grep -A4 EventRateLimit /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "disable: false" - compare: - op: has - value: "disable: false" - set: true - remediation: | - Follow the documentation to enable the EventRateLimit plugin. - https://docs.openshift.com/container-platform/3.10/architecture/additional_concepts/admission_controllers.html#admission-controllers-general-admission-rules - scored: true - - - id: 1.1.36 - text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)" - audit: "grep AdvancedAuditing /etc/origin/master/master-config.yaml" - tests: - bin_op: or - test_items: - - flag: "AdvancedAuditing" - compare: - op: eq - value: "true" - set: true - - flag: "AdvancedAuditing" - set: false - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable AdvancedAuditing, - - kubernetesMasterConfig: -  apiServerArguments: - feature-gates: - - AdvancedAuditing=true - scored: true - - # Review 1.1.37 in Aquasec shared doc, the tests are net zero. 
- - id: 1.1.37 - text: "Ensure that the --request-timeout argument is set as appropriate (Scored)" - audit: "grep request-timeout /etc/origin/master/master-config.yaml" - type: manual - remediation: | - change the request-timeout value in the  /etc/origin/master/master-config.yaml - scored: true - - -- id: 1.2 - text: "Scheduler" - checks: - - id: 1.2.1 - text: "Ensure that the --profiling argument is set to false (Scored)" - type: "skip" - scored: true - - -- id: 1.3 - text: "Controller Manager" - checks: - - id: 1.3.1 - text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" - audit: "grep terminated-pod-gc-threshold -A1 /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "true" - compare: - op: has - value: "true" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable terminated-pod-gc-threshold. - - kubernetesMasterConfig: -  controllerArguments: -     terminated-pod-gc-threshold: -    - true - - Enabling the "terminated-pod-gc-threshold" settings is optional. - scored: true - - - id: 1.3.2 - text: "Ensure that the --profiling argument is set to false (Scored)" - type: "skip" - scored: true - - - id: 1.3.3 - text: "Ensure that the --use-service-account-credentials argument is set to true (Scored)" - audit: "grep -A2 use-service-account-credentials /etc/origin/master/master-config.yaml" - tests: - bin_op: or - test_items: - - flag: "use-service-account-credentials" - set: false - - flag: "true" - compare: - op: has - value: "true" - set: true - remediation: | - Edit the Openshift master config file /etc/origin/master/master-config.yaml and set use-service-account-credentials - to true under controllerArguments section. 
- - kubernetesMasterConfig: -  controllerArguments: -     use-service-account-credentials: -     - true - scored: true - - # Review 1.3.4 - - id: 1.3.4 - text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" - audit: | - grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml | grep privateKeyFile; - grep -A2 service-account-private-key-file /etc/origin/master/master-config.yaml - tests: - bin_op: and - test_items: - - flag: "privateKeyFile: serviceaccounts.private.key" - compare: - op: has - value: "privateKeyFile" - - flag: "service-account-private-key-file" - set: false - remediation: - Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove service-account-private-key-file - scored: true - - # Review 1.3.5 - - id: 1.3.5 - text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" - audit: "/bin/sh -c 'grep root-ca-file /etc/origin/master/master-config.yaml; grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml'" - tests: - bin_op: and - test_items: - - flag: "root-ca-file=/etc/origin/master/ca-bundle.crt" - compare: - op: has - value: "/etc/origin/master/ca-bundle.crt" - set: true - test_items: - - flag: "masterCA: ca-bundle.crt" - compare: - op: has - value: "ca-bundle.crt" - set: true - remediation: - Reset to OpenShift defaults OpenShift starts kube-controller-manager with - root-ca-file=/etc/origin/master/ca-bundle.crt by default.  OpenShift Advanced - Installation creates this certificate authority and configuration without any - configuration required. 
- - https://docs.openshift.com/container-platform/3.10/admin_guide/service_accounts.html" - scored: true - - - id: 1.3.6 - text: "Apply Security Context to Your Pods and Containers (Not Scored)" - type: "skip" - scored: false - - - id: 1.3.7 - text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" - audit: "grep -B3 RotateKubeletServerCertificate=true /etc/origin/master/master-config.yaml" - tests: - test_items: - - flag: "RotateKubeletServerCertificate" - compare: - op: eq - value: "true" - set: true - remediation: - If you decide not to enable the RotateKubeletServerCertificate feature, - be sure to use the Ansible playbooks provided with the OpenShift installer to - automate re-deploying certificates. - scored: true - - -- id: 1.4 - text: "Configuration Files" - checks: - - id: 1.4.1 - text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "stat -c %a /etc/origin/node/pods/apiserver.yaml" - tests: - bin_op: or - test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - remediation: | - Run the below command. - - chmod 644 /etc/origin/node/pods/apiserver.yaml - scored: true - - - id: 1.4.2 - text: "Ensure that the API server pod specification file ownership is set to root:root (Scored)" - audit: "stat -c %U:%G /etc/origin/node/pods/apiserver.yaml" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: "root:root" - set: true - remediation: | - Run the below command on the master node. 
- - chown root:root /etc/origin/node/pods/apiserver.yaml - scored: true - - - id: 1.4.3 - text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "stat -c %a /etc/origin/node/pods/controller.yaml" - tests: - bin_op: or - test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - remediation: | - Run the below command on the master node. - - chmod 644 /etc/origin/node/pods/controllermanager.yaml - scored: true - - - id: 1.4.4 - text: "Ensure that the controller manager pod specification file ownership is set to root:root (Scored)" - audit: "stat -c %U:%G /etc/origin/node/pods/controller.yaml" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: "root:root" - set: true - remediation: | - Run the below command on the master node. - - chown root:root /etc/origin/node/pods/controllermanager.yaml - scored: true - - - id: 1.4.5 - text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "stat -c %a /etc/origin/node/pods/apiserver.yaml" - tests: - bin_op: or - test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - remediation: | - Run the below command. - - chmod 644 /etc/origin/node/pods/apiserver.yaml - scored: true - - - id: 1.4.6 - text: "Ensure that the scheduler pod specification file ownership is set to root:root (Scored)" - audit: "stat -c %U:%G /etc/origin/node/pods/apiserver.yaml" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: "root:root" - set: true - remediation: | - Run the below command on the master node. 
- - chown root:root /etc/origin/node/pods/apiserver.yaml - scored: true - - - id: 1.4.7 - text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "stat -c %a /etc/origin/node/pods/etcd.yaml" - tests: - bin_op: or - test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - remediation: | - Run the below command. - - chmod 644 /etc/origin/node/pods/etcd.yaml - scored: true - - - id: 1.4.8 - text: "Ensure that the etcd pod specification file ownership is set to root:root (Scored)" - audit: "stat -c %U:%G /etc/origin/node/pods/etcd.yaml" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: "root:root" - set: true - remediation: | - Run the below command on the master node. - - chown root:root /etc/origin/node/pods/etcd.yaml - scored: true - - - id: 1.4.9 - text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Scored)" - audit: "stat -c %a /etc/origin/openvswitch/" - tests: - bin_op: or - test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - remediation: | - Run the below command. - - chmod 644 /etc/origin/openvswitch/ - scored: true - - - id: 1.4.10 - text: "Ensure that the Container Network Interface file ownership is set to root:root (Scored)" - audit: "stat -c %U:%G /etc/origin/openvswitch/" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: "root:root" - set: true - remediation: | - Run the below command on the master node. 
- - chown root:root /etc/origin/openvswitch/ - scored: true - - - id: 1.4.11 - text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive(Scored)" - audit: "stat -c %a /var/lib/etcd" - tests: - test_items: - - flag: "700" - compare: - op: eq - value: "700" - set: true - remediation: | - On the etcd server node, get the etcd data directory, passed as an argument --data-dir , - from the below command: - ps -ef | grep etcd - Run the below command (based on the etcd data directory found above). For example, - chmod 700 /var/lib/etcd - scored: true - - - id: 1.4.12 - text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" - audit: "stat -c %U:%G /var/lib/etcd" - tests: - test_items: - - flag: "etcd:etcd" - compare: - op: eq - value: "etcd:etcd" - set: true - remediation: | - Run the below command on the master node. - - chown etcd:etcd /var/lib/etcd - scored: true - - - id: 1.4.13 - text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "stat -c %a /etc/origin/master/admin.kubeconfig" - tests: - bin_op: or - test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - remediation: | - Run the below command. - - chmod 644 /etc/origin/master/admin.kubeconfig" - scored: true - - - id: 1.4.14 - text: "Ensure that the admin.conf file ownership is set to root:root (Scored)" - audit: "stat -c %U:%G /etc/origin/master/admin.kubeconfig" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: "root:root" - set: true - remediation: | - Run the below command on the master node. 
- - chown root:root /etc/origin/master/admin.kubeconfig - scored: true - - - id: 1.4.15 - text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig" - tests: - bin_op: or - test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - remediation: | - Run the below command. - - chmod 644 /etc/origin/master/openshift-master.kubeconfig - scored: true - - - id: 1.4.16 - text: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)" - audit: "stat -c %U:%G /etc/origin/master/openshift-master.kubeconfig" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: "root:root" - set: true - remediation: | - Run the below command on the master node. - - chown root:root /etc/origin/master/openshift-master.kubeconfig - scored: true - - - id: 1.4.17 - text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)" - audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig" - tests: - bin_op: or - test_items: - - flag: "644" - compare: - op: eq - value: "644" - set: true - - flag: "640" - compare: - op: eq - value: "640" - set: true - - flag: "600" - compare: - op: eq - value: "600" - set: true - remediation: | - Run the below command. - - chmod 644 /etc/origin/master/openshift-master.kubeconfig - scored: true - - - id: 1.4.18 - text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)" - audit: "stat -c %U:%G /etc/origin/master/openshift-master.kubeconfig" - tests: - test_items: - - flag: "root:root" - compare: - op: eq - value: "root:root" - set: true - remediation: | - Run the below command on the master node. 
- - chown root:root /etc/origin/master/openshift-master.kubeconfig - scored: true - - -- id: 1.5 - text: "Etcd" - checks: - - id: 1.5.1 - text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" - audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_CERT_FILE=/etc/etcd/server.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep etcd_key_file=/etc/etcd/server.key /proc/1/environ; grep ETCD_CERT_FILE=/etc/etcd/server.crt /etc/etcd/etcd.conf; grep ETCD_KEY_FILE=/etc/etcd/server.key /etc/etcd/etcd.conf'" - tests: - bin_op: and - test_items: - - flag: "Binary file /proc/1/environ matches" - compare: - op: has - value: "Binary file /proc/1/environ matches" - set: true - - flag: "ETCD_CERT_FILE=/etc/etcd/server.crt" - compare: - op: has - value: "ETCD_CERT_FILE=/etc/etcd/server.crt" - set: true - - flag: "ETCD_KEY_FILE=/etc/etcd/server.key" - compare: - op: has - value: "ETCD_KEY_FILE=/etc/etcd/server.key" - set: true - remediation: | - Reset to the OpenShift default configuration. - scored: true - - - id: 1.5.2 - text: "Ensure that the --client-cert-auth argument is set to true (Scored)" - audit: "/bin/sh -c'/usr/local/bin/master-exec etcd etcd grep ETCD_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'" - tests: - bin_op: and - test_items: - - flag: "Binary file /proc/1/environ matches" - compare: - op: has - value: "Binary file /proc/1/environ matches" - set: true - - flag: "ETCD_CLIENT_CERT_AUTH=true" - compare: - op: has - value: "ETCD_CLIENT_CERT_AUTH=true" - set: true - remediation: | - Reset to the OpenShift default configuration. 
- scored: true - - - id: 1.5.3 - text: "Ensure that the --auto-tls argument is not set to true (Scored)" - audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_AUTO_TLS /proc/1/environ; grep ETCD_AUTO_TLS /etc/etcd/etcd.conf'" - tests: - bin_op: or - test_items: - - flag: "ETCD_AUTO_TLS=false" - compare: - op: has - value: "ETCD_AUTO_TLS=false" - set: true - - flag: "#ETCD_AUTO_TLS" - compare: - op: has - value: "#ETCD_AUTO_TLS" - set: true - remediation: | - Reset to the OpenShift default configuration. - scored: true - - - id: 1.5.4 - text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" - audit: "/bin/sh -c'/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep ETCD_PEER_KEY_FILE=/etc/etcd/peer.key /proc/1/environ; grep ETCD_PEER_CERT_FILE /etc/etcd/etcd.conf; grep ETCD_PEER_KEY_FILE /etc/etcd/etcd.conf'" - tests: - bin_op: and - test_items: - - flag: "Binary file /proc/1/environ matches" - compare: - op: has - value: "Binary file /proc/1/environ matches" - set: true - - flag: "ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt" - compare: - op: has - value: "ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt" - set: true - - flag: "ETCD_PEER_KEY_FILE=/etc/etcd/peer.key" - compare: - op: has - value: "ETCD_PEER_KEY_FILE=/etc/etcd/peer.key" - set: true - remediation: | - Reset to the OpenShift default configuration. 
- scored: true - - - id: 1.5.5 - text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" - audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_PEER_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'" - tests: - bin_op: and - test_items: - - flag: "Binary file /proc/1/environ matches" - compare: - op: has - value: "Binary file /proc/1/environ matches" - set: true - - flag: "ETCD_PEER_CLIENT_CERT_AUTH=true" - compare: - op: has - value: "ETCD_PEER_CLIENT_CERT_AUTH=true" - set: true - remediation: | - Reset to the OpenShift default configuration. - scored: true - - - id: 1.5.6 - text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" - audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_AUTO_TLS /proc/1/environ; grep ETCD_PEER_AUTO_TLS /etc/etcd/etcd.conf'" - tests: - bin_op: and - test_items: - - flag: "Binary file /proc/1/environ matches" - compare: - op: has - value: "Binary file /proc/1/environ matches" - set: true - - flag: "#ETCD_PEER_AUTO_TLS=false" - compare: - op: has - value: "#ETCD_PEER_AUTO_TLS=false" - set: true - remediation: | - Reset to the OpenShift default configuration. - scored: true - - - id: 1.5.7 - text: "Ensure that the --wal-dir argument is set as appropriate Scored)" - type: "skip" - scored: true - - - id: 1.5.8 - text: "Ensure that the --max-wals argument is set to 0 (Scored)" - type: "skip" - scored: true - - - id: 1.5.9 - text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" - audit: "openssl x509 -in /etc/origin/master/master.etcd-ca.crt -subject -issuer -noout | sed 's/@/ /'" - tests: - test_items: - - flag: "issuer= /CN=etcd-signer" - compare: - op: has - value: "issuer= /CN=etcd-signer" - set: true - remediation: | - Reset to the OpenShift default configuration. 
- scored: false - - -- id: 1.6 - text: "General Security Primitives" - checks: - - id: 1.6.1 - text: "Ensure that the cluster-admin role is only used where required (Not Scored)" - type: "manual" - remediation: | - Review users, groups, serviceaccounts bound to cluster-admin: - oc get clusterrolebindings | grep cluster-admin - - Review users and groups bound to cluster-admin and decide whether they require - such access. Consider creating least-privilege roles for users and service accounts - scored: false - - - id: 1.6.2 - text: "Create Pod Security Policies for your cluster (Not Scored)" - type: "manual" - remediation: | - Review Security Context Constraints: - oc get scc - - Use OpenShift's Security Context Constraint feature, which has been contributed - to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10. - OpenShift ships with two SCCs: restricted and privileged. - - The two default SCCs will be created when the master is started. The restricted - SCC is granted to all authenticated users by default. - - https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html" - scored: false - - - id: 1.6.3 - text: "Create administrative boundaries between resources using namespaces (Not Scored)" - type: "manual" - remediation: | - Review projects: - oc get projects - scored: false - - - id: 1.6.4 - text: "Create network segmentation using Network Policies (Not Scored)" - type: "manual" - remediation: | - Verify on masters the plugin being used: - grep networkPluginName /etc/origin/master/master-config.yaml - - OpenShift provides multi-tenant networking isolation (using Open vSwich and - vXLAN), to segregate network traffic between containers belonging to different - tenants (users or applications) while running on a shared cluster. Red Hat also - works with 3rd-party SDN vendors to provide the same level of capabilities - integrated with OpenShift. OpenShift SDN is included a part of OpenShift - subscription. 
- - OpenShift supports Kubernetes NetworkPolicy. Administrator must configure - NetworkPolicies if desired. - - https://docs.openshift.com/container-platform/3.10/architecture/networking/sdn.html#architecture-additional-concepts-sdn - - Ansible Inventory variable: os_sdn_network_plugin_name: - https://docs.openshift.com/container-platform/3.10/install/configuring_inventory_file.html - scored: false - - - id: 1.6.5 - text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" - type: "manual" - remediation: | - Verify SCCs that have been configured with seccomp: - oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles - - OpenShift does not enable seccomp by default. To configure seccomp profiles that - are applied to pods run by the SCC, follow the instructions in the - documentation: - - https://docs.openshift.com/container-platform/3.9/admin_guide/seccomp.html#admin-guide-seccomp - scored: false - - - id: 1.6.6 - text: "Apply Security Context to Your Pods and Containers (Not Scored)" - type: "manual" - remediation: | - Review SCCs: - oc describe scc - - Use OpenShift's Security Context Constraint feature, which has been contributed - to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10. - - OpenShift ships with two SCCs: restricted and privileged. The two default SCCs - will be created when the master is started. The restricted SCC is granted to - all authenticated users by default. - - All pods are run under the restricted SCC by default. Running a pod under any - other SCC requires an account with cluster admin capabilities to grant access - for the service account. - - SecurityContextConstraints limit what securityContext is applied to pods and - containers. 
- - https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html - scored: false - - - id: 1.6.7 - text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" - type: "manual" - remediation: | - Review imagePolicyConfig in /etc/origin/master/master-config.yaml. - scored: false - - - id: 1.6.8 - text: "Configure Network policies as appropriate (Not Scored)" - type: "manual" - remediation: | - If ovs-networkplugin is used, review network policies: - oc get networkpolicies - - OpenShift supports Kubernetes NetworkPolicy via ovs-networkpolicy plugin. - If choosing ovs-multitenant plugin, each namespace is isolated in its own - netnamespace by default. - scored: false - - - id: 1.6.9 - text: "Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)" - type: "manual" - remediation: | - 1) Determine all sccs allowing privileged containers: - oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer - 2) Review users and groups assigned to sccs allowing priviliged containers: - oc describe sccs - - Use OpenShift's Security Context Constraint feature, which has been contributed - to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10. - - OpenShift ships with two SCCs: restricted and privileged. The two default SCCs - will be created when the master is started. The restricted SCC is granted to all - authenticated users by default. - - Similar scenarios are documented in the SCC - documentation, which outlines granting SCC access to specific serviceaccounts. - Administrators may create least-restrictive SCCs based on individual container - needs. - - For example, if a container only requires running as the root user, the anyuid - SCC can be used, which will not expose additional access granted by running - privileged containers. 
- - https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html - scored: false +--- +controls: +version: 3.10 +id: 1 +text: "Securing the OpenShift Master" +type: "master" +groups: + +- id: 1 + text: "Protecting the API Server" + checks: + - id: 1.1 + text: "Maintain default behavior for anonymous access" + type: "skip" + scored: true + + - id: 1.2 + text: "Verify that the basic-auth-file method is not enabled" + audit: "grep -A2 basic-auth-file /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "--basic-auth-file" + compare: + op: eq + value: "" + set: false + remediation: | + Edit the kubernetes master config file /etc/origin/master/master-config.yaml and + remove the basic-auth-file entry. + + kubernetesMasterConfig: +  apiServerArguments: +    basic-auth-file: +    - /path/to/any/file + scored: true + + - id: 1.3 + text: "Insecure Tokens" + type: "skip" + scored: true + + - id: 1.4 + text: "Secure communications between the API server and master nodes" + audit: "grep -A4 kubeletClientInfo /etc/origin/master/master-config.yaml" + tests: + bin_op: and + test_items: + - flag: "kubeletClientInfo:" + compare: + op: eq + value: "kubeletClientInfo:" + set: true + - flag: "ca: ca-bundle.crt" + compare: + op: has + value: "ca-bundle.crt" + set: true + - flag: "certFile: master.kubelet-client.crt" + compare: + op: has + value: "master.kubelet-client.crt" + set: true + - flag: "keyFile: master.kubelet-client.key" + compare: + op: has + value: "master.kubelet-client.key" + set: true + - flag: "port: 10250" + compare: + op: eq + value: "port: 10250" + set: true + remediation: | + Edit the kubernetes master config file /etc/origin/master/master-config.yaml + and change it to match the below. 
+ + kubeletClientInfo: +  ca: ca-bundle.crt +  certFile: master.kubelet-client.crt +  keyFile: master.kubelet-client.key +  port: 10250 + scored: true + + - id: 1.5 + text: "Prevent insecure bindings" + audit: "grep -A2 insecure-bind-address /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "insecure-bind-address" + set: false + remediation: | + Edit the kubernetes master config file /etc/origin/master/master-config.yaml + and remove the insecure-bind-address entry. + + kubernetesMasterConfig: +  apiServerArguments: +    insecure-bind-address: +    - 127.0.0.1 + scored: true + + - id: 1.6 + text: "Prevent insecure port access" + audit: "grep -A2 insecure-port /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "insecure-port" + set: false + remediation: | + Edit the kubernetes master config file /etc/origin/master/master-config.yaml + and remove the insecure-port entry. + + kubernetesMasterConfig: +  apiServerArguments: +   insecure-port: +  - 0 + scored: true + + - id: 1.7 + text: "Use Secure Ports for API Server Traffic" + audit: "grep -A2 secure-port /etc/origin/master/master-config.yaml" + tests: + bin_op: or + test_items: + - flag: "secure-port" + set: false + - flag: "secure-port" + compare: + op: nothave + value: "0" + set: true + remediation: | + Edit the kubernetes master config file /etc/origin/master/master-config.yaml + and either remove the secure-port parameter or set it to a different (non-zero) + desired port. 
+ + kubernetesMasterConfig: +  apiServerArguments: +   secure-port: +  - 8443 + scored: true + + - id: 1.8 + text: "Do not expose API server profiling data" + type: "skip" + scored: true + + - id: 1.9 + text: "Verify repair-malformed-updates argument for API compatibility" + audit: "grep -A2 repair-malformed-updates /etc/origin/master/master-config.yaml" + tests: + bin_op: or + test_items: + - flag: "repair-malformed-updates" + set: false + - flag: "repair-malformed-updates" + compare: + op: has + value: "true" + set: true + remediation: | + Edit the kubernetes master config file /etc/origin/master/master-config.yaml + and remove the repair-malformed-updates entry or set repair-malformed-updates=true. + scored: true + + - id: 1.10 + text: "Verify that the AlwaysAdmit admission controller is disabled" + audit: "grep -A4 AlwaysAdmit /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "AlwaysAdmit" + set: false + remediation: | + Edit the kubernetes master config file /etc/origin/master/master-config.yaml + and remove the the entry below. + + AlwaysAdmit: + configuration: + kind: DefaultAdmissionConfig + apiVersion: v1 + disable: false + scored: true + + - id: 1.11 + text: "Manage the AlwaysPullImages admission controller" + audit: "grep -A4 AlwaysPullImages /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "disable: false" + compare: + op: has + value: "false" + set: true + remediation: | + Edit the kubernetes master config file /etc/origin/master/master-config.yaml + and add the the entry below. 
+ + admissionConfig: + pluginConfig: + AlwaysPullImages: + configuration: + kind: DefaultAdmissionConfig + apiVersion: v1 + disable: false + scored: true + + - id: 1.12 + text: "Use Security Context Constraints instead of DenyEscalatingExec admission" + type: "skip" + scored: true + + - id: 1.13 + text: "Use Security Context Constraints instead of the SecurityContextDeny admission controller" + type: "skip" + scored: true + + - id: 1.14 + text: "Manage the NamespaceLifecycle admission controller" + audit: "grep -A4 NamespaceLifecycle /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "NamespaceLifecycle" + set: false + remediation: | + Edit the kubernetes master config file /etc/origin/master/master-config.yaml + and remove the following entry. + + NamespaceLifecycle: + configuration: + kind: DefaultAdmissionConfig + apiVersion: v1 + disable: true + scored: true + + - id: 1.15 + text: "Configure API server auditing - audit log file path" + audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "enabled: true" + compare: + op: has + value: "true" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the following entry and restart the API server. + + auditConfig: + auditFilePath: ""/etc/origin/master/audit-ocp.log"" + enabled: true + maximumFileRetentionDays: 30 + maximumFileSizeMegabytes: 10 + maximumRetainedFiles: 10 + + Make the same changes in the inventory/ansible variables so the changes are not + lost when an upgrade occurs. 
+ scored: true + + - id: 1.16 + text: "Configure API server auditing - audit log retention" + audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "maximumFileRetentionDays: 30" + compare: + op: has + value: "maximumFileRetentionDays" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml, + update the maximumFileRetentionDays entry and restart the API server. + + auditConfig: + auditFilePath: ""/etc/origin/master/audit-ocp.log"" + enabled: true + maximumFileRetentionDays: 30 + maximumFileSizeMegabytes: 10 + maximumRetainedFiles: 10 + + Make the same changes in the inventory/ansible variables so the changes are not + lost when an upgrade occurs. + scored: true + + - id: 1.17 + text: "Configure API server auditing - audit log backup retention" + audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "maximumRetainedFiles: 10" + compare: + op: has + value: "maximumRetainedFiles" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumRetainedFiles entry, + set enabled to true and restart the API server. + + auditConfig: + auditFilePath: ""/etc/origin/master/audit-ocp.log"" + enabled: true + maximumFileRetentionDays: 30 + maximumFileSizeMegabytes: 10 + maximumRetainedFiles: 10 + + Make the same changes in the inventory/ansible variables so the changes are not + lost when an upgrade occurs. + scored: true + + - id: 1.18 + text: "Configure audit log file size" + audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "maximumFileSizeMegabytes: 30" + compare: + op: has + value: "maximumFileSizeMegabytes" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumFileSizeMegabytes entry, + set enabled to true and restart the API server. 
+ + auditConfig: + auditFilePath: ""/etc/origin/master/audit-ocp.log"" + enabled: true + maximumFileRetentionDays: 30 + maximumFileSizeMegabytes: 10 + maximumRetainedFiles: 10 + + Make the same changes in the inventory/ansible variables so the changes are not + lost when an upgrade occurs. + scored: true + + - id: 1.19 + text: "Verify that authorization-mode is not set to AlwaysAllow" + audit: "grep -A1 authorization-mode /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "authorization-mode" + set: false + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the authorization-mode + entry. + + kubernetesMasterConfig: +  apiServerArguments: +    authorization-mode: +    - AllowAll + scored: true + + - id: 1.20 + text: "Verify that the token-auth-file flag is not set" + audit: "grep token-auth-file /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "token-auth-file" + set: false + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the token-auth-file + entry under apiserverArguments section. + + kubernetesMasterConfig: +  apiServerArguments: +    token-auth-file: +    - /path/to/file + scored: true + + - id: 1.21 + text: "Verify the API server certificate authority" + audit: "grep -A1 kubelet-certificate-authority /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "kubelet-certificate-authority" + set: false + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the following + configuration under apiserverArguments section. 
+ + kubernetesMasterConfig: +  apiServerArguments: +    kubelet-certificat-authority: +    - /path/to/ca + scored: true + + - id: 1.22 + text: "Verify the API server client certificate and client key" + audit: "grep -A4 kubeletClientInfo /etc/origin/master/master-config.yaml" + tests: + bin_op: and + test_items: + - flag: "keyFile: master.kubelet-client.key" + compare: + op: has + value: "keyFile: master.kubelet-client.key" + set: true + - flag: "certFile: master.kubelet-client.crt" + compare: + op: has + value: "certFile: master.kubelet-client.crt" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following + configuration under kubeletClientInfo + + kubeletClientInfo: +  ca: ca-bundle.crt +  certFile: master.kubelet-client.crt +  keyFile: master.kubelet-client.key + port: 10250 + scored: true + + - id: 1.23 + text: "Verify that the service account lookup flag is not set" + type: skip + scored: true + + - id: 1.24 + text: "Verify the PodSecurityPolicy is disabled to ensure use of SecurityContextConstraints" + type: "skip" + scored: true + + - id: 1.25 + text: "Verify that the service account key file argument is not set" + audit: "grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml" + tests: + bin_op: and + test_items: + - flag: "privateKeyFile: serviceaccounts.private.key" + compare: + op: has + value: "privateKeyFile: serviceaccounts.private.key" + set: true + - flag: "serviceaccounts.public.key" + compare: + op: has + value: "serviceaccounts.public.key" + set: true + remediation: | + OpenShift API server does not use the service-account-key-file argument. + Even if value is set in master-config.yaml, it will not be used to verify + service account tokens, as it is in upstream Kubernetes. The ServiceAccount + token authenticator is configured with serviceAccountConfig.publicKeyFiles in + the master-config.yaml. OpenShift does not reuse the apiserver TLS key. 
+ + Edit the Openshift master config file /etc/origin/master/master-config.yaml and set the privateKeyFile + and publicKeyFile configuration under serviceAccountConfig. + + serviceAccountConfig: +  limitSecretReferences: false +  managedNames: + - default +  - builder +  - deployer +  masterCA: ca-bundle.crt +   privateKeyFile: serviceaccounts.private.key +  publicKeyFiles: +  - serviceaccounts.public.key + + Verify that privateKeyFile and publicKeyFile exist and set. + scored: true + + - id: 1.26 + text: "Verify the certificate and key used for communication with etcd" + audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml" + tests: + bin_op: and + test_items: + - flag: "certFile: master.etcd-client.crt" + compare: + op: has + value: "certFile: master.etcd-client.crt" + set: true + - flag: "keyFile: master.etcd-client.key" + compare: + op: has + value: "keyFile: master.etcd-client.key" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile + under etcdClientInfo like below. + + etcdClientInfo: +  ca: master.etcd-ca.crt + certFile: master.etcd-client.crt + keyFile: master.etcd-client.key + scored: true + + - id: 1.27 + text: "Verify that the ServiceAccount admission controller is enabled" + audit: "grep -A4 ServiceAccount /etc/origin/master/master-config.yaml" + tests: + bin_op: or + test_items: + - flag: "ServiceAccount" + set: false + - flag: "disable: false" + compare: + op: has + value: "disable: false" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount + admission control policy. 
+ + ServiceAccount: + configuration: + kind: DefaultAdmissionConfig + apiVersion: v1 + disable: false + scored: true + + - id: 1.28 + text: "Verify the certificate and key used to encrypt API server traffic" + audit: "grep -A7 servingInfo /etc/origin/master/master-config.yaml" + tests: + bin_op: and + test_items: + - flag: "certFile: master.server.crt" + compare: + op: has + value: "certFile: master.server.crt" + set: true + - flag: "keyFile: master.server.key" + compare: + op: has + value: "keyFile: master.server.key" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo. + + servingInfo: +  bindAddress: 0.0.0.0:8443 +   bindNetwork: tcp4 + certFile: master.server.crt + clientCA: ca.crt + keyFile: master.server.key + maxRequestsInFlight: 500 + requestTimeoutSeconds: 3600 + scored: true + + - id: 1.29 + text: "Verify that the --client-ca-file argument is not set" + audit: "grep client-ca-file /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "clientCA: ca.crt" + set: false + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and set clientCA under servingInfo. + + servingInfo: +  bindAddress: 0.0.0.0:8443 +   bindNetwork: tcp4 + certFile: master.server.crt + clientCA: ca.crt + keyFile: master.server.key + maxRequestsInFlight: 500 + requestTimeoutSeconds: 3600 + scored: true + + - id: 1.30 + text: "Verify the CA used for communication with etcd" + audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "ca: master.etcd-ca.crt" + compare: + op: has + value: "ca: master.etcd-ca.crt" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo. 
+ + etcdClientInfo: +   ca: master.etcd-ca.crt + certFile: master.etcd-client.crt + keyFile: master.etcd-client.key + scored: true + + - id: 1.31 + text: "Verify that the authorization-mode argument is not set" + type: "skip" + scored: true + + - id: 1.32 + text: "Verify that the NodeRestriction admission controller is enabled" + audit: "grep -A4 NodeRestriction /etc/origin/master/master-config.yaml" + tests: + bin_op: or + test_items: + - flag: "NodeRestriction" + set: false + - flag: "disable: false" + compare: + op: has + value: "disable: false" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable NodeRestriction ca under etcdClientInfo. + + NodeRestriction: + configuration: + kind: DefaultAdmissionConfig + apiVersion: v1 + disable: false + scored: true + + - id: 1.33 + text: "Configure encryption of data at rest in etcd datastore" + audit: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "experimental-encryption-provider-config:" + compare: + op: has + value: "experimental-encryption-provider-config:" + set: true + remediation: | + Follow the instructions in the documentation to configure encryption. + https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html + scored: true + + - id: 1.34 + text: "Set the encryption provider to aescbc for etcd data at rest" + audit: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs grep -A1 providers" + tests: + test_items: + - flag: "aescbc:" + compare: + op: has + value: "aescbc:" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config. + See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html. 
+ scored: true + + - id: 1.35 + text: "Enable the EventRateLimit plugin" + audit: "grep -A4 EventRateLimit /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "disable: false" + compare: + op: has + value: "disable: false" + set: true + remediation: | + Follow the documentation to enable the EventRateLimit plugin. + https://docs.openshift.com/container-platform/3.10/architecture/additional_concepts/admission_controllers.html#admission-controllers-general-admission-rules + scored: true + + - id: 1.36 + text: "Configure advanced auditing" + audit: "grep AdvancedAuditing /etc/origin/master/master-config.yaml" + tests: + bin_op: or + test_items: + - flag: "AdvancedAuditing" + compare: + op: eq + value: "true" + set: true + - flag: "AdvancedAuditing" + set: false + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable AdvancedAuditing, + + kubernetesMasterConfig: +  apiServerArguments: + feature-gates: + - AdvancedAuditing=true + scored: true + + # Review 1.1.37 in Aquasec shared doc, the tests are net zero. + - id: 1.37 + text: "Adjust the request timeout argument for your cluster resources" + audit: "grep request-timeout /etc/origin/master/master-config.yaml" + type: manual + remediation: | + change the request-timeout value in the  /etc/origin/master/master-config.yaml + scored: true + + +- id: 2 + text: "Scheduler" + checks: + - id: 2.1 + text: "Verify that Scheduler profiling is not exposed to the web" + type: "skip" + scored: true + + +- id: 3 + text: "Controller Manager" + checks: + - id: 3.1 + text: "Adjust the terminated-pod-gc-threshold argument as needed" + audit: "grep terminated-pod-gc-threshold -A1 /etc/origin/master/master-config.yaml" + tests: + test_items: + - flag: "terminated-pod-gc-threshold:" + compare: + op: has + value: "12500" + set: true + remediation: | + Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable terminated-pod-gc-threshold. 
+
+ kubernetesMasterConfig:
+  controllerArguments:
+     terminated-pod-gc-threshold:
+    - true
+
+ Enabling the "terminated-pod-gc-threshold" settings is optional.
+ scored: true
+
+ - id: 3.2
+ text: "Verify that Controller profiling is not exposed to the web"
+ type: "skip"
+ scored: true
+
+ - id: 3.3
+ text: "Verify that the --use-service-account-credentials argument is set to true"
+ audit: "grep -A2 use-service-account-credentials /etc/origin/master/master-config.yaml"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "use-service-account-credentials"
+ set: false
+ - flag: "true"
+ compare:
+ op: has
+ value: "true"
+ set: true
+ remediation: |
+ Edit the Openshift master config file /etc/origin/master/master-config.yaml and set use-service-account-credentials
+ to true under controllerArguments section.
+
+ kubernetesMasterConfig:
+  controllerArguments:
+     use-service-account-credentials:
+     - true
+ scored: true
+
+ # Review 3.4
+ - id: 3.4
+ text: "Verify that the --service-account-private-key-file argument is set as appropriate"
+ audit: |
+ grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml | grep privateKeyFile;
+ grep -A2 service-account-private-key-file /etc/origin/master/master-config.yaml
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "privateKeyFile: serviceaccounts.private.key"
+ compare:
+ op: has
+ value: "privateKeyFile"
+ - flag: "service-account-private-key-file"
+ set: false
+ remediation:
+ Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove service-account-private-key-file
+ scored: true
+
+ # Review 3.5
+ - id: 3.5
+ text: "Verify that the --root-ca-file argument is set as appropriate"
+ audit: "/bin/sh -c 'grep root-ca-file /etc/origin/master/master-config.yaml; grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml'"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "root-ca-file=/etc/origin/master/ca-bundle.crt"
+ compare:
+ op: has
+ value:
"/etc/origin/master/ca-bundle.crt"
+ set: true
+ test_items:
+ - flag: "masterCA: ca-bundle.crt"
+ compare:
+ op: has
+ value: "ca-bundle.crt"
+ set: true
+ remediation:
+ Reset to OpenShift defaults OpenShift starts kube-controller-manager with
+ root-ca-file=/etc/origin/master/ca-bundle.crt by default.  OpenShift Advanced
+ Installation creates this certificate authority and configuration without any
+ configuration required.
+
+ https://docs.openshift.com/container-platform/3.10/admin_guide/service_accounts.html"
+ scored: true
+
+ - id: 3.6
+ text: "Verify that Security Context Constraints are applied to Your Pods and Containers"
+ type: "skip"
+ scored: false
+
+ - id: 3.7
+ text: "Manage certificate rotation"
+ audit: "grep -B3 RotateKubeletServerCertificate=true /etc/origin/master/master-config.yaml"
+ tests:
+ test_items:
+ - flag: "RotateKubeletServerCertificate"
+ compare:
+ op: eq
+ value: "true"
+ set: true
+ remediation:
+ If you decide not to enable the RotateKubeletServerCertificate feature,
+ be sure to use the Ansible playbooks provided with the OpenShift installer to
+ automate re-deploying certificates.
+ scored: true
+
+
+- id: 4
+ text: "Configuration Files"
+ checks:
+ - id: 4.1
+ text: "Verify the OpenShift default permissions for the API server pod specification file"
+ audit: "stat -c %a /etc/origin/node/pods/apiserver.yaml"
+ tests:
+ test_items:
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: |
+ Run the below command.
+
+ chmod 600 /etc/origin/node/pods/apiserver.yaml
+ scored: true
+
+ - id: 4.2
+ text: "Verify the OpenShift default file ownership for the API server pod specification file"
+ audit: "stat -c %U:%G /etc/origin/node/pods/apiserver.yaml"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: |
+ Run the below command on the master node.
+
+ chown root:root /etc/origin/node/pods/apiserver.yaml
+ scored: true
+
+ - id: 4.3
+ text: "Verify the OpenShift default file permissions for the controller manager pod specification file"
+ audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
+ tests:
+ test_items:
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: |
+ Run the below command on the master node.
+
+ chmod 600 /etc/origin/node/pods/controller.yaml
+ scored: true
+
+ - id: 4.4
+ text: "Verify the OpenShift default ownership for the controller manager pod specification file"
+ audit: "stat -c %U:%G /etc/origin/node/pods/controller.yaml"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: |
+ Run the below command on the master node.
+
+ chown root:root /etc/origin/node/pods/controller.yaml
+ scored: true
+
+ - id: 4.5
+ text: "Verify the OpenShift default permissions for the scheduler pod specification file"
+ audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
+ tests:
+ test_items:
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: |
+ Run the below command.
+
+ chmod 600 stat -c %a /etc/origin/node/pods/controller.yaml
+ scored: true
+
+ - id: 4.6
+ text: "Verify the scheduler pod specification file ownership set by OpenShift"
+ audit: "stat -c %u:%g /etc/origin/node/pods/controller.yaml"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: |
+ Run the below command on the master node.
+
+ chown root:root /etc/origin/node/pods/controller.yaml
+ scored: true
+
+ - id: 4.7
+ text: "Verify the OpenShift default etcd pod specification file permissions"
+ audit: "stat -c %a /etc/origin/node/pods/etcd.yaml"
+ tests:
+ test_items:
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: |
+ Run the below command.
+
+ chmod 600 /etc/origin/node/pods/etcd.yaml
+ scored: true
+
+ - id: 4.8
+ text: "Verify the OpenShift default etcd pod specification file ownership"
+ audit: "stat -c %U:%G /etc/origin/node/pods/etcd.yaml"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: |
+ Run the below command on the master node.
+
+ chown root:root /etc/origin/node/pods/etcd.yaml
+ scored: true
+
+ - id: 4.9
+ text: "Verify the default OpenShift Container Network Interface file permissions"
+ audit: "stat -c %a /etc/origin/openvswitch/ /etc/cni/net.d/"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: |
+ Run the below command.
+
+ chmod 644 -R /etc/origin/openvswitch/ /etc/cni/net.d/
+ scored: true
+
+ - id: 4.10
+ text: "Verify the default OpenShift Container Network Interface file ownership"
+ audit: "stat -c %U:%G /etc/origin/openvswitch/ /etc/cni/net.d/"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: |
+ Run the below command on the master node.
+
+ chown root:root /etc/origin/openvswitch/ /etc/cni/net.d/
+ scored: true
+
+ - id: 4.11
+ text: "Verify the default OpenShift etcd data directory permissions"
+ audit: "stat -c %a /var/lib/etcd"
+ tests:
+ test_items:
+ - flag: "700"
+ compare:
+ op: eq
+ value: "700"
+ set: true
+ remediation: |
+ On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
+ from the below command:
+ ps -ef | grep etcd
+ Run the below command (based on the etcd data directory found above).
For example,
+ chmod 700 /var/lib/etcd
+ scored: true
+
+ - id: 4.12
+ text: "Verify the default OpenShift etcd data directory ownership"
+ audit: "stat -c %U:%G /var/lib/etcd"
+ tests:
+ test_items:
+ - flag: "etcd:etcd"
+ compare:
+ op: eq
+ value: "etcd:etcd"
+ set: true
+ remediation: |
+ Run the below command on the master node.
+
+ chown etcd:etcd /var/lib/etcd
+ scored: true
+
+ - id: 4.13
+ text: "Verify the default OpenShift admin.conf file permissions"
+ audit: "stat -c %a /etc/origin/master/admin.kubeconfig"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: |
+ Run the below command.
+
+ chmod 644 /etc/origin/master/admin.kubeconfig"
+ scored: true
+
+ - id: 4.14
+ text: "Verify the default OpenShift admin.conf file ownership"
+ audit: "stat -c %U:%G /etc/origin/master/admin.kubeconfig"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: |
+ Run the below command on the master node.
+
+ chown root:root /etc/origin/master/admin.kubeconfig
+ scored: true
+
+ - id: 4.15
+ text: "Verify the default OpenShift scheduler.conf file permissions"
+ audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: |
+ Run the below command.
+
+ chmod 644 /etc/origin/master/openshift-master.kubeconfig
+ scored: true
+
+ - id: 4.16
+ text: "Verify the default OpenShift scheduler.conf file ownership"
+ audit: "stat -c %U:%G /etc/origin/master/openshift-master.kubeconfig"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: |
+ Run the below command on the master node.
+
+ chown root:root /etc/origin/master/openshift-master.kubeconfig
+ scored: true
+
+ - id: 4.17
+ text: "Verify the default Openshift controller-manager.conf file permissions"
+ audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: |
+ Run the below command.
+
+ chmod 644 /etc/origin/master/openshift-master.kubeconfig
+ scored: true
+
+ - id: 4.18
+ text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
+ audit: "stat -c %U:%G /etc/origin/master/openshift-master.kubeconfig"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: |
+ Run the below command on the master node.
+
+ chown root:root /etc/origin/master/openshift-master.kubeconfig
+ scored: true
+
+
+- id: 5
+ text: "Etcd"
+ checks:
+ - id: 5.1
+ text: "Verify the default OpenShift cert-file and key-file configuration"
+ audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_CERT_FILE=/etc/etcd/server.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep etcd_key_file=/etc/etcd/server.key /proc/1/environ; grep ETCD_CERT_FILE=/etc/etcd/server.crt /etc/etcd/etcd.conf; grep ETCD_KEY_FILE=/etc/etcd/server.key /etc/etcd/etcd.conf'"
+ tests:
+ bin_op: and
+ test_items:
+ - : "Binary file /proc/1/environ matches"
+ compare:
+ op: has
+ value: "Binary file /proc/1/environ matches"
+ set: true
+ - flag: "ETCD_CERT_FILE=/etc/etcd/server.crt"
+ compare:
+ op: has
+ value: "ETCD_CERT_FILE=/etc/etcd/server.crt"
+ set: true
+ - flag: "ETCD_KEY_FILE=/etc/etcd/server.key"
+ compare:
+ op: has
+ value: "ETCD_KEY_FILE=/etc/etcd/server.key"
+ set: true
+ remediation: |
+ Reset to the OpenShift default configuration.
+ scored: true
+
+ - id: 5.2
+ text: "Verify the default OpenShift setting for the client-cert-auth argument"
+ audit: "/bin/sh -c'/usr/local/bin/master-exec etcd etcd grep ETCD_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "Binary file /proc/1/environ matches"
+ compare:
+ op: has
+ value: "Binary file /proc/1/environ matches"
+ set: true
+ - flag: "ETCD_CLIENT_CERT_AUTH=true"
+ compare:
+ op: has
+ value: "ETCD_CLIENT_CERT_AUTH=true"
+ set: true
+ remediation: |
+ Reset to the OpenShift default configuration.
+ scored: true
+
+ - id: 5.3
+ text: "Verify the OpenShift default values for etcd_auto_tls"
+ audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_AUTO_TLS /proc/1/environ; grep ETCD_AUTO_TLS /etc/etcd/etcd.conf'"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "ETCD_AUTO_TLS=false"
+ compare:
+ op: has
+ value: "ETCD_AUTO_TLS=false"
+ set: true
+ - flag: "#ETCD_AUTO_TLS"
+ compare:
+ op: has
+ value: "#ETCD_AUTO_TLS"
+ set: true
+ remediation: |
+ Reset to the OpenShift default configuration.
+ scored: true
+
+ - id: 5.4
+ text: "Verify the OpenShift default peer-cert-file and peer-key-file arguments for etcd"
+ audit: "/bin/sh -c'/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep ETCD_PEER_KEY_FILE=/etc/etcd/peer.key /proc/1/environ; grep ETCD_PEER_CERT_FILE /etc/etcd/etcd.conf; grep ETCD_PEER_KEY_FILE /etc/etcd/etcd.conf'"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "Binary file /proc/1/environ matches"
+ compare:
+ op: has
+ value: "Binary file /proc/1/environ matches"
+ set: true
+ - flag: "ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt"
+ compare:
+ op: has
+ value: "ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt"
+ set: true
+ - flag: "ETCD_PEER_KEY_FILE=/etc/etcd/peer.key"
+ compare:
+ op: has
+ value: "ETCD_PEER_KEY_FILE=/etc/etcd/peer.key"
+ set: true
+ remediation: |
+ Reset to the OpenShift default configuration.
+ scored: true
+
+ - id: 5.5
+ text: "Verify the OpenShift default configuration for the peer-client-cert-auth"
+ audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_PEER_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "Binary file /proc/1/environ matches"
+ compare:
+ op: has
+ value: "Binary file /proc/1/environ matches"
+ set: true
+ - flag: "ETCD_PEER_CLIENT_CERT_AUTH=true"
+ compare:
+ op: has
+ value: "ETCD_PEER_CLIENT_CERT_AUTH=true"
+ set: true
+ remediation: |
+ Reset to the OpenShift default configuration.
+ scored: true
+
+ - id: 5.6
+ text: "Verify the OpenShift default configuration for the peer-auto-tls argument"
+ audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_AUTO_TLS /proc/1/environ; grep ETCD_PEER_AUTO_TLS /etc/etcd/etcd.conf'"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "Binary file /proc/1/environ matches"
+ compare:
+ op: has
+ value: "Binary file /proc/1/environ matches"
+ set: true
+ - flag: "#ETCD_PEER_AUTO_TLS=false"
+ compare:
+ op: has
+ value: "#ETCD_PEER_AUTO_TLS=false"
+ set: true
+ remediation: |
+ Reset to the OpenShift default configuration.
+ scored: true
+
+ - id: 5.7
+ text: "Optionally modify the wal-dir argument"
+ type: "skip"
+ scored: true
+
+ - id: 5.8
+ text: "Optionally modify the max-wals argument"
+ type: "skip"
+ scored: true
+
+ - id: 5.9
+ text: "Verify the OpenShift default configuration for the etcd Certificate Authority"
+ audit: "openssl x509 -in /etc/origin/master/master.etcd-ca.crt -subject -issuer -noout | sed 's/@/ /'"
+ tests:
+ test_items:
+ - flag: "issuer= /CN=etcd-signer"
+ compare:
+ op: has
+ value: "issuer= /CN=etcd-signer"
+ set: true
+ remediation: |
+ Reset to the OpenShift default configuration.
+ scored: false
+
+
+- id: 6
+ text: "General Security Primitives"
+ checks:
+ - id: 6.1
+ text: "Ensure that the cluster-admin role is only used where required"
+ type: "manual"
+ remediation: |
+ Review users, groups, serviceaccounts bound to cluster-admin:
+ oc get clusterrolebindings | grep cluster-admin
+
+ Review users and groups bound to cluster-admin and decide whether they require
+ such access. Consider creating least-privilege roles for users and service accounts
+ scored: false
+
+ - id: 6.2
+ text: "Verify Security Context Constraints as in use"
+ type: "manual"
+ remediation: |
+ Review Security Context Constraints:
+ oc get scc
+
+ Use OpenShift's Security Context Constraint feature, which has been contributed
+ to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10.
+ OpenShift ships with two SCCs: restricted and privileged.
+
+ The two default SCCs will be created when the master is started. The restricted
+ SCC is granted to all authenticated users by default.
+
+ https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html"
+ scored: false
+
+ - id: 6.3
+ text: "Use OpenShift projects to maintain boundaries between resources"
+ type: "manual"
+ remediation: |
+ Review projects:
+ oc get projects
+ scored: false
+
+ - id: 6.4
+ text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
+ type: "manual"
+ remediation: |
+ Verify on masters the plugin being used:
+ grep networkPluginName /etc/origin/master/master-config.yaml
+
+ OpenShift provides multi-tenant networking isolation (using Open vSwich and
+ vXLAN), to segregate network traffic between containers belonging to different
+ tenants (users or applications) while running on a shared cluster. Red Hat also
+ works with 3rd-party SDN vendors to provide the same level of capabilities
+ integrated with OpenShift. OpenShift SDN is included a part of OpenShift
+ subscription.
+
+ OpenShift supports Kubernetes NetworkPolicy.
Administrator must configure
+ NetworkPolicies if desired.
+
+ https://docs.openshift.com/container-platform/3.10/architecture/networking/sdn.html#architecture-additional-concepts-sdn
+
+ Ansible Inventory variable: os_sdn_network_plugin_name:
+ https://docs.openshift.com/container-platform/3.10/install/configuring_inventory_file.html
+ scored: false
+
+ - id: 6.5
+ text: "Enable seccomp and configure custom Security Context Constraints"
+ type: "manual"
+ remediation: |
+ Verify SCCs that have been configured with seccomp:
+ oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
+
+ OpenShift does not enable seccomp by default. To configure seccomp profiles that
+ are applied to pods run by the SCC, follow the instructions in the
+ documentation:
+
+ https://docs.openshift.com/container-platform/3.9/admin_guide/seccomp.html#admin-guide-seccomp
+ scored: false
+
+ - id: 6.6
+ text: "Review Security Context Constraints"
+ type: "manual"
+ remediation: |
+ Review SCCs:
+ oc describe scc
+
+ Use OpenShift's Security Context Constraint feature, which has been contributed
+ to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10.
+
+ OpenShift ships with two SCCs: restricted and privileged. The two default SCCs
+ will be created when the master is started. The restricted SCC is granted to
+ all authenticated users by default.
+
+ All pods are run under the restricted SCC by default. Running a pod under any
+ other SCC requires an account with cluster admin capabilities to grant access
+ for the service account.
+
+ SecurityContextConstraints limit what securityContext is applied to pods and
+ containers.
+
+ https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html
+ scored: false
+
+ - id: 6.7
+ text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
+ type: "manual"
+ remediation: |
+ Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
+
+ scored: false
+
+ - id: 6.8
+ text: "Configure Network policies as appropriate"
+ type: "manual"
+ remediation: |
+ If ovs-networkplugin is used, review network policies:
+ oc get networkpolicies
+
+ OpenShift supports Kubernetes NetworkPolicy via ovs-networkpolicy plugin.
+ If choosing ovs-multitenant plugin, each namespace is isolated in its own
+ netnamespace by default.
+ scored: false
+
+ - id: 6.9
+ text: "Use Security Context Constraints as compensating controls for privileged containers"
+ type: "manual"
+ remediation: |
+ 1) Determine all sccs allowing privileged containers:
+ oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
+ 2) Review users and groups assigned to sccs allowing priviliged containers:
+ oc describe sccs
+
+ Use OpenShift's Security Context Constraint feature, which has been contributed
+ to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10.
+
+ OpenShift ships with two SCCs: restricted and privileged. The two default SCCs
+ will be created when the master is started. The restricted SCC is granted to all
+ authenticated users by default.
+
+ Similar scenarios are documented in the SCC
+ documentation, which outlines granting SCC access to specific serviceaccounts.
+ Administrators may create least-restrictive SCCs based on individual container
+ needs.
+
+ For example, if a container only requires running as the root user, the anyuid
+ SCC can be used, which will not expose additional access granted by running
+ privileged containers.
+
+ https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html
+ scored: false
diff --git a/cfg/ocp-3.10/node.yaml b/cfg/ocp-3.10/node.yaml
index c537cf4..1fbe549 100644
--- a/cfg/ocp-3.10/node.yaml
+++ b/cfg/ocp-3.10/node.yaml
@@ -1,376 +1,376 @@
----
-controls:
-id: 2
-text: "Worker Node Security Configuration"
-type: "node"
-groups:
-- id: 2.1
- text: "Kubelet"
- checks:
- - id: 2.1.1
- text: "Ensure that the --allow-privileged argument is set to false (Scored)"
- type: "skip"
- scored: true
-
- - id: 2.1.2
- text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
- type: "skip"
- scored: true
-
- - id: 2.1.3
- text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
- audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
- tests:
- bin_op: or
- test_items:
- - flag: "authorization-mode"
- set: false
- - flag: "authorization-mode: Webhook"
- compare:
- op: has
- value: "Webhook"
- set: true
- remediation: |
- Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
- kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
- scored: true
-
- - id: 2.1.4
- text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
- audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
- tests:
- test_items:
- - flag: "client-ca-file"
- set: false
- remediation: |
- Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
- grep -A1 client-ca-file /etc/origin/node/node-config.yaml
-
- Reset to the OpenShift default.
- See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
- The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
- scored: true
-
- - id: 2.1.5
- text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
- audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
- tests:
- bin_op: or
- test_items:
- - flag: "read-only-port"
- set: false
- - flag: "read-only-port: 0"
- compare:
- op: has
- value: "0"
- set: true
- remediation: |
- Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
- scored: true
-
- - id: 2.1.6
- text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
- audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
- tests:
- bin_op: or
- test_items:
- - flag: "streaming-connection-idle-timeout"
- set: false
- - flag: "0"
- set: false
- remediation: |
- Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
- value like the following in node-config.yaml.
-
- kubeletArguments:
-  streaming-connection-idle-timeout:
-    - "5m"
- scored: true
-
- - id: 2.1.7
- text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
- type: "skip"
- scored: true
-
- - id: 2.1.8
- text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
- audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
- tests:
- bin_op: or
- test_items:
- - flag: "make-iptables-util-chains"
- set: false
- - flag: "make-iptables-util-chains: true"
- compare:
- op: has
- value: "true"
- set: true
- remediation: |
- Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
- default value of true.
- scored: true
- - id: 2.1.9
- text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)"
- audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
- tests:
- test_items:
- - flag: "keep-terminated-pod-volumes: false"
- compare:
- op: has
- value: "false"
- set: true
- remediation: |
- Reset to the OpenShift defaults
- scored: true
-
- - id: 2.1.10
- text: "Ensure that the --hostname-override argument is not set (Scored)"
- type: "skip"
- scored: true
-
- - id: 2.1.11
- text: "Ensure that the --event-qps argument is set to 0 (Scored)"
- audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
- tests:
- bin_op: or
- test_items:
- - flag: "event-qps"
- set: false
- - flag: "event-qps: 0"
- compare:
- op: has
- value: "0"
- set: true
- remediation: |
- Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
- the kubeletArguments section of.
- scored: true
-
- - id: 2.1.12
- text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
- audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
- tests:
- test_items:
- - flag: "/etc/origin/node/certificates"
- compare:
- op: has
- value: "/etc/origin/node/certificates"
- set: true
- remediation: |
- Reset to the OpenShift default values.
- scored: true
-
- - id: 2.1.13
- text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
- audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
- tests:
- bin_op: or
- test_items:
- - flag: "cadvisor-port"
- set: false
- - flag: "cadvisor-port: 0"
- compare:
- op: has
- value: "0"
- set: true
- remediation: |
- Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
- if it is set in the kubeletArguments section.
- scored: true
-
- - id: 2.1.14
- text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)"
- audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
- tests:
- test_items:
- - flag: "RotateKubeletClientCertificate=true"
- compare:
- op: has
- value: "true"
- set: true
- remediation: |
- Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
- scored: true
-
- - id: 2.1.15
- text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
- audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
- test:
- test_items:
- - flag: "RotateKubeletServerCertificate=true"
- compare:
- op: has
- value: "true"
- set: true
- remediation: |
- Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
- scored: true
-
-
-- id: 2.2
- text: "Configuration Files"
- checks:
- - id: 2.2.1
- text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
- audit: "stat -c %a /etc/origin/node/node.kubeconfig"
- tests:
- bin_op: or
- test_items:
- - flag: "644"
- compare:
- op: eq
- value: "644"
- set: true
- - flag: "640"
- compare:
- op: eq
- value: "640"
- set: true
- - flag: "600"
- compare:
- op: eq
- value: "600"
- set: true
- remediation: |
- Run the below command on each worker node.
- chmod 644 /etc/origin/node/node.kubeconfig
- scored: true
-
- - id: 2.2.2
- text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
- audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
- tests:
- test_items:
- - flag: "root:root"
- compare:
- op: eq
- value: root:root
- set: true
- remediation: |
- Run the below command on each worker node.
- chown root:root /etc/origin/node/node.kubeconfig
- scored: true
-
- - id: 2.2.3
- text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
- audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
- tests:
- bin_op: or
- test_items:
- - flag: "644"
- compare:
- op: eq
- value: "644"
- set: true
- - flag: "640"
- compare:
- op: eq
- value: "640"
- set: true
- - flag: "600"
- compare:
- op: eq
- value: "600"
- set: true
- remediation: |
- Run the below command on each worker node.
- chmod 644 /etc/systemd/system/atomic-openshift-node.service
- scored: true
-
- - id: 2.2.4
- text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
- audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
- tests:
- test_items:
- - flag: "root:root"
- compare:
- op: eq
- value: root:root
- set: true
- remediation: |
- Run the below command on each worker node.
- chown root:root /etc/systemd/system/atomic-openshift-node.service
- scored: true
-
- - id: 2.2.5
- text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
- audit: "stat -c %a /etc/origin/node/node.kubeconfig"
- tests:
- bin_op: or
- test_items:
- - flag: "644"
- compare:
- op: eq
- value: "644"
- set: true
- - flag: "640"
- compare:
- op: eq
- value: "640"
- set: true
- - flag: "600"
- compare:
- op: eq
- value: "600"
- set: true
- remediation: |
- Run the below command on each worker node.
- chmod 644 /etc/origin/node/node.kubeconfig
- scored: true
-
- - id: 2.2.6
- text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
- audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
- tests:
- test_items:
- - flag: "root:root"
- compare:
- op: eq
- value: root:root
- set: true
- remediation: |
- Run the below command on each worker node.
- chown root:root /etc/origin/node/node.kubeconfig
- scored: true
-
- - id: 2.2.7
- text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
- audit: "stat -c %a /etc/origin/node/client-ca.crt"
- tests:
- bin_op: or
- test_items:
- - flag: "644"
- compare:
- op: eq
- value: "644"
- set: true
- - flag: "640"
- compare:
- op: eq
- value: "640"
- set: true
- - flag: "600"
- compare:
- op: eq
- value: "600"
- set: true
- remediation: |
- Run the below command on each worker node.
- chmod 644 /etc/origin/node/client-ca.crt
- scored: true
-
- - id: 2.2.8
- text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
- audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
- tests:
- test_items:
- - flag: "root:root"
- compare:
- op: eq
- value: root:root
- set: true
- remediation: |
- Run the below command on each worker node.
- chown root:root /etc/origin/node/client-ca.crt
- scored: true
+---
+controls:
+id: 2
+text: "Worker Node Security Configuration"
+type: "node"
+groups:
+- id: 7
+ text: "Kubelet"
+ checks:
+ - id: 7.1
+ text: "Use Security Context Constraints to manage privileged containers as needed"
+ type: "skip"
+ scored: true
+
+ - id: 7.2
+ text: "Ensure anonymous-auth is not disabled"
+ type: "skip"
+ scored: true
+
+ - id: 7.3
+ text: "Verify that the --authorization-mode argument is set to WebHook)"
+ audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "authorization-mode"
+ set: false
+ - flag: "authorization-mode: Webhook"
+ compare:
+ op: has
+ value: "Webhook"
+ set: true
+ remediation: |
+ Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
+ kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
+ scored: true
+
+ - id: 7.4
+ text: "Verify the OpenShift default for the client-ca-file argument"
+ audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
+ tests:
+ test_items:
+ - flag: "client-ca-file"
+ set: false
+ remediation: |
+ Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
+ grep -A1 client-ca-file /etc/origin/node/node-config.yaml
+
+ Reset to the OpenShift default.
+ See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
+ The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
+ scored: true
+
+ - id: 7.5
+ text: "Verify the OpenShift default setting for the read-only-port argumen"
+ audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "read-only-port"
+ set: false
+ - flag: "read-only-port: 0"
+ compare:
+ op: has
+ value: "0"
+ set: true
+ remediation: |
+ Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
+ scored: true
+
+ - id: 7.6
+ text: "Adjust the streaming-connection-idle-timeout argument"
+ audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "streaming-connection-idle-timeout"
+ set: false
+ - flag: "5m"
+ set: false
+ remediation: |
+ Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
+ value like the following in node-config.yaml.
+
+ kubeletArguments:
+  streaming-connection-idle-timeout:
+    - "5m"
+ scored: true
+
+ - id: 7.7
+ text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
+ type: "skip"
+ scored: true
+
+ - id: 7.8
+ text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
+ audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "make-iptables-util-chains"
+ set: false
+ - flag: "make-iptables-util-chains: true"
+ compare:
+ op: has
+ value: "true"
+ set: true
+ remediation: |
+ Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
+ default value of true.
+ scored: true
+
+ - id: 7.9
+ text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
+ audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
+ tests:
+ test_items:
+ - flag: "keep-terminated-pod-volumes: false"
+ compare:
+ op: has
+ value: "false"
+ set: true
+ remediation: |
+ Reset to the OpenShift defaults
+ scored: true
+
+ - id: 7.10
+ text: "Verify the OpenShift defaults for the hostname-override argument"
+ type: "skip"
+ scored: true
+
+ - id: 7.11
+ text: "Set the --event-qps argument to 0"
+ audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "event-qps"
+ set: false
+ - flag: "event-qps: 0"
+ compare:
+ op: has
+ value: "0"
+ set: true
+ remediation: |
+ Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
+ the kubeletArguments section of.
+ scored: true + + - id: 7.12 + text: "Verify the OpenShift cert-dir flag for HTTPS traffic" + audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml" + tests: + test_items: + - flag: "/etc/origin/node/certificates" + compare: + op: has + value: "/etc/origin/node/certificates" + set: true + remediation: | + Reset to the OpenShift default values. + scored: true + + - id: 7.13 + text: "Verify the OpenShift default of 0 for the cadvisor-port argument" + audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml" + tests: + bin_op: or + test_items: + - flag: "cadvisor-port" + set: false + - flag: "cadvisor-port: 0" + compare: + op: has + value: "0" + set: true + remediation: | + Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag + if it is set in the kubeletArguments section. + scored: true + + - id: 7.14 + text: "Verify that the RotateKubeletClientCertificate argument is set to true" + audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml" + tests: + test_items: + - flag: "RotateKubeletClientCertificate=true" + compare: + op: has + value: "true" + set: true + remediation: | + Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true. + scored: true + + - id: 7.15 + text: "Verify that the RotateKubeletServerCertificate argument is set to true" + audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml" + test: + test_items: + - flag: "RotateKubeletServerCertificate=true" + compare: + op: has + value: "true" + set: true + remediation: | + Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true. 
+ scored: true + + +- id: 8 + text: "Configuration Files" + checks: + - id: 8.1 + text: "Verify the OpenShift default permissions for the kubelet.conf file" + audit: "stat -c %a /etc/origin/node/node.kubeconfig" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: | + Run the below command on each worker node. + chmod 644 /etc/origin/node/node.kubeconfig + scored: true + + - id: 8.2 + text: "Verify the kubeconfig file ownership of root:root" + audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: root:root + set: true + remediation: | + Run the below command on each worker node. + chown root:root /etc/origin/node/node.kubeconfig + scored: true + + - id: 8.3 + text: "Verify the kubelet service file permissions of 644" + audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: | + Run the below command on each worker node. + chmod 644 /etc/systemd/system/atomic-openshift-node.service + scored: true + + - id: 8.4 + text: "Verify the kubelet service file ownership of root:root" + audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: root:root + set: true + remediation: | + Run the below command on each worker node. 
+ chown root:root /etc/systemd/system/atomic-openshift-node.service + scored: true + + - id: 8.5 + text: "Verify the OpenShift default permissions for the proxy kubeconfig file" + audit: "stat -c %a /etc/origin/node/node.kubeconfig" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: | + Run the below command on each worker node. + chmod 644 /etc/origin/node/node.kubeconfig + scored: true + + - id: 8.6 + text: "Verify the proxy kubeconfig file ownership of root:root" + audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: root:root + set: true + remediation: | + Run the below command on each worker node. + chown root:root /etc/origin/node/node.kubeconfig + scored: true + + - id: 8.7 + text: "Verify the OpenShift default permissions for the certificate authorities file." + audit: "stat -c %a /etc/origin/node/client-ca.crt" + tests: + bin_op: or + test_items: + - flag: "644" + compare: + op: eq + value: "644" + set: true + - flag: "640" + compare: + op: eq + value: "640" + set: true + - flag: "600" + compare: + op: eq + value: "600" + set: true + remediation: | + Run the below command on each worker node. + chmod 644 /etc/origin/node/client-ca.crt + scored: true + + - id: 8.8 + text: "Verify the client certificate authorities file ownership of root:root" + audit: "stat -c %U:%G /etc/origin/node/client-ca.crt" + tests: + test_items: + - flag: "root:root" + compare: + op: eq + value: root:root + set: true + remediation: | + Run the below command on each worker node. + chown root:root /etc/origin/node/client-ca.crt + scored: true From d05d71553fc0631a1624944dc0d24005f1f26709 Mon Sep 17 00:00:00 2001 
From: Liz Rice Date: Tue, 23 Apr 2019 10:57:15 +0100 Subject: [PATCH 2/4] Tiny typo --- cfg/ocp-3.10/node.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfg/ocp-3.10/node.yaml b/cfg/ocp-3.10/node.yaml index 1fbe549..7b62b08 100644 --- a/cfg/ocp-3.10/node.yaml +++ b/cfg/ocp-3.10/node.yaml @@ -52,7 +52,7 @@ groups: scored: true - id: 7.5 - text: "Verify the OpenShift default setting for the read-only-port argumen" + text: "Verify the OpenShift default setting for the read-only-port argument" audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml" tests: bin_op: or From b4419e810f133dd168eb5d429daa2b54f867dfd9 Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Tue, 23 Apr 2019 11:01:38 +0100 Subject: [PATCH 3/4] Tiny typo --- cfg/ocp-3.10/node.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfg/ocp-3.10/node.yaml b/cfg/ocp-3.10/node.yaml index 7b62b08..fc27642 100644 --- a/cfg/ocp-3.10/node.yaml +++ b/cfg/ocp-3.10/node.yaml @@ -18,7 +18,7 @@ groups: scored: true - id: 7.3 - text: "Verify that the --authorization-mode argument is set to WebHook)" + text: "Verify that the --authorization-mode argument is set to WebHook" audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml" tests: bin_op: or From 7e8dfbc6eaf6018f19e55a8be6d48c8038b2b00d Mon Sep 17 00:00:00 2001 From: Liz Rice Date: Tue, 23 Apr 2019 11:41:48 +0100 Subject: [PATCH 4/4] Fix invalid YAML --- cfg/ocp-3.10/master.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfg/ocp-3.10/master.yaml b/cfg/ocp-3.10/master.yaml index 4c44044..ed35fcd 100644 --- a/cfg/ocp-3.10/master.yaml +++ b/cfg/ocp-3.10/master.yaml @@ -1157,7 +1157,7 @@ groups: tests: bin_op: and test_items: - - : "Binary file /proc/1/environ matches" + - flag: "Binary file /proc/1/environ matches" compare: op: has value: "Binary file /proc/1/environ matches"
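Review bot: The restored test item still keys on grep's human-readable diagnostic `flag: "Binary file /proc/1/environ matches"`, so this `bin_op: and` check passes or fails depending on the grep build and locale rather than on what is actually in PID 1's environment; as far as I recall, recent GNU grep releases print `grep: /proc/1/environ: binary file matches` on stderr instead, which would make the check fail unconditionally. The audit command that produces this output sits outside the hunk, so I am inferring it greps /proc/1/environ directly. A more robust shape is to make the output textual and assert on the real value, e.g. audit `tr '\0' '\n' < /proc/1/environ | grep -a '<VAR>='` with a test item `flag: "<VAR>="` and `compare: {op: has, value: "<expected>"}`, so the result no longer depends on grep's binary-file heuristic. Since this commit only repairs a dropped key name, a yamllint or schema validation step in CI would catch the next one before it silently disables a check.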