
Merge branch 'master' into json-config

This commit is contained in:
Liz Rice 2019-04-23 13:51:30 +02:00 committed by GitHub
commit 91c6ef2155
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 1830 additions and 1876 deletions



@ -1,376 +1,376 @@
--- ---
controls: controls:
id: 2 id: 2
text: "Worker Node Security Configuration" text: "Worker Node Security Configuration"
type: "node" type: "node"
groups: groups:
- id: 2.1 - id: 7
text: "Kubelet" text: "Kubelet"
checks: checks:
- id: 2.1.1 - id: 7.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" text: "Use Security Context Constraints to manage privileged containers as needed"
type: "skip" type: "skip"
scored: true scored: true
- id: 2.1.2 - id: 7.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: "Ensure anonymous-auth is not disabled"
type: "skip" type: "skip"
scored: true scored: true
- id: 2.1.3 - id: 7.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: "Verify that the --authorization-mode argument is set to WebHook"
audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml" audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "authorization-mode" - flag: "authorization-mode"
set: false set: false
- flag: "authorization-mode: Webhook" - flag: "authorization-mode: Webhook"
compare: compare:
op: has op: has
value: "Webhook" value: "Webhook"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook". kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
scored: true scored: true
- id: 2.1.4 - id: 7.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: "Verify the OpenShift default for the client-ca-file argument"
audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml" audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "client-ca-file" - flag: "client-ca-file"
set: false set: false
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following: Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
grep -A1 client-ca-file /etc/origin/node/node-config.yaml grep -A1 client-ca-file /etc/origin/node/node-config.yaml
Reset to the OpenShift default. Reset to the OpenShift default.
See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65 See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
The config file does not have this defined in kubeletArgument, but in PodManifestConfig. The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
scored: true scored: true
- id: 2.1.5 - id: 7.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" text: "Verify the OpenShift default setting for the read-only-port argument"
audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml" audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "read-only-port" - flag: "read-only-port"
set: false set: false
- flag: "read-only-port: 0" - flag: "read-only-port: 0"
compare: compare:
op: has op: has
value: "0" value: "0"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied. Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
scored: true scored: true
- id: 2.1.6 - id: 7.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" text: "Adjust the streaming-connection-idle-timeout argument"
audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml" audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "streaming-connection-idle-timeout" - flag: "streaming-connection-idle-timeout"
set: false set: false
- flag: "0" - flag: "5m"
set: false set: false
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
value like the following in node-config.yaml. value like the following in node-config.yaml.
kubeletArguments: kubeletArguments:
 streaming-connection-idle-timeout:  streaming-connection-idle-timeout:
   - "5m"    - "5m"
scored: true scored: true
- id: 2.1.7 - id: 7.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
type: "skip" type: "skip"
scored: true scored: true
- id: 2.1.8 - id: 7.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml" audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "make-iptables-util-chains" - flag: "make-iptables-util-chains"
set: false set: false
- flag: "make-iptables-util-chains: true" - flag: "make-iptables-util-chains: true"
compare: compare:
op: has op: has
value: "true" value: "true"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
default value of true. default value of true.
scored: true scored: true
id: 2.1.9 - id: 7.9
text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)" text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml" audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "keep-terminated-pod-volumes: false" - flag: "keep-terminated-pod-volumes: false"
compare: compare:
op: has op: has
value: "false" value: "false"
set: true set: true
remediation: | remediation: |
Reset to the OpenShift defaults Reset to the OpenShift defaults
scored: true scored: true
- id: 2.1.10 - id: 7.10
text: "Ensure that the --hostname-override argument is not set (Scored)" text: "Verify the OpenShift defaults for the hostname-override argument"
type: "skip" type: "skip"
scored: true scored: true
- id: 2.1.11 - id: 7.11
text: "Ensure that the --event-qps argument is set to 0 (Scored)" text: "Set the --event-qps argument to 0"
audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml" audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "event-qps" - flag: "event-qps"
set: false set: false
- flag: "event-qps: 0" - flag: "event-qps: 0"
compare: compare:
op: has op: has
value: "0" value: "0"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
the kubeletArguments section of. the kubeletArguments section of.
scored: true scored: true
- id: 2.1.12 - id: 7.12
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml" audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "/etc/origin/node/certificates" - flag: "/etc/origin/node/certificates"
compare: compare:
op: has op: has
value: "/etc/origin/node/certificates" value: "/etc/origin/node/certificates"
set: true set: true
remediation: | remediation: |
Reset to the OpenShift default values. Reset to the OpenShift default values.
scored: true scored: true
- id: 2.1.13 - id: 7.13
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml" audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "cadvisor-port" - flag: "cadvisor-port"
set: false set: false
- flag: "cadvisor-port: 0" - flag: "cadvisor-port: 0"
compare: compare:
op: has op: has
value: "0" value: "0"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
if it is set in the kubeletArguments section. if it is set in the kubeletArguments section.
scored: true scored: true
- id: 2.1.14 - id: 7.14
text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)" text: "Verify that the RotateKubeletClientCertificate argument is set to true"
audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml" audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletClientCertificate=true" - flag: "RotateKubeletClientCertificate=true"
compare: compare:
op: has op: has
value: "true" value: "true"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true. Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
scored: true scored: true
- id: 2.1.15 - id: 7.15
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: "Verify that the RotateKubeletServerCertificate argument is set to true"
audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml" audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
test: test:
test_items: test_items:
- flag: "RotateKubeletServerCertificate=true" - flag: "RotateKubeletServerCertificate=true"
compare: compare:
op: has op: has
value: "true" value: "true"
set: true set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true. Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
scored: true scored: true
- id: 2.2 - id: 8
text: "Configuration Files" text: "Configuration Files"
checks: checks:
- id: 2.2.1 - id: 8.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)" text: "Verify the OpenShift default permissions for the kubelet.conf file"
audit: "stat -c %a /etc/origin/node/node.kubeconfig" audit: "stat -c %a /etc/origin/node/node.kubeconfig"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640" - flag: "640"
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true set: true
- flag: "600" - flag: "600"
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig chmod 644 /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 2.2.2 - id: 8.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" text: "Verify the kubeconfig file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare: compare:
op: eq op: eq
value: root:root value: root:root
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root /etc/origin/node/node.kubeconfig chown root:root /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 2.2.3 - id: 8.3
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" text: "Verify the kubelet service file permissions of 644"
audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service" audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640" - flag: "640"
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true set: true
- flag: "600" - flag: "600"
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 /etc/systemd/system/atomic-openshift-node.service chmod 644 /etc/systemd/system/atomic-openshift-node.service
scored: true scored: true
- id: 2.2.4 - id: 8.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)" text: "Verify the kubelet service file ownership of root:root"
audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service" audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare: compare:
op: eq op: eq
value: root:root value: root:root
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root /etc/systemd/system/atomic-openshift-node.service chown root:root /etc/systemd/system/atomic-openshift-node.service
scored: true scored: true
- id: 2.2.5 - id: 8.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
audit: "stat -c %a /etc/origin/node/node.kubeconfig" audit: "stat -c %a /etc/origin/node/node.kubeconfig"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640" - flag: "640"
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true set: true
- flag: "600" - flag: "600"
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig chmod 644 /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 2.2.6 - id: 8.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" text: "Verify the proxy kubeconfig file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare: compare:
op: eq op: eq
value: root:root value: root:root
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root /etc/origin/node/node.kubeconfig chown root:root /etc/origin/node/node.kubeconfig
scored: true scored: true
- id: 2.2.7 - id: 8.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" text: "Verify the OpenShift default permissions for the certificate authorities file."
audit: "stat -c %a /etc/origin/node/client-ca.crt" audit: "stat -c %a /etc/origin/node/client-ca.crt"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640" - flag: "640"
compare: compare:
op: eq op: eq
value: "640" value: "640"
set: true set: true
- flag: "600" - flag: "600"
compare: compare:
op: eq op: eq
value: "600" value: "600"
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 /etc/origin/node/client-ca.crt chmod 644 /etc/origin/node/client-ca.crt
scored: true scored: true
- id: 2.2.8 - id: 8.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" text: "Verify the client certificate authorities file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/client-ca.crt" audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare: compare:
op: eq op: eq
value: root:root value: root:root
set: true set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root /etc/origin/node/client-ca.crt chown root:root /etc/origin/node/client-ca.crt
scored: true scored: true