From 9c6d4de8603e75159fe65fd499f0698824b2149b Mon Sep 17 00:00:00 2001
From: Roberto Rojas
Date: Wed, 27 Nov 2019 10:30:29 -0500
Subject: [PATCH] Issue #421: Merges PR #422 with master (#523)
* Add kubeconfig location of kube-proxy for AKS
* Add job for AKS node
* Automate ca file permission check
* removed job-aks.yaml as other PRs added needed features
* fixed integration test due to merge changes
---
 cfg/cis-1.4/master.yaml | 6 +++---
 cfg/cis-1.4/node.yaml | 21 +++++++++++++++++++--
 cfg/config.yaml | 3 ++-
 integration/testdata/job-master.data | 6 +++---
 integration/testdata/job-node.data | 9 +++------
 integration/testdata/job.data | 15 ++++++---------
 6 files changed, 36 insertions(+), 24 deletions(-)
diff --git a/cfg/cis-1.4/master.yaml b/cfg/cis-1.4/master.yaml
index ba36854..dd3389d 100644
--- a/cfg/cis-1.4/master.yaml
+++ b/cfg/cis-1.4/master.yaml
@@ -1215,7 +1215,7 @@ groups:
 set: true
 remediation: |
 [Manual test]
- Run the below command (based on the file location on your system) on the master node.
+ Run the below command (based on the file location on your system) on the master node.
 For example,
 chown -R root:root /etc/kubernetes/pki/
 scored: true
@@ -1243,7 +1243,7 @@ groups:
 set: true
 remediation: |
 [Manual test]
- Run the below command (based on the file location on your system) on the master node.
+ Run the below command (based on the file location on your system) on the master node.
 For example,
 chmod -R 644 /etc/kubernetes/pki/*.crt
 scored: true
@@ -1260,7 +1260,7 @@ groups:
 set: true
 remediation: |
 [Manual test]
- Run the below command (based on the file location on your system) on the master node.
+ Run the below command (based on the file location on your system) on the master node.
 For example,
 chmod -R 600 /etc/kubernetes/pki/*.key
 scored: true
diff --git a/cfg/cis-1.4/node.yaml b/cfg/cis-1.4/node.yaml
index ae581a4..af3842d 100644
--- a/cfg/cis-1.4/node.yaml
+++ b/cfg/cis-1.4/node.yaml
@@ -464,8 +464,25 @@ groups:
 - id: 2.2.7
 text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
- type: manual
- tests: {}
+ audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %a $kubeletcafile; fi'"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
 remediation: |
 Run the following command to modify the file permissions of the --client-ca-file
 chmod 644
diff --git a/cfg/config.yaml b/cfg/config.yaml
index 7bd7d92..a89dcc1 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -135,7 +135,8 @@ node:
 - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
 - /var/snap/kube-proxy/current/args
 kubeconfig:
- - /etc/kubernetes/kubelet-kubeconfig
+ - "/etc/kubernetes/kubelet-kubeconfig"
+ - "/var/lib/kubelet/kubeconfig"
 svc:
 - "/lib/systemd/system/kube-proxy.service"
 defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
diff --git a/integration/testdata/job-master.data b/integration/testdata/job-master.data
index 1209fad..24939bd 100644
--- a/integration/testdata/job-master.data
+++ b/integration/testdata/job-master.data
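Review bot: The three `eq` test_items (644, 640, 600) do not cover every mode that is "644 or more restrictive": a CA file deployed read-only as 444, 440 or 400 satisfies the control yet now scores FAIL, whereas before this change it was only a manual WARN. Either extend the `or` list with those three modes (below), or, if the compare engine offers a permission-mask operator, compare against 644 once instead of enumerating values. A smaller point on the `audit:` line: when `$kubeletcafile` names a file that does not exist the command prints nothing, so an absent CA file is reported as FAIL rather than skipped; a comment such as `# no output (file absent) is a FAIL, not a skip` makes that a deliberate outcome. The remainder of the 2.2.7 entry, presumably its `scored:` flag, lies beyond the end of the hunk.
```yaml
          test_items:
            # … unchanged: the 644 / 640 / 600 items …
            - flag: "444"
              compare:
                op: eq
                value: "444"
              set: true
            - flag: "440"
              compare:
                op: eq
                value: "440"
              set: true
            - flag: "400"
              compare:
                op: eq
                value: "400"
              set: true
```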
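Review bot: The `kubeconfig:` list this hunk extends appears to belong to the kube-proxy entry (its sibling keys are the kube-proxy `svc:` unit and the kube-proxy daemonset `defaultconf:`), yet both paths it now holds are kubelet kubeconfig locations, and only the commit message explains that kube-proxy on AKS reads its credentials from `/var/lib/kubelet/kubeconfig`. A one-line comment above the new entry, `# AKS: kube-proxy runs with the kubelet kubeconfig`, would stop the next reader from "correcting" the path. It is also not visible here whether the checks that consume this list (the 2.2.5/2.2.6 proxy kubeconfig permission and ownership checks, judging by the fixtures in this patch) take the first existing path or every existing path; if the latter, a host that has both files gets two files evaluated under one check, which the same comment should say.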
@@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
 chown etcd:etcd /var/lib/etcd
 1.4.19 [Manual test]
-Run the below command (based on the file location on your system) on the master node.
+Run the below command (based on the file location on your system) on the master node.
 For example,
 chown -R root:root /etc/kubernetes/pki/
 1.4.20 [Manual test]
-Run the below command (based on the file location on your system) on the master node.
+Run the below command (based on the file location on your system) on the master node.
 For example,
 chmod -R 644 /etc/kubernetes/pki/*.crt
 1.4.21 [Manual test]
-Run the below command (based on the file location on your system) on the master node.
+Run the below command (based on the file location on your system) on the master node.
 For example,
 chmod -R 600 /etc/kubernetes/pki/*.key
 1.5.1 Follow the etcd service documentation and configure TLS encryption.
diff --git a/integration/testdata/job-node.data b/integration/testdata/job-node.data
index fb449ac..46077a6 100644
--- a/integration/testdata/job-node.data
+++ b/integration/testdata/job-node.data
@@ -21,7 +21,7 @@
 [PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
 [FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
 [FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
-[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
+[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
 [PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
 [PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
 [PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
@@ -81,12 +81,9 @@ chmod 644 /etc/kubernetes/proxy.conf
 node. For example,
 chown root:root /etc/kubernetes/proxy.conf
-2.2.7 Run the following command to modify the file permissions of the --client-ca-file
-chmod 644
-
 == Summary ==
-15 checks PASS
+16 checks PASS
 7 checks FAIL
-1 checks WARN
+0 checks WARN
 1 checks INFO
\ No newline at end of file
diff --git a/integration/testdata/job.data b/integration/testdata/job.data
index a1bb8cc..df7eea8 100644
--- a/integration/testdata/job.data
+++ b/integration/testdata/job.data
@@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
 chown etcd:etcd /var/lib/etcd
 1.4.19 [Manual test]
-Run the below command (based on the file location on your system) on the master node.
+Run the below command (based on the file location on your system) on the master node.
 For example,
 chown -R root:root /etc/kubernetes/pki/
 1.4.20 [Manual test]
-Run the below command (based on the file location on your system) on the master node.
+Run the below command (based on the file location on your system) on the master node.
 For example,
 chmod -R 644 /etc/kubernetes/pki/*.crt
 1.4.21 [Manual test]
-Run the below command (based on the file location on your system) on the master node.
+Run the below command (based on the file location on your system) on the master node.
 For example,
 chmod -R 600 /etc/kubernetes/pki/*.key
 1.5.1 Follow the etcd service documentation and configure TLS encryption.
@@ -447,7 +447,7 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
 [PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
 [FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
 [FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
-[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
+[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
 [PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
 [PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
 [PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
@@ -507,12 +507,9 @@ chmod 644 /etc/kubernetes/proxy.conf
 node. For example,
 chown root:root /etc/kubernetes/proxy.conf
-2.2.7 Run the following command to modify the file permissions of the --client-ca-file
-chmod 644
-
 == Summary ==
-15 checks PASS
+16 checks PASS
 7 checks FAIL
-1 checks WARN
+0 checks WARN
 1 checks INFO
\ No newline at end of file