mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-18 12:48:08 +00:00
* removed version prior to 1.11 * removed references to kubernetes versions prior to 1.11
This commit is contained in:
parent
3aa41db166
commit
a6ee61fd08
@ -18,13 +18,10 @@ Tests are configured with YAML files, making this tool easy to update as test sp
|
||||
|
||||
## CIS Kubernetes Benchmark support
|
||||
|
||||
kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.0.0 to 1.4.0 respectively.
|
||||
kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.3.0 to 1.4.0 respectively.
|
||||
|
||||
| CIS Kubernetes Benchmark | kube-bench config | Kubernetes versions |
|
||||
|---|---|---|
|
||||
| 1.0.0| 1.6 | 1.6 |
|
||||
| 1.1.0| 1.7 | 1.7 |
|
||||
| 1.2.0| 1.8 | 1.8-1.10 |
|
||||
| 1.3.0| 1.11 | 1.11-1.12 |
|
||||
| 1.4.1| 1.13 | 1.13- |
|
||||
|
||||
|
@ -1,285 +0,0 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.6
|
||||
id: 3
|
||||
text: "Federated Deployments"
|
||||
type: "federated"
|
||||
groups:
|
||||
- id: 3.1
|
||||
text: "Federation API Server"
|
||||
checks:
|
||||
- id: 3.1.1
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --anonymous-auth=false.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.2
|
||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--basic-auth-file"
|
||||
set: false
|
||||
remediation: "Follow the documentation and configure alternate mechanisms for authentication.
|
||||
Then, edit the deployment specs and remove \"--basic-auth-file=<filename>\".\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.3
|
||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-allow-any-token"
|
||||
set: false
|
||||
remediation: "Edit the deployment specs and remove --insecure-allow-any-token.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.4
|
||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-bind-address"
|
||||
set: false
|
||||
remediation: "Edit the deployment specs and remove --insecure-bind-address.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.5
|
||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-port"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --insecure-port=0.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.6
|
||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--secure-port"
|
||||
compare:
|
||||
op: gt
|
||||
value: 0
|
||||
set: true
|
||||
- flag: "--secure-port"
|
||||
set: false
|
||||
remediation: "Edit the deployment specs and set the --secure-port argument to the desired port.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.7
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set \"--profiling=false\".\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
score: true
|
||||
|
||||
- id: 3.1.8
|
||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
compare:
|
||||
op: nothave
|
||||
value: AlwaysAdmit
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --admission-control argument to a value that does
|
||||
not include AlwaysAdmit.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.9
|
||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "admission-control"
|
||||
compare:
|
||||
op: has
|
||||
value: "NamespaceLifecycle"
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --admission-control argument to a value that includes NamespaceLifecycle.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.10
|
||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-path"
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --audit-log-path argument as appropriate.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.11
|
||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxage"
|
||||
compare:
|
||||
op: gte
|
||||
value: 30
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.12
|
||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxbackup"
|
||||
compare:
|
||||
op: gte
|
||||
value: 10
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.13
|
||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxsize"
|
||||
compare:
|
||||
op: gte
|
||||
value: 100
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.14
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--authorization-mode"
|
||||
compare:
|
||||
op: nothave
|
||||
value: "AlwaysAllow"
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --authorization-mode argument to a value other than AlwaysAllow.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.15
|
||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--token-auth-file"
|
||||
set: false
|
||||
remediation: "Follow the documentation and configure alternate mechanisms for authentication.
|
||||
Then, edit the deployment specs and remove the --token-auth-file=<filename> argument.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.16
|
||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-lookup"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set \"--service-account-lookup=true\".\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.17
|
||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-key-file"
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --service-account-key-file argument as appropriate.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.18
|
||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
- flag: "--etcd-certfile"
|
||||
set: true
|
||||
- flag: "--etcd-keyfile"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the
|
||||
federation apiserver and etcd. Then, edit the deployment specs and set \"--etcd-
|
||||
certfile=<path/to/client-certificate-file>\" and \"--etcd-
|
||||
keyfile=<path/to/client-key-file>\" arguments.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.19
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
- flag: "--tls-cert-file"
|
||||
set: true
|
||||
- flag: "--tls-private-key-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the federation
|
||||
apiserver. Then, edit the deployment specs and set \"--tls-cert-file=<path/to/tls-
|
||||
certificate-file>\" and \"--tls-private-key-file=<path/to/tls-key-file>\" :
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.2
|
||||
text: "Federation Controller Manager"
|
||||
checks:
|
||||
- id: 3.2.1
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set \"--profiling=false\".\n
|
||||
kubectl edit deployments federation-controller-manager-deployment --namespace=federation-system"
|
||||
scored: true
|
@ -1,981 +0,0 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.6
|
||||
id: 1
|
||||
text: "Master Node Security Configuration"
|
||||
type: "master"
|
||||
groups:
|
||||
- id: 1.1
|
||||
text: "API Server"
|
||||
checks:
|
||||
- id: 1.1.1
|
||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "allow-privileged"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set
|
||||
the KUBE_ALLOW_PRIV parameter to \"--allow-privileged=false\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.2
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set
|
||||
the KUBE_API_ARGS parameter to \"--anonymous-auth=false\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.3
|
||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--basic-auth-file"
|
||||
set: false
|
||||
remediation: "Follow the documentation and configure alternate mechanisms for
|
||||
authentication. Then, edit the $apiserverconf file on the master
|
||||
node and remove the \"--basic-auth-file=<filename>\" argument from the
|
||||
KUBE_API_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.4
|
||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-allow-any-token"
|
||||
set: false
|
||||
remediation: "Edit the $apiserverconf file on the master node and remove
|
||||
the --insecure-allow-any-token argument from the KUBE_API_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.5
|
||||
text: "Ensure that the --kubelet-https argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--kubelet-https"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
- flag: "--kubelet-https"
|
||||
set: false
|
||||
remediation: "Edit the $apiserverconf file on the master node and remove
|
||||
the --kubelet-https argument from the KUBE_API_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.6
|
||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-bind-address"
|
||||
set: false
|
||||
remediation: "Edit the $apiserverconf file on the master node and remove
|
||||
the --insecure-bind-address argument from the KUBE_API_ADDRESS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.7
|
||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-port"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set
|
||||
--insecure-port=0 in the KUBE_API_PORT parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.8
|
||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--secure-port"
|
||||
compare:
|
||||
op: gt
|
||||
value: 0
|
||||
set: true
|
||||
- flag: "--secure-port"
|
||||
set: false
|
||||
remediation: "Edit the $apiserverconf file on the master node and either
|
||||
remove the --secure-port argument from the KUBE_API_ARGS parameter or set
|
||||
it to a different desired port."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.9
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--profiling=false\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.10
|
||||
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--repair-malformed-updates"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--repair-malformed-updates=false\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.11
|
||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
compare:
|
||||
op: nothave
|
||||
value: AlwaysAdmit
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to a value that does not include AlwaysAdmit"
|
||||
scored: true
|
||||
|
||||
- id: 1.1.12
|
||||
text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
compare:
|
||||
op: has
|
||||
value: "AlwaysPullImages"
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,AlwaysPullImages,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.13
|
||||
text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
compare:
|
||||
op: has
|
||||
value: "DenyEscalatingExec"
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,DenyEscalatingExec,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.14
|
||||
text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
compare:
|
||||
op: has
|
||||
value: "SecurityContextDeny"
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,SecurityContextDeny,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.15
|
||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "admission-control"
|
||||
compare:
|
||||
op: has
|
||||
value: "NamespaceLifecycle"
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to \"--admission-control=NamespaceLifecycle,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.16
|
||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-path"
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--audit-log-path=<filename>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.17
|
||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxage"
|
||||
compare:
|
||||
op: gte
|
||||
value: 30
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--audit-log-maxage=30\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.18
|
||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxbackup"
|
||||
compare:
|
||||
op: gte
|
||||
value: 10
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--audit-log-maxbackup=10\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.19
|
||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxsize"
|
||||
compare:
|
||||
op: gte
|
||||
value: 100
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--audit-log-maxsize=100\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.20
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--authorization-mode"
|
||||
compare:
|
||||
op: nothave
|
||||
value: "AlwaysAllow"
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to values other than \"--authorization-mode=AlwaysAllow\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.21
|
||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--token-auth-file"
|
||||
set: false
|
||||
remediation: "Follow the documentation and configure alternate mechanisms for authentication.
|
||||
Then, edit the $apiserverconf file on the master node and remove the
|
||||
\"--tokenauth-file=<filename>\" argument from the KUBE_API_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.1.22
|
||||
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--kubelet-certificate-authority"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and setup the TLS connection between
|
||||
the apiserver and kubelets. Then, edit the $apiserverconf file on the
|
||||
master node and set the KUBE_API_ARGS parameter to
|
||||
\"--kubelet-certificate-authority=<ca-string>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.23
|
||||
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
- flag: "--kubelet-client-certificate"
|
||||
set: true
|
||||
- flag: "--kubelet-client-key"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
|
||||
and kubelets. Then, edit the $apiserverconf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to \"--kubelet-clientcertificate=<path/to/client-certificate-file>\"
|
||||
and \"--kubelet-clientkey=<path/to/client-key-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.24
|
||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-lookup"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter
|
||||
to \"--service-account-lookup=true\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.25
|
||||
text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
compare:
|
||||
op: has
|
||||
value: "PodSecurityPolicy"
|
||||
set: true
|
||||
remediation: "Follow the documentation and create Pod Security Policy objects as per your environment.
|
||||
Then, edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL
|
||||
parameter to \"--admission-control=...,PodSecurityPolicy,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.26
|
||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-key-file"
|
||||
set: true
|
||||
remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
|
||||
parameter to \"--service-account-key-file=<filename>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.27
|
||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
- flag: "--etcd-certfile"
|
||||
set: true
|
||||
- flag: "--etcd-keyfile"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
|
||||
and etcd. Then, edit the $apiserverconf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to include \"--etcd-certfile=<path/to/clientcertificate-file>\"
|
||||
and \"--etcd-keyfile=<path/to/client-key-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.28
|
||||
text: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
compare:
|
||||
op: has
|
||||
value: "ServiceAccount"
|
||||
set: true
|
||||
remediation: "Follow the documentation and create ServiceAccount objects as per your environment.
|
||||
Then, edit the $apiserverconf file on the master node and set the
|
||||
KUBE_ADMISSION_CONTROL parameter to \"--admissioncontrol=...,ServiceAccount,...\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.29
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
- flag: "--tls-cert-file"
|
||||
set: true
|
||||
- flag: "--tls-private-key-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
|
||||
Then, edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to
|
||||
include \"--tls-cert-file=<path/to/tls-certificatefile>\" and
|
||||
\"--tls-private-key-file=<path/to/tls-key-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.30
|
||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--client-ca-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
|
||||
Then, edit the $apiserverconf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to include \"--client-ca-file=<path/to/client-ca-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.1.31
|
||||
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--etcd-cafile"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
|
||||
and etcd. Then, edit the $apiserverconf file on the master node and set the
|
||||
KUBE_API_ARGS parameter to include \"--etcd-cafile=<path/to/ca-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.2
|
||||
text: "Scheduler"
|
||||
checks:
|
||||
- id: 1.2.1
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $schedulerbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $schedulerconf file on the master node and set the KUBE_SCHEDULER_ARGS
|
||||
parameter to \"--profiling=false\""
|
||||
scored: true
|
||||
|
||||
- id: 1.3
|
||||
text: "Controller Manager"
|
||||
checks:
|
||||
- id: 1.3.1
|
||||
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--terminated-pod-gc-threshold"
|
||||
set: true
|
||||
remediation: "Edit the $controllermanagerconf file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--terminated-pod-gcthreshold=<appropriate-number>\""
|
||||
scored: true
|
||||
|
||||
- id: 1.3.2
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $controllermanagerconf file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--profiling=false\""
|
||||
scored: true
|
||||
|
||||
- id: 1.3.3
|
||||
text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-experimental-approve-all-kubelet-csrs-for-group"
|
||||
set: false
|
||||
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and remove the
|
||||
--insecure-experimental-approve-all-kubelet-csrs-for-group argument from the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 1.3.4
|
||||
text: "Ensure that the --use-service-account-credentials argument is set"
|
||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--use-service-account-credentials"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the $controllermanagerconf file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to --use-service-account-credentials=true"
|
||||
scored: true
|
||||
|
||||
- id: 1.3.5
|
||||
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-private-key-file"
|
||||
set: true
|
||||
remediation: "Edit the $controllermanagerconf file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to --service-account-private-keyfile=<filename>"
|
||||
scored: true
|
||||
|
||||
- id: 1.3.6
|
||||
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--root-ca-file"
|
||||
set: true
|
||||
remediation: "Edit the $controllermanagerconf file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
|
||||
scored: true
|
||||
|
||||
- id: 1.4
|
||||
text: "Configure Files"
|
||||
checks:
|
||||
- id: 1.4.1
|
||||
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
||||
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chmod 644 $apiserverconf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.2
|
||||
text: "Ensure that the apiserver file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chown root:root $apiserverconf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.3
|
||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chmod 644 $config"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.4
|
||||
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chown root:root $config"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.5
|
||||
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chmod 644 $schedulerconf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.6
|
||||
text: "Ensure that the scheduler file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chown root:root $schedulerconf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.7
|
||||
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chmod 644 $etcdconf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.8
|
||||
text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chown root:root $etcdconf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.9
|
||||
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chmod 644 $flanneldconf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.10
|
||||
text: "Ensure that the flanneld file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||
\nFor example, chown root:root $flanneldconf"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.11
|
||||
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
||||
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "700"
|
||||
compare:
|
||||
op: eq
|
||||
value: "700"
|
||||
set: true
|
||||
remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
|
||||
from the below command:\n
|
||||
ps -ef | grep $etcdbin\n
|
||||
Run the below command (based on the etcd data directory found above). For example,\n
|
||||
chmod 700 /var/lib/etcd/default.etcd"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.12
|
||||
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
|
||||
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "etcd:etcd"
|
||||
set: true
|
||||
remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
|
||||
from the below command:\n
|
||||
ps -ef | grep etcd\n
|
||||
Run the below command (based on the etcd data directory found above). For example,\n
|
||||
chown etcd:etcd /var/lib/etcd/default.etcd"
|
||||
scored: true
|
||||
|
||||
- id: 1.5
|
||||
text: "etcd"
|
||||
checks:
|
||||
- id: 1.5.1
|
||||
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--cert-file"
|
||||
set: true
|
||||
- flag: "--key-file"
|
||||
set: true
|
||||
remediation: "Follow the etcd service documentation and configure TLS encryption."
|
||||
scored: true
|
||||
|
||||
- id: 1.5.2
|
||||
text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--client-cert-auth"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the etcd envrironment file (for example, $etcdconf) on the
|
||||
etcd server node and set the ETCD_CLIENT_CERT_AUTH parameter to \"true\".
|
||||
Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service)
|
||||
and configure the startup parameter for --clientcert-auth and set it to \"${ETCD_CLIENT_CERT_AUTH}\""
|
||||
scored: true
|
||||
|
||||
- id: 1.5.3
|
||||
text: "Ensure that the --auto-tls argument is not set to true (Scored)"
|
||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--auto-tls"
|
||||
set: false
|
||||
- flag: "--auto-tls"
|
||||
compare:
|
||||
op: neq
|
||||
value: true
|
||||
remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server
|
||||
node and comment out the ETCD_AUTO_TLS parameter. Edit the etcd startup file (for example,
|
||||
/etc/systemd/system/multiuser.target.wants/etcd.service) and remove the startup parameter
|
||||
for --auto-tls."
|
||||
scored: true
|
||||
|
||||
- id: 1.5.4
|
||||
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--peer-cert-file"
|
||||
set: true
|
||||
- flag: "--peer-key-file"
|
||||
set: true
|
||||
remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only
|
||||
one etcd server in your environment then this recommendation is not applicable.
|
||||
Follow the etcd service documentation and configure peer TLS encryption as appropriate for
|
||||
your etcd cluster."
|
||||
scored: true
|
||||
|
||||
- id: 1.5.5
|
||||
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--peer-client-cert-auth"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only
|
||||
one etcd server in your environment then this recommendation is not applicable.
|
||||
Edit the etcd environment file (for example, $etcdconf) on the etcd server node
|
||||
and set the ETCD_PEER_CLIENT_CERT_AUTH parameter to \"true\". Edit the etcd startup file
|
||||
(for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the
|
||||
startup parameter for --peer-client-cert-auth and set it to \"${ETCD_PEER_CLIENT_CERT_AUTH}\""
|
||||
scored: true
|
||||
|
||||
- id: 1.5.6
|
||||
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
|
||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--peer-auto-tls"
|
||||
set: false
|
||||
- flag: "--peer-auto-tls"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Note: This recommendation is applicable only for etcd clusters.
|
||||
If you are using only one etcd server in your environment then this recommendation is
|
||||
not applicable. Edit the etcd environment file (for example, $etcdconf)
|
||||
on the etcd server node and comment out the ETCD_PEER_AUTO_TLS parameter.
|
||||
Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service)
|
||||
and remove the startup parameter for --peer-auto-tls."
|
||||
scored: true
|
||||
|
||||
- id: 1.5.7
|
||||
text: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--wal-dir"
|
||||
set: true
|
||||
remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node
|
||||
and set the ETCD_WAL_DIR parameter as appropriate. Edit the etcd startup file (for example,
|
||||
/etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for
|
||||
--wal-dir and set it to \"${ETCD_WAL_DIR}\""
|
||||
scored: true
|
||||
|
||||
- id: 1.5.8
|
||||
text: "Ensure that the --max-wals argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--max-wals"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node
|
||||
and set the ETCD_MAX_WALS parameter to 0. Edit the etcd startup file (for example,
|
||||
/etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter
|
||||
for --max-wals and set it to \"${ETCD_MAX_WALS}\"."
|
||||
scored: true
|
||||
|
||||
- id: 1.5.9
|
||||
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
|
||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--trusted-ca-file"
|
||||
set: true
|
||||
remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the
|
||||
etcd service."
|
||||
scored: false
|
||||
|
||||
- id: 1.6
|
||||
text: "General Security Primitives"
|
||||
checks:
|
||||
- id: 1.6.1
|
||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
|
||||
scored: false
|
||||
|
||||
- id: 1.6.2
|
||||
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
|
||||
suggested Pod Security Policies for your environment.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.3
|
||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create namespaces for objects in your deployment as you need them.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.4
|
||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.5
|
||||
text: "Avoid using Kubernetes Secrets (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Use other mechanisms such as vaults to manage your cluster secrets.
|
||||
scored: false
|
||||
|
||||
|
||||
- id: 1.6.6
|
||||
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||
would need to enable alpha features in the apiserver by passing "--feature-
|
||||
gates=AllAlpha=true" argument.
|
||||
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
|
||||
parameter to "--feature-gates=AllAlpha=true"
|
||||
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
|
||||
scored: false
|
||||
|
||||
- id: 1.6.7
|
||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||
Containers.
|
||||
scored: false
|
||||
|
||||
- id: 1.6.8
|
||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Follow the Kubernetes documentation and setup image provenance.
|
||||
scored: false
|
@ -1,304 +0,0 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.6
|
||||
id: 2
|
||||
text: "Worker Node Security Configuration"
|
||||
type: "node"
|
||||
groups:
|
||||
- id: 2.1
|
||||
text: "Kubelet"
|
||||
checks:
|
||||
- id: 2.1.1
|
||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--allow-privileged"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $config file on each node and set the KUBE_ALLOW_PRIV
|
||||
parameter to \"--allow-privileged=false\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.2
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on the master node and set the
|
||||
KUBELET_ARGS parameter to \"--anonymous-auth=false\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.3
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--authorization-mode"
|
||||
compare:
|
||||
op: nothave
|
||||
value: "AlwaysAllow"
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the
|
||||
KUBELET_ARGS parameter to \"--authorization-mode=Webhook\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.4
|
||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--client-ca-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and setup the TLS connection between
|
||||
the apiserver and kubelets. Then, edit the $kubeletconf file on each node
|
||||
and set the KUBELET_ARGS parameter to \"--client-ca-file=<path/to/client-ca-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.5
|
||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--read-only-port"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--read-only-port=0\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.6
|
||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--streaming-connection-idle-timeout"
|
||||
compare:
|
||||
op: noteq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--streaming-connection-idle-timeout=<appropriate-timeout-value>\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.7
|
||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--protect-kernel-defaults"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--protect-kernel-defaults=true\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.8
|
||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--make-iptables-util-chains"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
- flag: "--make-iptables-util-chains"
|
||||
set: false
|
||||
remediation: "Edit the $kubeletconf file on each node and remove the
|
||||
--make-iptables-util-chains argument from the KUBELET_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 2.1.9
|
||||
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--keep-terminated-pod-volumes"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--keep-terminated-pod-volumes=false\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.10
|
||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--hostname-override"
|
||||
set: false
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_HOSTNAME
|
||||
parameter to \"\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.11
|
||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--event-qps"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--event-qps=0\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.12
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--tls-cert-file"
|
||||
set: true
|
||||
- flag: "--tls-private-key-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
|
||||
Then, edit the $kubeletconf file on the master node and set the KUBELET_ARGS
|
||||
parameter to include \"--tls-cert-file=<path/to/tls-certificate-file>\" and
|
||||
\"--tls-private-key-file=<path/to/tls-key-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.13
|
||||
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--cadvisor-port"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
|
||||
to \"--cadvisor-port=0\""
|
||||
scored: true
|
||||
|
||||
- id: 2.2
|
||||
text: "Configuration Files"
|
||||
checks:
|
||||
- id: 2.2.1
|
||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chmod 644 $config"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.2
|
||||
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: root:root
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chown root:root $config"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.3
|
||||
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: 644
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chmod 644 $kubeletconf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.4
|
||||
text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chown root:root $kubeletconf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.5
|
||||
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chmod 644 $proxyconf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.6
|
||||
text: "Ensure that the proxy file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chown root:root $proxyconf"
|
||||
scored: true
|
@ -1,285 +0,0 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.7
|
||||
id: 3
|
||||
text: "Federated Deployments"
|
||||
type: "federated"
|
||||
groups:
|
||||
- id: 3.1
|
||||
text: "Federation API Server"
|
||||
checks:
|
||||
- id: 3.1.1
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --anonymous-auth=false.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.2
|
||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--basic-auth-file"
|
||||
set: false
|
||||
remediation: "Follow the documentation and configure alternate mechanisms for authentication.
|
||||
Then, edit the deployment specs and remove \"--basic-auth-file=<filename>\".\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.3
|
||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-allow-any-token"
|
||||
set: false
|
||||
remediation: "Edit the deployment specs and remove --insecure-allow-any-token.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.4
|
||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-bind-address"
|
||||
set: false
|
||||
remediation: "Edit the deployment specs and remove --insecure-bind-address.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.5
|
||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-port"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --insecure-port=0.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.6
|
||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--secure-port"
|
||||
compare:
|
||||
op: gt
|
||||
value: 0
|
||||
set: true
|
||||
- flag: "--secure-port"
|
||||
set: false
|
||||
remediation: "Edit the deployment specs and set the --secure-port argument to the desired port.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.7
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set \"--profiling=false\".\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
score: true
|
||||
|
||||
- id: 3.1.8
|
||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
compare:
|
||||
op: nothave
|
||||
value: AlwaysAdmit
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --admission-control argument to a value that does
|
||||
not include AlwaysAdmit.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.9
|
||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "admission-control"
|
||||
compare:
|
||||
op: has
|
||||
value: "NamespaceLifecycle"
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --admission-control argument to a value that includes NamespaceLifecycle.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.10
|
||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-path"
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --audit-log-path argument as appropriate.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.11
|
||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxage"
|
||||
compare:
|
||||
op: gte
|
||||
value: 30
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.12
|
||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxbackup"
|
||||
compare:
|
||||
op: gte
|
||||
value: 10
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.13
|
||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxsize"
|
||||
compare:
|
||||
op: gte
|
||||
value: 100
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.14
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--authorization-mode"
|
||||
compare:
|
||||
op: nothave
|
||||
value: "AlwaysAllow"
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --authorization-mode argument to a value other than AlwaysAllow.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.15
|
||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--token-auth-file"
|
||||
set: false
|
||||
remediation: "Follow the documentation and configure alternate mechanisms for authentication.
|
||||
Then, edit the deployment specs and remove the --token-auth-file=<filename> argument.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.16
|
||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-lookup"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set \"--service-account-lookup=true\".\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.17
|
||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-key-file"
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --service-account-key-file argument as appropriate.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.18
|
||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
- flag: "--etcd-certfile"
|
||||
set: true
|
||||
- flag: "--etcd-keyfile"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection between the
|
||||
federation apiserver and etcd. Then, edit the deployment specs and set \"--etcd-
|
||||
certfile=<path/to/client-certificate-file>\" and \"--etcd-
|
||||
keyfile=<path/to/client-key-file>\" arguments.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.19
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
- flag: "--tls-cert-file"
|
||||
set: true
|
||||
- flag: "--tls-private-key-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the federation
|
||||
apiserver. Then, edit the deployment specs and set \"--tls-cert-file=<path/to/tls-
|
||||
certificate-file>\" and \"--tls-private-key-file=<path/to/tls-key-file>\" :
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.2
|
||||
text: "Federation Controller Manager"
|
||||
checks:
|
||||
- id: 3.2.1
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set \"--profiling=false\".\n
|
||||
kubectl edit deployments federation-controller-manager-deployment --namespace=federation-system"
|
||||
scored: true
|
1047
cfg/1.7/master.yaml
1047
cfg/1.7/master.yaml
File diff suppressed because it is too large
Load Diff
@ -1,370 +0,0 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.7
|
||||
id: 2
|
||||
text: "Worker Node Security Configuration"
|
||||
type: "node"
|
||||
groups:
|
||||
- id: 2.1
|
||||
text: "Kubelet"
|
||||
checks:
|
||||
- id: 2.1.1
|
||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--allow-privileged"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBE_ALLOW_PRIV
|
||||
parameter to \"--allow-privileged=false\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.2
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on the master node and set the
|
||||
KUBELET_ARGS parameter to \"--anonymous-auth=false\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.3
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--authorization-mode"
|
||||
compare:
|
||||
op: nothave
|
||||
value: "AlwaysAllow"
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the
|
||||
KUBELET_ARGS parameter to \"--authorization-mode=Webhook\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.4
|
||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--client-ca-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and setup the TLS connection between
|
||||
the apiserver and kubelets. Then, edit the $kubeletconf file on each node
|
||||
and set the KUBELET_ARGS parameter to \"--client-ca-file=<path/to/client-ca-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.5
|
||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--read-only-port"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--read-only-port=0\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.6
|
||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--streaming-connection-idle-timeout"
|
||||
compare:
|
||||
op: noteq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--streaming-connection-idle-timeout=<appropriate-timeout-value>\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.7
|
||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--protect-kernel-defaults"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--protect-kernel-defaults=true\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.8
|
||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--make-iptables-util-chains"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
- flag: "--make-iptables-util-chains"
|
||||
set: false
|
||||
remediation: "Edit the $kubeletconf file on each node and remove the
|
||||
--make-iptables-util-chains argument from the KUBELET_ARGS parameter."
|
||||
scored: true
|
||||
|
||||
- id: 2.1.9
|
||||
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--keep-terminated-pod-volumes"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--keep-terminated-pod-volumes=false\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.10
|
||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--hostname-override"
|
||||
set: false
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_HOSTNAME
|
||||
parameter to \"\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.11
|
||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--event-qps"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
|
||||
parameter to \"--event-qps=0\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.12
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--tls-cert-file"
|
||||
set: true
|
||||
- flag: "--tls-private-key-file"
|
||||
set: true
|
||||
remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
|
||||
Then, edit the $kubeletconf file on the master node and set the KUBELET_ARGS
|
||||
parameter to include \"--tls-cert-file=<path/to/tls-certificate-file>\" and
|
||||
\"--tls-private-key-file=<path/to/tls-key-file>\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.13
|
||||
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--cadvisor-port"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
|
||||
to \"--cadvisor-port=0\""
|
||||
scored: true
|
||||
|
||||
- id: 2.1.14
|
||||
text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "RotateKubeletClientCertificate"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
|
||||
to a value to include \"--feature-gates=RotateKubeletClientCertificate=true\"."
|
||||
scored: true
|
||||
|
||||
- id: 2.1.15
|
||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
|
||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "RotateKubeletServerCertificate"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
|
||||
to a value to include \"--feature-gates=RotateKubeletServerCertificate=true\"."
|
||||
scored: true
|
||||
|
||||
- id: 2.2
|
||||
text: "Configuration Files"
|
||||
checks:
|
||||
- id: 2.2.1
|
||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chmod 644 $kubernetesconf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.2
|
||||
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: root:root
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chown root:root $kubernetesconf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.3
|
||||
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: 644
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chmod 644 $kubeletconf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.4
|
||||
text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chown root:root $kubeletconf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.5
|
||||
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chmod 644 $proxyconf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.6
|
||||
text: "Ensure that the proxy file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||
\nFor example, chown root:root $proxyconf"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.7
|
||||
text: "Ensure that the certificate authorities file permissions are set to
|
||||
644 or more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: "Run the following command to modify the file permissions of the --client-ca-file
|
||||
\nchmod 644 <filename>"
|
||||
scored: true
|
||||
|
||||
- id: 2.2.8
|
||||
text: "Ensure that the client certificate authorities file ownership is set to root:root"
|
||||
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "notexist:notexist"
|
||||
set: true
|
||||
remediation: "Run the following command to modify the ownership of the --client-ca-file.
|
||||
\nchown root:root <filename>"
|
||||
scored: true
|
@ -1,2 +0,0 @@
|
||||
---
|
||||
## Version-specific settings that override the values in cfg/config.yaml
|
@ -1,309 +0,0 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.8
|
||||
id: 3
|
||||
text: "Federated Deployments"
|
||||
type: "federated"
|
||||
groups:
|
||||
- id: 3.1
|
||||
text: "Federation API Server"
|
||||
checks:
|
||||
- id: 3.1.1
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set --anonymous-auth=false.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.2
|
||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--basic-auth-file"
|
||||
set: false
|
||||
remediation: |
|
||||
Follow the documentation and configure alternate mechanisms for authentication. Then,
|
||||
edit the deployment specs and remove "--basic-auth-file=<filename>".
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.3
|
||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-allow-any-token"
|
||||
set: false
|
||||
remediation: |
|
||||
Edit the deployment specs and remove --insecure-allow-any-token.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.4
|
||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-bind-address"
|
||||
set: false
|
||||
remediation: |
|
||||
Edit the deployment specs and remove --insecure-bind-address.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.5
|
||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--insecure-port"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set --insecure-port=0.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.6
|
||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--secure-port"
|
||||
compare:
|
||||
op: gt
|
||||
value: 0
|
||||
set: true
|
||||
- flag: "--secure-port"
|
||||
set: false
|
||||
remediation: |
|
||||
Edit the deployment specs and set the --secure-port argument to the desired port.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.7
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set "--profiling=false":
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
score: true
|
||||
|
||||
- id: 3.1.8
|
||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--admission-control"
|
||||
compare:
|
||||
op: nothave
|
||||
value: AlwaysAdmit
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set --admission-control argument to a value that does not
|
||||
include AlwaysAdmit .
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.9
|
||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "admission-control"
|
||||
compare:
|
||||
op: has
|
||||
value: "NamespaceLifecycle"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set --admission-control argument to a value that includes
|
||||
NamespaceLifecycle.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.10
|
||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-path"
|
||||
set: true
|
||||
remediation: "Edit the deployment specs and set --audit-log-path argument as appropriate.\n
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
|
||||
scored: true
|
||||
|
||||
- id: 3.1.11
|
||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxage"
|
||||
compare:
|
||||
op: gte
|
||||
value: 30
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.12
|
||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxbackup"
|
||||
compare:
|
||||
op: gte
|
||||
value: 10
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.13
|
||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--audit-log-maxsize"
|
||||
compare:
|
||||
op: gte
|
||||
value: 100
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.14
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--authorization-mode"
|
||||
compare:
|
||||
op: nothave
|
||||
value: "AlwaysAllow"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set --authorization-mode argument to a value other than
|
||||
AlwaysAllow
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.15
|
||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--token-auth-file"
|
||||
set: false
|
||||
remediation: |
|
||||
Follow the documentation and configure alternate mechanisms for authentication. Then,
|
||||
edit the deployment specs and remove the --token-auth-file=<filename> argument.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.16
|
||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-lookup"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set "--service-account-lookup=true" .
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.17
|
||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--service-account-key-file"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set --service-account-key-file argument as appropriate.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.18
|
||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
|
||||
appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
- flag: "--etcd-certfile"
|
||||
set: true
|
||||
- flag: "--etcd-keyfile"
|
||||
set: true
|
||||
remediation: |
|
||||
Follow the Kubernetes documentation and set up the TLS connection between the
|
||||
federation apiserver and etcd. Then, edit the deployment specs and set
|
||||
"--etcd-certfile=<path/to/client-certificate-file>" and
|
||||
"--etcd-keyfile=<path/to/client-key-file>" arguments.
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.1.19
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as
|
||||
appropriate (Scored)"
|
||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||
tests:
|
||||
bin_op: and
|
||||
test_items:
|
||||
- flag: "--tls-cert-file"
|
||||
set: true
|
||||
- flag: "--tls-private-key-file"
|
||||
set: true
|
||||
remediation: |
|
||||
Follow the Kubernetes documentation and set up the TLS connection on the federation
|
||||
apiserver. Then, edit the deployment specs and set
|
||||
"--tls-cert-file=<path/to/tls-certificate-file>" and
|
||||
"--tls-private-key-file=<path/to/tls-key-file>":
|
||||
kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
|
||||
scored: true
|
||||
|
||||
- id: 3.2
|
||||
text: "Federation Controller Manager"
|
||||
checks:
|
||||
- id: 3.2.1
|
||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--profiling"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the deployment specs and set "--profiling=false":
|
||||
kubectl edit deployments federation-controller-manager-deployment --namespace=federation-system
|
||||
scored: true
|
1373
cfg/1.8/master.yaml
1373
cfg/1.8/master.yaml
File diff suppressed because it is too large
Load Diff
@ -1,446 +0,0 @@
|
||||
---
|
||||
controls:
|
||||
version: 1.8
|
||||
id: 2
|
||||
text: "Worker Node Security Configuration"
|
||||
type: "node"
|
||||
groups:
|
||||
- id: 2.1
|
||||
text: "Kubelet"
|
||||
checks:
|
||||
- id: 2.1.1
|
||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--allow-privileged"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
--allow-privileged=false
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.2
|
||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--anonymous-auth"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
--anonymous-auth=false
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.3
|
||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--authorization-mode"
|
||||
compare:
|
||||
op: nothave
|
||||
value: "AlwaysAllow"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
|
||||
--authorization-mode=Webhook
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.4
|
||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--client-ca-file"
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.
|
||||
--client-ca-file=<path/to/client-ca-file>
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.5
|
||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--read-only-port"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
--read-only-port=0
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.6
|
||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--streaming-connection-idle-timeout"
|
||||
compare:
|
||||
op: noteq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
--streaming-connection-idle-timeout=5m
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.7
|
||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--protect-kernel-defaults"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
--protect-kernel-defaults=true
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.8
|
||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "--make-iptables-util-chains"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and remove the --make-iptables-util-chains argument from the
|
||||
KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.9
|
||||
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--keep-terminated-pod-volumes"
|
||||
compare:
|
||||
op: eq
|
||||
value: false
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
--keep-terminated-pod-volumes=false
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.10
|
||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--hostname-override"
|
||||
set: false
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and remove the --hostname-override argument from the
|
||||
KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.11
|
||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--event-qps"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
||||
--event-qps=0
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.12
|
||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--tls-cert-file"
|
||||
set: true
|
||||
- flag: "--tls-private-key-file"
|
||||
set: true
|
||||
remediation: |
|
||||
Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
|
||||
Then edit the kubelet service file $kubeletsvc on each worker node and set the below parameters in
|
||||
KUBELET_CERTIFICATE_ARGS variable.
|
||||
--tls-cert-file=<path/to/tls-certificate-file>
|
||||
file=<path/to/tls-key-file>
|
||||
--tls-private-key-
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.13
|
||||
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "--cadvisor-port"
|
||||
compare:
|
||||
op: eq
|
||||
value: 0
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
|
||||
--cadvisor-port=0
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.14
|
||||
text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "RotateKubeletClientCertificate"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and remove the --feature-
|
||||
gates=RotateKubeletClientCertificate=false argument from the
|
||||
KUBELET_CERTIFICATE_ARGS variable.
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.1.15
|
||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
|
||||
audit: "ps -fC $kubeletbin"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "RotateKubeletServerCertificate"
|
||||
compare:
|
||||
op: eq
|
||||
value: true
|
||||
set: true
|
||||
remediation: |
|
||||
Edit the kubelet service file $kubeletsvc
|
||||
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
|
||||
--feature-gates=RotateKubeletServerCertificate=true
|
||||
Based on your system, restart the kubelet service. For example:
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet.service
|
||||
scored: true
|
||||
|
||||
- id: 2.2
|
||||
text: "Configuration Files"
|
||||
checks:
|
||||
- id: 2.2.1
|
||||
text: "Ensure that the kubelet.conf file permissions are set to 644 or
|
||||
more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %a $kubeletkubeconfig; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker
|
||||
node. For example,
|
||||
chmod 644 $kubeletkubeconfig
|
||||
scored: true
|
||||
|
||||
- id: 2.2.2
|
||||
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: root:root
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker
|
||||
node. For example,
|
||||
chown root:root $kubeletkubeconfig
|
||||
scored: true
|
||||
|
||||
- id: 2.2.3
|
||||
text: "Ensure that the kubelet service file permissions are set to 644 or
|
||||
more restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %a $kubeletsvc; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: 644
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker
|
||||
node. For example,
|
||||
chmod 755 $kubeletsvc
|
||||
scored: true
|
||||
|
||||
- id: 2.2.4
|
||||
text: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker
|
||||
node. For example,
|
||||
chown root:root $kubeletsvc
|
||||
scored: true
|
||||
|
||||
- id: 2.2.5
|
||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
|
||||
restrictive (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %a $proxykubeconfig; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker
|
||||
node. For example,
|
||||
chmod 644 $proxykubeconfig
|
||||
scored: true
|
||||
|
||||
- id: 2.2.6
|
||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker
|
||||
node. For example,
|
||||
chown root:root $proxykubeconfig
|
||||
scored: true
|
||||
|
||||
- id: 2.2.7
|
||||
text: "Ensure that the certificate authorities file permissions are set to
|
||||
644 or more restrictive (Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
scored: true
|
||||
|
||||
- id: 2.2.8
|
||||
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
|
||||
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: root:root
|
||||
set: true
|
||||
remediation: |
|
||||
Run the following command to modify the ownership of the --client-ca-file .
|
||||
chown root:root <filename>
|
||||
scored: true
|
@ -54,7 +54,7 @@ const (
|
||||
)
|
||||
|
||||
// Check contains information about a recommendation in the
|
||||
// CIS Kubernetes 1.6+ document.
|
||||
// CIS Kubernetes document.
|
||||
type Check struct {
|
||||
ID string `yaml:"id" json:"test_number"`
|
||||
Text string `json:"test_desc"`
|
||||
|
@ -34,7 +34,7 @@ type FilterOpts struct {
|
||||
|
||||
var (
|
||||
envVarsPrefix = "KUBE_BENCH"
|
||||
defaultKubeVersion = "1.6"
|
||||
defaultKubeVersion = "1.11"
|
||||
kubeVersion string
|
||||
cfgFile string
|
||||
cfgDir string
|
||||
|
@ -209,8 +209,8 @@ func TestKubeVersionRegex(t *testing.T) {
|
||||
}
|
||||
|
||||
ver = getVersionFromKubectlOutput("Something completely different")
|
||||
if ver != "1.6" {
|
||||
t.Fatalf("Expected 1.6 got %s", ver)
|
||||
if ver != defaultKubeVersion {
|
||||
t.Fatalf("Expected %s got %s", defaultKubeVersion, ver)
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user