diff --git a/.travis.yml b/.travis.yml index 32d6478..9528ceb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -19,3 +19,7 @@ script: after_success: - test -n "$TRAVIS_TAG" && curl -sL https://git.io/goreleaser | bash + +env: + global: + secure: 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 diff --git a/cfg/1.6/master.yaml b/cfg/1.6/master.yaml index 209f31d..1db170f 100644 --- a/cfg/1.6/master.yaml +++ b/cfg/1.6/master.yaml @@ -731,7 +731,7 @@ groups: - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a tests: test_items: - flag: "700" @@ -748,7 +748,7 @@ groups: - id: 1.4.12 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G tests: test_items: - flag: "etcd:etcd" diff --git a/cfg/1.7/master.yaml b/cfg/1.7/master.yaml index a306eef..fa35e39 100644 --- a/cfg/1.7/master.yaml +++ b/cfg/1.7/master.yaml @@ -793,7 +793,7 @@ groups: - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a tests: test_items: - flag: "700" 
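Review bot: The new sed pipeline in checks 1.4.11 and 1.4.12 of cfg/1.6/master.yaml prints every `ps` line whether or not the substitution matched, so a matching process line that carries no `data-dir` argument is handed to `xargs stat` as a list of words, where the `grep -o` it replaces produced nothing. The expression also has no trailing `.*`, so anything after the data directory on the command line stays in the output and becomes an extra operand to `stat`, and `\S` is a GNU extension where `[^ ]` is portable. `sed -n 's%.*data-dir[= ]\([^ ]*\).*%\1%p'` prints only lines where the substitution happened and keeps just the directory. The same pattern is in cfg/1.7/master.yaml (`@@ -793` and `@@ -810`) and in cfg/1.8/master.yaml 1.4.12 (`@@ -960`); 1.8's 1.4.11 (`@@ -942`) already consumes the rest of the line but still echoes non-matching lines.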
@@ -810,7 +810,7 @@ groups: - id: 1.4.12 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" + audit: ps -ef | grep $etcdbin | grep -v grep | ed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G tests: test_items: - flag: "etcd:etcd" diff --git a/cfg/1.8/config.yaml b/cfg/1.8/config.yaml new file mode 100644 index 0000000..2dcad14 --- /dev/null +++ b/cfg/1.8/config.yaml @@ -0,0 +1,38 @@ +--- +## Controls Files. +# These are YAML files that hold all the details for running checks. +# +## Uncomment to use different control file paths. +# masterControls: ./cfg/master.yaml +# nodeControls: ./cfg/node.yaml +# federatedControls: ./cfg/federated.yaml + +master: + apiserver: + defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml + + scheduler: + confs: + - /etc/kubernetes/manifests/kube-scheduler.yaml + defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml + + controllermanager: + confs: + - /etc/kubernetes/manifests/kube-controller-manager.yaml + defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml + + etcd: + confs: + - /etc/kubernetes/manifests/etcd.yaml + defaultconf: /etc/kubernetes/manifests/etcd.yaml + +node: + kubelet: + confs: + - /etc/systemd/system/kubelet.service.d/10-kubeadm.conf + defaultconf: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf + + proxy: + confs: + - /etc/kubernetes/addons/kube-proxy-daemonset.yaml + defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml index 0a3c465..ae933fd 100644 --- a/cfg/1.8/master.yaml +++ b/cfg/1.8/master.yaml @@ -19,7 +19,7 @@ groups: value: false set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the below parameter. --anonymous-auth=false 
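Review bot: The replacement audit for 1.4.12 in cfg/1.7/master.yaml pipes through `ed` instead of `sed`; `ed` is the line editor, not a stream filter, so this pipeline cannot yield a data-directory path for `xargs stat` and the check will fail on every host. The line should read `audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G`, matching the 1.4.11 hunk just above it.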
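Review bot: In the new cfg/1.8/config.yaml, `master.apiserver` declares only `defaultconf`, while `scheduler`, `controllermanager`, `etcd`, `kubelet` and `proxy` each also list `confs:`; if `getConfigFiles` probes the `confs` candidates before falling back to `defaultconf` (its body is not in this diff), the apiserver manifest is never probed and `$apiserverconf` always resolves to the default path. Adding `confs:` with `- /etc/kubernetes/manifests/kube-apiserver.yaml` above the apiserver `defaultconf` would make the entry consistent with its siblings. A short header comment stating that this file is merged over cfg/config.yaml for the 1.8 controls, as `runChecks` does via `viper.MergeInConfig`, would also help, since the copied header only describes the controls-file paths.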
@@ -34,7 +34,7 @@ groups: set: false remediation: | Follow the documentation and configure alternate mechanisms for authentication. Then, - edit the API server pod specification file $apiserverpodspec + edit the API server pod specification file $apiserverconf on the master node and remove the --basic-auth-file= parameter. scored: true @@ -47,7 +47,7 @@ groups: - flag: "--insecure-allow-any-token" set: false remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and remove the --insecure-allow-any-token parameter. scored: true @@ -66,7 +66,7 @@ groups: - flag: "--kubelet-https" set: false remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and remove the --kubelet-https parameter. scored: true @@ -78,7 +78,7 @@ groups: - flag: "--insecure-bind-address" set: false remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and remove the --insecure-bind-address parameter. scored: true @@ -94,7 +94,7 @@ groups: value: 0 set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf apiserver.yaml on the master node and set the below parameter. --insecure-port=0 scored: true @@ -113,7 +113,7 @@ groups: - flag: "--secure-port" set: false remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port. scored: true 
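Review bot: In the `@@ -94` hunk of cfg/1.8/master.yaml the renamed line still reads `Edit the API server pod specification file $apiserverconf apiserver.yaml`, so after substitution the remediation names the file twice; the trailing `apiserver.yaml` looks like a leftover and the line should end at `$apiserverconf`. The `@@ -729` hunk has the same leftover with `controller-manager.yaml` after the variable.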
@@ -129,7 +129,7 @@ groups: value: false set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the below parameter. --profiling=false scored: true @@ -145,7 +145,7 @@ groups: value: false set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the below parameter. --repair-malformed-updates=false scored: true @@ -161,7 +161,7 @@ groups: value: AlwaysAdmit set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to a value that does not include AlwaysAdmit. scored: true @@ -177,7 +177,7 @@ groups: value: "AlwaysPullImages" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to include AlwaysPullImages. --admission-control=...,AlwaysPullImages,... @@ -194,7 +194,7 @@ groups: value: "DenyEscalatingExec" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to a value that includes DenyEscalatingExec. --admission-control=...,DenyEscalatingExec,... @@ -211,7 +211,7 @@ groups: value: "SecurityContextDeny" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to include SecurityContextDeny. --admission-control=...,SecurityContextDeny,... 
@@ -228,7 +228,7 @@ groups: value: "NamespaceLifecycle" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to include NamespaceLifecycle. --admission-control=...,NamespaceLifecycle,... @@ -242,7 +242,7 @@ groups: - flag: "--audit-log-path" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log @@ -259,7 +259,7 @@ groups: value: 30 set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days: --audit-log-maxage=30 @@ -276,7 +276,7 @@ groups: value: 10 set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate value. --audit-log-maxbackup=10 @@ -293,7 +293,7 @@ groups: value: 100 set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB. For example, to set it as 100 MB: --audit-log-maxsize=100 
@@ -310,7 +310,7 @@ groups: value: "AlwaysAllow" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --authorization-mode parameter to values other than AlwaysAllow. One such example could be as below. --authorization-mode=RBAC @@ -325,7 +325,7 @@ groups: set: false remediation: | Follow the documentation and configure alternate mechanisms for authentication. Then, - edit the API server pod specification file $apiserverpodspec + edit the API server pod specification file $apiserverconf on the master node and remove the --token-auth-file= parameter. scored: true @@ -340,7 +340,7 @@ groups: remediation: | Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file - $apiserverpodspec on the master node and set the -- + $apiserverconf on the master node and set the -- kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. --kubelet-certificate-authority= @@ -360,7 +360,7 @@ groups: remediation: | Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file - $apiserverpodspec on the master node and set the + $apiserverconf on the master node and set the kubelet client certificate and key parameters as below. --kubelet-client-certificate= --kubelet-client-key= @@ -377,7 +377,7 @@ groups: value: true set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the below parameter. --service-account-lookup=true scored: true 
@@ -394,7 +394,7 @@ groups: set: true remediation: | Follow the documentation and create Pod Security Policy objects as per your environment. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to a value that includes PodSecurityPolicy : --admission-control=...,PodSecurityPolicy,... @@ -410,7 +410,7 @@ groups: - flag: "--service-account-key-file" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --service-account-key-file parameter to the public key file for service accounts: --service-account-key-file= @@ -430,7 +430,7 @@ groups: remediation: | Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file - $apiserverpodspec on the master node and set the etcd + $apiserverconf on the master node and set the etcd certificate and key file parameters. --etcd-certfile= --etcd-keyfile= @@ -448,7 +448,7 @@ groups: set: true remediation: | Follow the documentation and create ServiceAccount objects as per your environment. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to a value that includes ServiceAccount. --admission-control=...,ServiceAccount,... @@ -467,7 +467,7 @@ groups: set: true remediation: | Follow the Kubernetes documentation and set up the TLS connection on the apiserver. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf on the master node and set the TLS certificate and private key file parameters. --tls-cert-file= 
@@ -483,7 +483,7 @@ groups: set: true remediation: | Follow the Kubernetes documentation and set up the TLS connection on the apiserver. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf on the master node and set the client certificate authority file. --client-ca-file= scored: true @@ -498,7 +498,7 @@ groups: remediation: | Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file - $apiserverpodspec on the master node and set the etcd + $apiserverconf on the master node and set the etcd certificate authority file parameter. --etcd-cafile= scored: true @@ -514,7 +514,7 @@ groups: value: "Node" set: true remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf on the master node and set the --authorization-mode parameter to a value that includes Node. --authorization-mode=Node,RBAC @@ -532,7 +532,7 @@ groups: set: true remediation: | Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf on the master node and set the --admission-control parameter to a value that includes NodeRestriction. --admission-control=...,NodeRestriction,... @@ -548,7 +548,7 @@ groups: set: true remediation: | Follow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit - the API server pod specification file $apiserverpodspec + the API server pod specification file $apiserverconf on the master node and set the --experimental-encryption-provider-config parameter to the path of that file: --experimental-encryption-provider-config= 
@@ -586,7 +586,7 @@ groups: set: true remediation: | Follow the Kubernetes documentation and set the desired limits in a configuration file. - Then, edit the API server pod specification file $apiserverpodspec + Then, edit the API server pod specification file $apiserverconf and set the below parameters. --admission-control=EventRateLimit --admission-control-config-file= @@ -598,7 +598,7 @@ groups: type: "manual" remediation: | Follow the Kubernetes documentation and set the desired audit policy in the - /etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverpodspec + /etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf and set the below parameters. --audit-policy-file=/etc/kubernetes/audit-policy.yaml scored: true @@ -608,7 +608,7 @@ groups: audit: "ps -ef | grep $apiserverbin | grep -v grep" type: "manual" remediation: | - Edit the API server pod specification file $apiserverpodspec + Edit the API server pod specification file $apiserverconf and set the below parameter as appropriate and if needed. For example, --request-timeout=300 scored: true @@ -628,7 +628,7 @@ groups: set: true remediation: | Remediation: - Edit the Scheduler pod specification file $apiserverpodspec + Edit the Scheduler pod specification file $apiserverconf file on the master node and set the below parameter. --profiling=false scored: true @@ -644,7 +644,7 @@ groups: - flag: "--terminated-pod-gc-threshold" set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example: --terminated-pod-gc-threshold=10 scored: true 
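Review bot: The `@@ -628` hunk renames the Scheduler remediation to `$apiserverconf` and the `@@ -644` hunk does the same for the Controller Manager, but those checks concern the scheduler and controller-manager pod specs; this file's 1.4.5 and 1.4.3 checks use `$schedulerconf` and `$controllermanagerconf` for exactly those files, and cfg/1.8/config.yaml defines both. The scheduler line should read `Edit the Scheduler pod specification file $schedulerconf` and the controller-manager lines `Edit the Controller Manager pod specification file $controllermanagerconf`. The same substitution is needed in the `@@ -660`, `@@ -676`, `@@ -689`, `@@ -703` and `@@ -729` hunks of cfg/1.8/master.yaml.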
@@ -660,7 +660,7 @@ groups: value: false set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf on the master node and set the below parameter. --profiling=false scored: true @@ -676,7 +676,7 @@ groups: value: true set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf on the master node to set the below parameter. --use-service-account-credentials=true scored: true @@ -689,7 +689,7 @@ groups: - flag: "--service-account-private-key-file" set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf on the master node and set the --service-account-private- key-file parameter to the private key file for service accounts. --service-account-private-key-file= @@ -703,7 +703,7 @@ groups: - flag: "--root-ca-file" set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf on the master node and set the --root-ca-file parameter to the certificate bundle file. --root-ca-file= @@ -729,7 +729,7 @@ groups: value: true set: true remediation: | - Edit the Controller Manager pod specification file $apiserverpodspec + Edit the Controller Manager pod specification file $apiserverconf controller-manager.yaml on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. --feature-gates=RotateKubeletServerCertificate=true 
@@ -741,7 +741,7 @@ groups: - id: 1.4.1 text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $apiserverpodspec; then stat -c %a $apiserverpodspec; fi'" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" tests: bin_op: or test_items: @@ -763,13 +763,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chmod 644 $apiserverpodspec + chmod 644 $apiserverconf scored: true - id: 1.4.2 text: "Ensure that the API server pod specification file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $apiserverpodspec; then stat -c %U:%G $apiserverpodspec; fi'" + audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'" tests: test_items: - flag: "root:root" @@ -780,13 +780,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chown root:root $apiserverpodspec + chown root:root $apiserverconf scored: true - id: 1.4.3 text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $controllermanagerpodspec; then stat -c %a $controllermanagerpodspec; fi'" + audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'" tests: bin_op: or test_items: 
@@ -808,13 +808,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chmod 644 $controllermanagerpodspec + chmod 644 $controllermanagerconf scored: true - id: 1.4.4 text: "Ensure that the controller manager pod specification file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $controllermanagerpodspec; then stat -c %U:%G $controllermanagerpodspec; fi'" + audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'" tests: test_items: - flag: "root:root" @@ -825,13 +825,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chown root:root $controllermanagerpodspec + chown root:root $controllermanagerconf scored: true - id: 1.4.5 text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $schedulerpodspec; then stat -c %a $schedulerpodspec; fi'" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" tests: bin_op: or test_items: @@ -853,13 +853,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chmod 644 $schedulerpodspec + chmod 644 $schedulerconf scored: true - id: 1.4.6 text: "Ensure that the scheduler pod specification file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $schedulerpodspec; then stat -c %U:%G $schedulerpodspec; fi'" + audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'" tests: test_items: - flag: "root:root" 
@@ -870,13 +870,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chown root:root $schedulerpodspec + chown root:root $schedulerconf scored: true - id: 1.4.7 text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $etcdpodspec; then stat -c %a $etcdpodspec; fi'" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" tests: bin_op: or test_items: @@ -898,13 +898,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chmod 644 $etcdpodspec + chmod 644 $etcdconf scored: true - id: 1.4.8 text: "Ensure that the etcd pod specification file ownership is set to root:root (Scored)" - audit: "/bin/sh -c 'if test -e $etcdpodspec; then stat -c %U:%G $etcdpodspec; fi'" + audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'" tests: test_items: - flag: "root:root" @@ -915,7 +915,7 @@ groups: remediation: | Run the below command (based on the file location on your system) on the master node. For example, - chown root:root $etcdpodspec + chown root:root $etcdconf scored: true - id: 1.4.9 @@ -942,7 +942,7 @@ groups: - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a" + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a tests: test_items: - flag: "700" 
@@ -960,7 +960,7 @@ groups: - id: 1.4.12 text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)" - audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G" + audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G tests: test_items: - flag: "etcd:etcd" @@ -1086,7 +1086,7 @@ groups: set: true remediation: | Follow the etcd service documentation and configure TLS encryption. - Then, edit the etcd pod specification file $etcdpodspec on the + Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameters. --ca-file= --key-file= @@ -1103,7 +1103,7 @@ groups: value: true set: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --client-cert-auth="true" scored: true @@ -1121,7 +1121,7 @@ groups: op: neq value: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false. --auto-tls=false scored: true @@ -1138,7 +1138,7 @@ groups: set: true remediation: | Follow the etcd service documentation and configure peer TLS encryption as appropriate - for your etcd cluster. Then, edit the etcd pod specification file $etcdpodspec on the + for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameters. --peer-client-file= --peer-key-file= @@ -1155,7 +1155,7 @@ groups: value: true set: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --peer-client-cert-auth=true scored: true 
@@ -1174,7 +1174,7 @@ groups: value: false set: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false. --peer-auto-tls=false scored: true @@ -1187,7 +1187,7 @@ groups: - flag: "--wal-dir" set: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --wal-dir= scored: true @@ -1203,7 +1203,7 @@ groups: value: 0 set: true remediation: | - Edit the etcd pod specification file $etcdpodspec on the master + Edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --max-wals=0 scored: true @@ -1218,7 +1218,7 @@ groups: remediation: | Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. - Then, edit the etcd pod specification file $etcdpodspec on the + Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameter. --trusted-ca-file= scored: false diff --git a/cfg/1.8/node.yaml b/cfg/1.8/node.yaml index c8c51f2..e4cd249 100644 --- a/cfg/1.8/node.yaml +++ b/cfg/1.8/node.yaml @@ -19,7 +19,7 @@ groups: value: false set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --allow-privileged=false Based on your system, restart the kubelet service. For example: @@ -38,7 +38,7 @@ groups: value: false set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --anonymous-auth=false Based on your system, restart the kubelet service. For example: 
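Review bot: The cfg/1.8/node.yaml remediations now say `Edit the kubelet service file $kubeletconf`, which is only correct when cfg/1.8/config.yaml has been merged: there `node.kubelet.defaultconf` is the systemd drop-in `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf`, whereas the base cfg/config.yaml (context in its `@@ -100` hunk) sets it to `/etc/kubernetes/kubelet.conf`, a kubeconfig. `runChecks` appears to only log and continue when the version-specific merge fails (`continueWithError`), so a missing or unreadable cfg/1.8/config.yaml would make 2.2.3 and 2.2.4 silently audit the kubeconfig's mode and ownership instead of the service file. Consider making that merge failure fatal for versions that ship a config.yaml, or keeping a distinct variable for the unit file; at minimum a comment in node.yaml noting that `$kubeletconf` is expected to be the systemd drop-in here.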
@@ -57,7 +57,7 @@ groups: value: "AlwaysAllow" set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --authorization-mode=Webhook Based on your system, restart the kubelet service. For example: @@ -73,7 +73,7 @@ groups: - flag: "--client-ca-file" set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. --client-ca-file= Based on your system, restart the kubelet service. For example: @@ -92,7 +92,7 @@ groups: value: 0 set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --read-only-port=0 Based on your system, restart the kubelet service. For example: @@ -111,7 +111,7 @@ groups: value: 0 set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: @@ -130,7 +130,7 @@ groups: value: true set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --protect-kernel-defaults=true Based on your system, restart the kubelet service. For example: 
@@ -150,7 +150,7 @@ groups: value: true set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and remove the --make-iptables-util-chains argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: @@ -169,7 +169,7 @@ groups: value: false set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --keep-terminated-pod-volumes=false Based on your system, restart the kubelet service. For example: @@ -185,7 +185,7 @@ groups: - flag: "--hostname-override" set: false remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and remove the --hostname-override argument from the KUBELET_SYSTEM_PODS_ARGS variable. Based on your system, restart the kubelet service. For example: @@ -204,7 +204,7 @@ groups: value: 0 set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --event-qps=0 Based on your system, restart the kubelet service. For example: @@ -245,7 +245,7 @@ groups: value: 0 set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. --cadvisor-port=0 Based on your system, restart the kubelet service. For example: @@ -264,7 +264,7 @@ groups: value: true set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and remove the --feature- gates=RotateKubeletClientCertificate=false argument from the KUBELET_CERTIFICATE_ARGS variable. 
@@ -284,7 +284,7 @@ groups: value: true set: true remediation: | - Edit the kubelet service file $kubeletunitfile + Edit the kubelet service file $kubeletconf on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable. --feature-gates=RotateKubeletServerCertificate=true Based on your system, restart the kubelet service. For example: @@ -342,7 +342,7 @@ groups: - id: 2.2.3 text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %a $kubeletunitfile; fi'" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" tests: bin_op: or test_items: @@ -364,13 +364,13 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chmod 755 $kubeletunitfile + chmod 755 $kubeletconf scored: true - id: 2.2.4 text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" - audit: "/bin/sh -c 'if test -e $kubeletunitfile; then stat -c %U:%G $kubeletunitfile; fi'" + audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'" tests: test_items: - flag: "root:root" @@ -378,7 +378,7 @@ groups: remediation: | Run the below command (based on the file location on your system) on the each worker node. For example, - chown root:root $kubeletunitfile + chown root:root $kubeletconf scored: true - id: 2.2.5 diff --git a/cfg/config.yaml b/cfg/config.yaml index 8512c75..f25ebc0 100644 --- a/cfg/config.yaml +++ b/cfg/config.yaml @@ -30,10 +30,6 @@ master: - /etc/kubernetes/apiserver defaultconf: /etc/kubernetes/apiserver - podspecs: - - /etc/kubernetes/manifests/kube-apiserver.yaml - defaultpodspec: /etc/kubernetes/manifests/kube-apiserver.yaml - scheduler: bins: - "kube-scheduler" 
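Review bot: In the `@@ -364` hunk the renamed remediation for 2.2.3 still says `chmod 755 $kubeletconf` while the check text and its audit require the file to be 644 or more restrictive, so following the remediation leaves the check failing; the line should be `chmod 644 $kubeletconf`. Separately, the 2.2.4 entry in the same hunk keeps the 2.2.3 title ("permissions are set to 644") although its audit and remediation deal with ownership (`stat -c %U:%G`, `chown root:root`), so its text should describe ownership.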
@@ -44,10 +40,6 @@ master:
 - /etc/kubernetes/scheduler
 defaultconf: /etc/kubernetes/scheduler
 
- podspecs:
- - /etc/kubernetes/manifests/kube-scheduler.yaml
- defaultpodspec: /etc/kubernetes/manifests/kube-scheduler.yaml
-
 controllermanager:
 bins:
 - "kube-controller-manager"
@@ -58,10 +50,6 @@ master:
 - /etc/kubernetes/controller-manager
 defaultconf: /etc/kubernetes/controller-manager
 
- podspecs:
- - /etc/kubernetes/manifests/kube-controller-manager.yaml
- defaultpodspec: /etc/kubernetes/manifests/kube-controller-manager.yaml
-
 etcd:
 optional: true
 bins:
@@ -70,17 +58,12 @@ master: - /etc/etcd/etcd.conf defaultconf: /etc/etcd/etcd.conf - podspecs: - - /etc/kubernetes/manifests/etcd.yaml - defaultpodspec: /etc/kubernetes/manifests/etcd.yaml - flanneld: optional: true bins: - flanneld defaultconf: /etc/sysconfig/flanneld - node: components: - kubelet
@@ -100,10 +83,6 @@ node:
 - /etc/kubernetes/kubelet
 defaultconf: "/etc/kubernetes/kubelet.conf"
 
- unitfiles:
- - /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
- defaultunitfile: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
-
 proxy:
 bins:
 - "kube-proxy"
@@ -130,5 +109,3 @@ federated:
 - "hyperkube federation-controller-manager"
 - "kube-federation-controller-manager"
 - "federation-controller-manager"
-
-
diff --git a/cmd/common.go b/cmd/common.go
index c552f86..bc4dbe2 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -29,6 +29,7 @@ var (
 
 func runChecks(t check.NodeType) {
 var summary check.Summary
+ var nodetype string
 var file string
 var err error
 var typeConf *viper.Viper
@@ -36,49 +37,44 @@ func runChecks(t check.NodeType) {
 switch t {
 case check.MASTER:
 file = masterFile
- typeConf = viper.Sub("master")
- case check.NODE:
- file = nodeFile
- typeConf = viper.Sub("node")
- case check.FEDERATED:
- file = federatedFile
- typeConf = viper.Sub("federated")
- }
-
- // Get the set of exectuables and config files we care about on this type of node. This also
- // checks that the executables we need for the node type are running.
- binmap := getBinaries(typeConf)
- confmap := getConfigFiles(typeConf, "conf")
- podspecmap := getConfigFiles(typeConf, "podspec")
- unitfilemap := getConfigFiles(typeConf, "unitfile")
-
- switch t {
- case check.MASTER:
- file = masterFile
+ nodetype = "master"
 case check.NODE:
 file = nodeFile
+ nodetype = "node"
 case check.FEDERATED:
 file = federatedFile
+ nodetype = "federated"
 }
 
 ver := getKubeVersion()
- glog.V(1).Info(fmt.Sprintf("Running tests for Kubernetes version: %s", ver))
+ path := fmt.Sprintf("%s/%s", cfgDir, ver)
 
- path := fmt.Sprintf("%s/%s/%s", cfgDir, ver, file)
- in, err := ioutil.ReadFile(path)
+ def := fmt.Sprintf("%s/%s", path, file)
+ in, err := ioutil.ReadFile(def)
 if err != nil {
 exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err))
 }
 
+ // Merge kubernetes version specific config if any.
+ viper.SetConfigFile(path + "/config.yaml")
+ err = viper.MergeInConfig()
+ if err != nil {
+ continueWithError(err, fmt.Sprintf("Reading %s specific configuration file", ver))
+ }
+ typeConf = viper.Sub(nodetype)
+
+ // Get the set of exectuables and config files we care about on this type of node. This also
+ // checks that the executables we need for the node type are running.
+ binmap := getBinaries(typeConf)
+ confmap := getConfigFiles(typeConf)
+
 // Variable substitutions. Replace all occurrences of variables in controls files.
 s := string(in)
 s = makeSubstitutions(s, "bin", binmap)
 s = makeSubstitutions(s, "conf", confmap)
- s = makeSubstitutions(s, "podspec", podspecmap)
- s = makeSubstitutions(s, "unitfile", unitfilemap)
 
 glog.V(1).Info(fmt.Sprintf("Using config file: %s\n", viper.ConfigFileUsed()))
- glog.V(1).Info(fmt.Sprintf("Using benchmark file: %s\n", path))
+ glog.V(1).Info(fmt.Sprintf("Using benchmark file: %s\n", def))
 
 controls, err := check.NewControls(t, []byte(s))
 if err != nil {
diff --git a/cmd/util.go b/cmd/util.go
index f2c6b29..66ae5a7 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -119,7 +119,7 @@ func getBinaries(v *viper.Viper) map[string]string {
 // getConfigFiles finds which of the set of candidate config files exist
 // accepts a string 't' which indicates the type of config file, conf,
 // podspec or untifile.
-func getConfigFiles(v *viper.Viper, t string) map[string]string {
+func getConfigFiles(v *viper.Viper) map[string]string {
 confmap := make(map[string]string)
 
 for _, component := range v.GetStringSlice("components") {
@@ -129,14 +129,14 @@ func getConfigFiles(v *viper.Viper, t string) map[string]string {
 }
 
 // See if any of the candidate config files exist
- conf := findConfigFile(s.GetStringSlice(t + "s"))
+ conf := findConfigFile(s.GetStringSlice("confs"))
 if conf == "" {
- if s.IsSet("default" + t) {
- conf = s.GetString("default" + t)
+ if s.IsSet("defaultconf") {
+ conf = s.GetString("defaultconf")
 glog.V(2).Info(fmt.Sprintf("Using default config file name '%s' for component %s", conf, component))
 } else {
 // Default the config file name that we'll substitute to the name of the component
- printlnWarn(fmt.Sprintf("Missing config file for %s", component))
+ glog.V(2).Info(fmt.Sprintf("Missing config file for %s", component))
 conf = component
 }
 } else {
diff --git a/cmd/util_test.go b/cmd/util_test.go
index 1ef5be8..3650ea0 100644
--- a/cmd/util_test.go
+++ b/cmd/util_test.go
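Review bot: The added `viper.MergeInConfig()` call treats an absent version-specific `config.yaml` and a malformed one alike, because `continueWithError` only warns: versions that ship no such file get a spurious warning on every run, while a present but unparsable file lets the benchmark continue with the base paths and audit files that may not be the ones for that version. Checking for the file first and exiting on any other error keeps both cases honest, and `filepath.Join` is the usual way to build `path` and `def` rather than `fmt.Sprintf("%s/%s", ...)`; the rewrite below needs `os` and `path/filepath` imported if the file does not already have them. Two smaller points: the `Running tests for Kubernetes version` log line was dropped with no replacement, and the later `Using config file` log prints `viper.ConfigFileUsed()` after `SetConfigFile`, so it names the version-specific file even when that file was never merged. runChecks continues outside the hunk.
```go
	ver := getKubeVersion()
	path := filepath.Join(cfgDir, ver)

	def := filepath.Join(path, file)
	// … unchanged: ioutil.ReadFile(def) and exitWithError on failure …

	// Merge the version-specific config only when it is present; a file that
	// exists but cannot be read must stop the run, otherwise the substitutions
	// below may point the audits at paths for the wrong version.
	verCfg := filepath.Join(path, "config.yaml")
	if _, statErr := os.Stat(verCfg); statErr == nil {
		viper.SetConfigFile(verCfg)
		if err = viper.MergeInConfig(); err != nil {
			exitWithError(fmt.Errorf("reading %s specific configuration file %s: %v", ver, verCfg, err))
		}
	} else if !os.IsNotExist(statErr) {
		exitWithError(fmt.Errorf("checking %s specific configuration file %s: %v", ver, verCfg, statErr))
	}
	typeConf = viper.Sub(nodetype)
	// … unchanged: getBinaries / getConfigFiles and the substitutions …
```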
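Review bot: The doc comment above the new signature is stale: it still says the function `accepts a string 't' which indicates the type of config file, conf, podspec or untifile`, but that parameter is gone and the function now reads only the `confs` list and the `defaultconf` key. Replace the second and third comment lines with `// for each component listed under "components": it tries the "confs"` and `// candidates and falls back to "defaultconf", else the component name.` (this also drops the "untifile" typo). getConfigFiles continues outside the hunk.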
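Review bot: Lowering the missing-config-file message from `printlnWarn` to `glog.V(2).Info` hides a condition that changes what gets tested: when neither a `confs` candidate nor `defaultconf` resolves, the bare component name is substituted into the audit commands, so the dependent checks run against a path that does not exist and their results are not meaningful. That deserves to stay visible at the default verbosity; if the downgrade is meant to quiet components marked `optional`, gate it on that flag rather than lowering it for everyone, and add `// audits that reference this component will not find a real file` above `conf = component`. The surrounding loop starts and ends outside the hunk.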
@@ -279,7 +279,7 @@ func TestGetConfigFiles(t *testing.T) {
 e = c.statResults
 eIndex = 0
 
- m := getConfigFiles(v, "conf")
+ m := getConfigFiles(v)
 if !reflect.DeepEqual(m, c.exp) {
 t.Fatalf("Got %v\nExpected %v", m, c.exp)
 }
diff --git a/entrypoint.sh b/entrypoint.sh
index 4ccd821..ad28fbf 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
 if [ -d /host ]; then
 mkdir -p /host/cfg/
- yes | cp -rf ./kube-bench/cfg/* /host/cfg/
- yes | cp -rf ./kube-bench/kube-bench /host/
+ yes | cp -rf /cfg/* /host/cfg/
+ yes | cp -rf /kube-bench /host/
 echo "==============================================="
 echo "kube-bench is now installed on your host "
 echo "Run ./kube-bench to perform a security check "
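Review bot: The two new `cp -rf` lines write into `/host/cfg/` and `/host/` without checking their exit status, and the script has no `set -e`, so the `kube-bench is now installed` message is printed even when a copy failed — for example when `/cfg` is empty and the glob `/cfg/*` is passed through literally. Adding `set -e` directly after the shebang, or `|| exit 1` on each `cp`, keeps the success message truthful. The copy also overwrites any operator-edited files already under `/host/cfg/` silently, which is worth a one-line comment if that is intended. The `if` block continues outside the hunk.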