
update files

This commit is contained in:
yoavrotems 2019-04-16 06:01:51 +00:00 committed by GitHub
parent d30786da4a
commit e70f50b2b5
2 changed files with 1830 additions and 1876 deletions



@ -4,21 +4,21 @@ id: 2
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 2.1
- id: 7
text: "Kubelet"
checks:
- id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
- id: 7.1
text: "Use Security Context Constraints to manage privileged containers as needed"
type: "skip"
scored: true
- id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
- id: 7.2
text: "Ensure anonymous-auth is not disabled"
type: "skip"
scored: true
- id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
- id: 7.3
text: "Verify that the --authorization-mode argument is set to WebHook)"
audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
tests:
bin_op: or
@ -35,8 +35,8 @@ groups:
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
scored: true
- id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
- id: 7.4
text: "Verify the OpenShift default for the client-ca-file argument"
audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
tests:
test_items:
@ -51,8 +51,8 @@ groups:
The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
scored: true
- id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
- id: 7.5
text: "Verify the OpenShift default setting for the read-only-port argumen"
audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
tests:
bin_op: or
@ -68,15 +68,15 @@ groups:
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
scored: true
- id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
- id: 7.6
text: "Adjust the streaming-connection-idle-timeout argument"
audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- flag: "streaming-connection-idle-timeout"
set: false
- flag: "0"
- flag: "5m"
set: false
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
@ -87,13 +87,13 @@ groups:
   - "5m"
scored: true
- id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
- id: 7.7
text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
type: "skip"
scored: true
- id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
- id: 7.8
text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
tests:
bin_op: or
@ -110,8 +110,8 @@ groups:
default value of true.
scored: true
id: 2.1.9
text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)"
- id: 7.9
text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
tests:
test_items:
@ -124,13 +124,13 @@ groups:
Reset to the OpenShift defaults
scored: true
- id: 2.1.10
text: "Ensure that the --hostname-override argument is not set (Scored)"
- id: 7.10
text: "Verify the OpenShift defaults for the hostname-override argument"
type: "skip"
scored: true
- id: 2.1.11
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
- id: 7.11
text: "Set the --event-qps argument to 0"
audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
tests:
bin_op: or
@ -147,8 +147,8 @@ groups:
the kubeletArguments section of.
scored: true
- id: 2.1.12
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
- id: 7.12
text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
tests:
test_items:
@ -161,8 +161,8 @@ groups:
Reset to the OpenShift default values.
scored: true
- id: 2.1.13
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
- id: 7.13
text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
tests:
bin_op: or
@ -179,8 +179,8 @@ groups:
if it is set in the kubeletArguments section.
scored: true
- id: 2.1.14
text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)"
- id: 7.14
text: "Verify that the RotateKubeletClientCertificate argument is set to true"
audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
tests:
test_items:
@ -193,8 +193,8 @@ groups:
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
scored: true
- id: 2.1.15
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
- id: 7.15
text: "Verify that the RotateKubeletServerCertificate argument is set to true"
audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
test:
test_items:
@ -208,11 +208,11 @@ groups:
scored: true
- id: 2.2
- id: 8
text: "Configuration Files"
checks:
- id: 2.2.1
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
- id: 8.1
text: "Verify the OpenShift default permissions for the kubelet.conf file"
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
tests:
bin_op: or
@ -237,8 +237,8 @@ groups:
chmod 644 /etc/origin/node/node.kubeconfig
scored: true
- id: 2.2.2
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
- id: 8.2
text: "Verify the kubeconfig file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests:
test_items:
@ -252,8 +252,8 @@ groups:
chown root:root /etc/origin/node/node.kubeconfig
scored: true
- id: 2.2.3
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
- id: 8.3
text: "Verify the kubelet service file permissions of 644"
audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
tests:
bin_op: or
@ -278,8 +278,8 @@ groups:
chmod 644 /etc/systemd/system/atomic-openshift-node.service
scored: true
- id: 2.2.4
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
- id: 8.4
text: "Verify the kubelet service file ownership of root:root"
audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
tests:
test_items:
@ -293,8 +293,8 @@ groups:
chown root:root /etc/systemd/system/atomic-openshift-node.service
scored: true
- id: 2.2.5
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
- id: 8.5
text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
tests:
bin_op: or
@ -319,8 +319,8 @@ groups:
chmod 644 /etc/origin/node/node.kubeconfig
scored: true
- id: 2.2.6
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
- id: 8.6
text: "Verify the proxy kubeconfig file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests:
test_items:
@ -334,8 +334,8 @@ groups:
chown root:root /etc/origin/node/node.kubeconfig
scored: true
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
- id: 8.7
text: "Verify the OpenShift default permissions for the certificate authorities file."
audit: "stat -c %a /etc/origin/node/client-ca.crt"
tests:
bin_op: or
@ -360,8 +360,8 @@ groups:
chmod 644 /etc/origin/node/client-ca.crt
scored: true
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
- id: 8.8
text: "Verify the client certificate authorities file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
tests:
test_items: