
Update ocp 3.11 (#849)

* Add OCP auto-detection

* Add test for openshift

* update and fix bugs

update the file to match the new kube-bench features and fix bugs

* Update file and fix bugs

update the file to match the new kube-bench features and fix bugs

* Remove specific configs

Those configs could be set in main config.yaml

* Update to include openshift files

* fix typos

* fix typo

* Remove trailing spaces

* Update util.go

* Add tests for getOcpValidVersion
Yoav Rotem 2021-03-24 18:06:54 +02:00 committed by GitHub
parent 0cb302761c
commit f2386c0386
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 284 additions and 365 deletions


@ -25,12 +25,15 @@ master:
- "hyperkube apiserver" - "hyperkube apiserver"
- "hyperkube kube-apiserver" - "hyperkube kube-apiserver"
- "apiserver" - "apiserver"
- "openshift start master api"
- "hypershift openshift-kube-apiserver"
confs: confs:
- /etc/kubernetes/manifests/kube-apiserver.yaml - /etc/kubernetes/manifests/kube-apiserver.yaml
- /etc/kubernetes/manifests/kube-apiserver.yml - /etc/kubernetes/manifests/kube-apiserver.yml
- /etc/kubernetes/manifests/kube-apiserver.manifest - /etc/kubernetes/manifests/kube-apiserver.manifest
- /var/snap/kube-apiserver/current/args - /var/snap/kube-apiserver/current/args
- /var/snap/microk8s/current/args/kube-apiserver - /var/snap/microk8s/current/args/kube-apiserver
- /etc/origin/master/master-config.yaml
defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
scheduler: scheduler:
@ -39,12 +42,14 @@ master:
- "hyperkube scheduler" - "hyperkube scheduler"
- "hyperkube kube-scheduler" - "hyperkube kube-scheduler"
- "scheduler" - "scheduler"
- "openshift start master controllers"
confs: confs:
- /etc/kubernetes/manifests/kube-scheduler.yaml - /etc/kubernetes/manifests/kube-scheduler.yaml
- /etc/kubernetes/manifests/kube-scheduler.yml - /etc/kubernetes/manifests/kube-scheduler.yml
- /etc/kubernetes/manifests/kube-scheduler.manifest - /etc/kubernetes/manifests/kube-scheduler.manifest
- /var/snap/kube-scheduler/current/args - /var/snap/kube-scheduler/current/args
- /var/snap/microk8s/current/args/kube-scheduler - /var/snap/microk8s/current/args/kube-scheduler
- /etc/origin/master/scheduler.json
defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
kubeconfig: kubeconfig:
- /etc/kubernetes/scheduler.conf - /etc/kubernetes/scheduler.conf
@ -57,6 +62,8 @@ master:
- "hyperkube controller-manager" - "hyperkube controller-manager"
- "hyperkube kube-controller-manager" - "hyperkube kube-controller-manager"
- "controller-manager" - "controller-manager"
- "openshift start master controllers"
- "hypershift openshift-controller-manager"
confs: confs:
- /etc/kubernetes/manifests/kube-controller-manager.yaml - /etc/kubernetes/manifests/kube-controller-manager.yaml
- /etc/kubernetes/manifests/kube-controller-manager.yml - /etc/kubernetes/manifests/kube-controller-manager.yml
@ -72,6 +79,7 @@ master:
optional: true optional: true
bins: bins:
- "etcd" - "etcd"
- "openshift start etcd"
confs: confs:
- /etc/kubernetes/manifests/etcd.yaml - /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.yml - /etc/kubernetes/manifests/etcd.yml
@ -81,7 +89,6 @@ master:
- /var/snap/etcd/common/etcd.conf.yaml - /var/snap/etcd/common/etcd.conf.yaml
- /var/snap/microk8s/current/args/etcd - /var/snap/microk8s/current/args/etcd
- /usr/lib/systemd/system/etcd.service - /usr/lib/systemd/system/etcd.service
- /etc/kubernetes/manifests
defaultconf: /etc/kubernetes/manifests/etcd.yaml defaultconf: /etc/kubernetes/manifests/etcd.yaml
flanneld: flanneld:
@ -114,6 +121,8 @@ node:
- "/lib/systemd/system/kubelet.service" - "/lib/systemd/system/kubelet.service"
- "/etc/systemd/system/snap.kubelet.daemon.service" - "/etc/systemd/system/snap.kubelet.daemon.service"
- "/etc/systemd/system/snap.microk8s.daemon-kubelet.service" - "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
- "/etc/systemd/system/atomic-openshift-node.service"
- "/etc/systemd/system/origin-node.service"
bins: bins:
- "hyperkube kubelet" - "hyperkube kubelet"
- "kubelet" - "kubelet"
@ -121,13 +130,11 @@ node:
- "/etc/kubernetes/kubelet.conf" - "/etc/kubernetes/kubelet.conf"
- "/var/lib/kubelet/kubeconfig" - "/var/lib/kubelet/kubeconfig"
- "/etc/kubernetes/kubelet-kubeconfig" - "/etc/kubernetes/kubelet-kubeconfig"
- "/etc/kubernetes/kubelet/kubeconfig"
- "/var/snap/microk8s/current/credentials/kubelet.config" - "/var/snap/microk8s/current/credentials/kubelet.config"
confs: confs:
- "/var/lib/kubelet/config.yaml" - "/var/lib/kubelet/config.yaml"
- "/var/lib/kubelet/config.yml" - "/var/lib/kubelet/config.yml"
- "/etc/kubernetes/kubelet/kubelet-config.json" - "/etc/kubernetes/kubelet/kubelet-config.json"
- "/etc/kubernetes/kubelet/config"
- "/home/kubernetes/kubelet-config.yaml" - "/home/kubernetes/kubelet-config.yaml"
- "/home/kubernetes/kubelet-config.yml" - "/home/kubernetes/kubelet-config.yml"
- "/etc/default/kubelet" - "/etc/default/kubelet"
@ -156,16 +163,15 @@ node:
- "hyperkube proxy" - "hyperkube proxy"
- "hyperkube kube-proxy" - "hyperkube kube-proxy"
- "proxy" - "proxy"
- "openshift start network"
confs: confs:
- /etc/kubernetes/proxy - /etc/kubernetes/proxy
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
- /etc/kubernetes/addons/kube-proxy-daemonset.yml - /etc/kubernetes/addons/kube-proxy-daemonset.yml
- /var/snap/kube-proxy/current/args - /var/snap/kube-proxy/current/args
- /var/snap/microk8s/current/args/kube-proxy - /var/snap/microk8s/current/args/kube-proxy
- /var/lib/kube-proxy/config.conf
kubeconfig: kubeconfig:
- "/etc/kubernetes/kubelet-kubeconfig" - "/etc/kubernetes/kubelet-kubeconfig"
- "/etc/kubernetes/kubelet/config"
- "/var/lib/kubelet/kubeconfig" - "/var/lib/kubelet/kubeconfig"
- "/var/snap/microk8s/current/credentials/proxy.config" - "/var/snap/microk8s/current/credentials/proxy.config"
svc: svc:
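Review bot: The hunks at `@ -81,7 +89,6` and `@ -121,13 +130,11` drop candidate paths from the generic config (`/etc/kubernetes/manifests` under the etcd `confs:`, `/etc/kubernetes/kubelet/config` under the kubelet `kubeconfig:` and `confs:` lists), and the proxy hunk appears to drop `/var/lib/kube-proxy/config.conf` and `/etc/kubernetes/kubelet/config` as well, yet the commit message only describes adding OpenShift detection. On a host that keeps its kubelet or proxy configuration at one of those paths, kube-bench will no longer locate the file and the affected checks presumably fall back to `defaultconf`, which may not exist there, so they report a missing file instead of auditing the real settings. If these entries were known to be dead, a sentence in the commit message saying so would keep the removal reviewable; otherwise they should stay, e.g. `- "/etc/kubernetes/kubelet/config"` under the kubelet `confs:`.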


@ -1,32 +1,2 @@
--- ---
## Version-specific settings that override the values in cfg/config.yaml ## Version-specific settings that override the values in cfg/config.yaml
master:
apiserver:
bins:
- openshift start master api
- hypershift openshift-kube-apiserver
scheduler:
bins:
- "openshift start master controllers"
- "hyperkube kube-scheduler"
confs:
- /etc/origin/master/scheduler.json
controllermanager:
bins:
- "openshift start master controllers"
- "hypershift openshift-controller-manager"
etcd:
bins:
- openshift start etcd
node:
svcs:
- /etc/systemd/system/atomic-openshift-node.service
- /etc/systemd/system/origin-node.service
proxy:
bins:
- openshift start network


@ -16,13 +16,10 @@ groups:
- id: 1.2 - id: 1.2
text: "Verify that the basic-auth-file method is not enabled" text: "Verify that the basic-auth-file method is not enabled"
audit: "grep -A2 basic-auth-file /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "--basic-auth-file" - path: "{.kubernetesMasterConfig.apiServerArguments.basic-auth-file}"
compare:
op: eq
value: ""
set: false set: false
remediation: | remediation: |
Edit the kubernetes master config file /etc/origin/master/master-config.yaml and Edit the kubernetes master config file /etc/origin/master/master-config.yaml and
@ -41,35 +38,27 @@ groups:
- id: 1.4 - id: 1.4
text: "Secure communications between the API server and master nodes" text: "Secure communications between the API server and master nodes"
audit: "grep -A4 kubeletClientInfo /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "kubeletClientInfo:" - path: "{.kubeletClientInfo.ca}"
compare:
op: eq
value: "kubeletClientInfo:"
set: true
- flag: "ca"
compare: compare:
op: has op: has
value: "ca-bundle.crt" value: "ca-bundle.crt"
set: true - path: "{.kubeletClientInfo.certFile}"
- flag: "certFile"
compare: compare:
op: has op: has
value: "master.kubelet-client.crt" value: "master.kubelet-client.crt"
set: true - path: "{.kubeletClientInfo.keyFile}"
- flag: "keyFile"
compare: compare:
op: has op: has
value: "master.kubelet-client.key" value: "master.kubelet-client.key"
set: true set: true
- flag: "port: 10250" - path: "{.kubeletClientInfo.port}"
compare: compare:
op: eq op: eq
value: "port: 10250" value: "10250"
set: true
remediation: | remediation: |
Edit the kubernetes master config file /etc/origin/master/master-config.yaml Edit the kubernetes master config file /etc/origin/master/master-config.yaml
and change it to match the below. and change it to match the below.
@ -83,10 +72,10 @@ groups:
- id: 1.5 - id: 1.5
text: "Prevent insecure bindings" text: "Prevent insecure bindings"
audit: "grep -A2 insecure-bind-address /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "insecure-bind-address" - path: "{.kubernetesMasterConfig.insecure-bind-address}"
set: false set: false
remediation: | remediation: |
Edit the kubernetes master config file /etc/origin/master/master-config.yaml Edit the kubernetes master config file /etc/origin/master/master-config.yaml
@ -100,10 +89,10 @@ groups:
- id: 1.6 - id: 1.6
text: "Prevent insecure port access" text: "Prevent insecure port access"
audit: "grep -A2 insecure-port /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "insecure-port" - path: "{.kubernetesMasterConfig.apiServerArguments.insecure-port}"
set: false set: false
remediation: | remediation: |
Edit the kubernetes master config file /etc/origin/master/master-config.yaml Edit the kubernetes master config file /etc/origin/master/master-config.yaml
@ -117,17 +106,16 @@ groups:
- id: 1.7 - id: 1.7
text: "Use Secure Ports for API Server Traffic" text: "Use Secure Ports for API Server Traffic"
audit: "grep -A2 secure-port /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "secure-port" - path: "{.kubernetesMasterConfig.apiServerArguments.secure-port}"
set: false set: false
- flag: "secure-port" - path: "{.kubernetesMasterConfig.apiServerArguments.secure-port}"
compare: compare:
op: nothave op: noteq
value: "0" value: "0"
set: true
remediation: | remediation: |
Edit the kubernetes master config file /etc/origin/master/master-config.yaml Edit the kubernetes master config file /etc/origin/master/master-config.yaml
and either remove the secure-port parameter or set it to a different (non-zero) and either remove the secure-port parameter or set it to a different (non-zero)
@ -146,17 +134,16 @@ groups:
- id: 1.9 - id: 1.9
text: "Verify repair-malformed-updates argument for API compatibility" text: "Verify repair-malformed-updates argument for API compatibility"
audit: "grep -A2 repair-malformed-updates /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "repair-malformed-updates" - path: "{.repair-malformed-updates}"
set: false set: false
- flag: "repair-malformed-updates" - path: "{.repair-malformed-updates}"
compare: compare:
op: has op: eq
value: "true" value: "true"
set: true
remediation: | remediation: |
Edit the kubernetes master config file /etc/origin/master/master-config.yaml Edit the kubernetes master config file /etc/origin/master/master-config.yaml
and remove the repair-malformed-updates entry or set repair-malformed-updates=true. and remove the repair-malformed-updates entry or set repair-malformed-updates=true.
@ -164,10 +151,10 @@ groups:
- id: 1.10 - id: 1.10
text: "Verify that the AlwaysAdmit admission controller is disabled" text: "Verify that the AlwaysAdmit admission controller is disabled"
audit: "grep -A4 AlwaysAdmit /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "AlwaysAdmit" - path: "{.AlwaysAdmit}"
set: false set: false
remediation: | remediation: |
Edit the kubernetes master config file /etc/origin/master/master-config.yaml Edit the kubernetes master config file /etc/origin/master/master-config.yaml
@ -182,14 +169,13 @@ groups:
- id: 1.11 - id: 1.11
text: "Manage the AlwaysPullImages admission controller" text: "Manage the AlwaysPullImages admission controller"
audit: "grep -A4 AlwaysPullImages /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "disable" - path: "{.admissionConfig.pluginConfig.configuration.disable}"
compare: compare:
op: has op: eq
value: "false" value: "false"
set: true
remediation: | remediation: |
Edit the kubernetes master config file /etc/origin/master/master-config.yaml Edit the kubernetes master config file /etc/origin/master/master-config.yaml
and add the entry below. and add the entry below.
@ -215,10 +201,10 @@ groups:
- id: 1.14 - id: 1.14
text: "Manage the NamespaceLifecycle admission controller" text: "Manage the NamespaceLifecycle admission controller"
audit: "grep -A4 NamespaceLifecycle /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "NamespaceLifecycle" - path: "{.NamespaceLifecycle}"
set: false set: false
remediation: | remediation: |
Edit the kubernetes master config file /etc/origin/master/master-config.yaml Edit the kubernetes master config file /etc/origin/master/master-config.yaml
@ -233,14 +219,13 @@ groups:
- id: 1.15 - id: 1.15
text: "Configure API server auditing - audit log file path" text: "Configure API server auditing - audit log file path"
audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "enabled" - path: "{.auditConfig.enabled}"
compare: compare:
op: has op: eq
value: "true" value: "true"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the following entry and restart the API server. Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the following entry and restart the API server.
@ -257,14 +242,13 @@ groups:
- id: 1.16 - id: 1.16
text: "Configure API server auditing - audit log retention" text: "Configure API server auditing - audit log retention"
audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "maximumFileRetentionDays: 30" - path: "{.auditConfig.maximumFileRetentionDays}"
compare: compare:
op: has op: gte
value: "maximumFileRetentionDays" value: 30
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml, Edit the Openshift master config file /etc/origin/master/master-config.yaml,
update the maximumFileRetentionDays entry and restart the API server. update the maximumFileRetentionDays entry and restart the API server.
@ -282,14 +266,13 @@ groups:
- id: 1.17 - id: 1.17
text: "Configure API server auditing - audit log backup retention" text: "Configure API server auditing - audit log backup retention"
audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "maximumRetainedFiles: 10" - path: "{.auditConfig.maximumRetainedFiles}"
compare: compare:
op: has op: eq
value: "maximumRetainedFiles" value: "10"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumRetainedFiles entry, Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumRetainedFiles entry,
set enabled to true and restart the API server. set enabled to true and restart the API server.
@ -307,14 +290,13 @@ groups:
- id: 1.18 - id: 1.18
text: "Configure audit log file size" text: "Configure audit log file size"
audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "maximumFileSizeMegabytes: 30" - path: "{.auditConfig.maximumFileSizeMegabytes}"
compare: compare:
op: has op: eq
value: "maximumFileSizeMegabytes" value: "30"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumFileSizeMegabytes entry, Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumFileSizeMegabytes entry,
set enabled to true and restart the API server. set enabled to true and restart the API server.
@ -332,10 +314,10 @@ groups:
- id: 1.19 - id: 1.19
text: "Verify that authorization-mode is not set to AlwaysAllow" text: "Verify that authorization-mode is not set to AlwaysAllow"
audit: "grep -A1 authorization-mode /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "authorization-mode" - path: "{.kubernetesMasterConfig.apiServerArguments.authorization-mode}"
set: false set: false
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the authorization-mode Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the authorization-mode
@ -349,10 +331,10 @@ groups:
- id: 1.20 - id: 1.20
text: "Verify that the token-auth-file flag is not set" text: "Verify that the token-auth-file flag is not set"
audit: "grep token-auth-file /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "token-auth-file" - path: "{.kubernetesMasterConfig.apiServerArguments.token-auth-file}"
set: false set: false
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the token-auth-file Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the token-auth-file
@ -366,10 +348,10 @@ groups:
- id: 1.21 - id: 1.21
text: "Verify the API server certificate authority" text: "Verify the API server certificate authority"
audit: "grep -A1 kubelet-certificate-authority /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "kubelet-certificate-authority" - path: "{.kubernetesMasterConfig.apiServerArguments.kubelet-certificat-authority}"
set: false set: false
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the following Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the following
@ -383,20 +365,18 @@ groups:
- id: 1.22 - id: 1.22
text: "Verify the API server client certificate and client key" text: "Verify the API server client certificate and client key"
audit: "grep -A4 kubeletClientInfo /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "keyFile" - path: "{.kubeletClientInfo. keyFile}"
compare: compare:
op: has op: eq
value: "master.kubelet-client.key" value: "master.kubelet-client.key"
set: true - path: "{.kubeletClientInfo.certFile}"
- flag: "certFile"
compare: compare:
op: has op: eq
value: "master.kubelet-client.crt" value: "master.kubelet-client.crt"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following
configuration under kubeletClientInfo configuration under kubeletClientInfo
@ -420,20 +400,18 @@ groups:
- id: 1.25 - id: 1.25
text: "Verify that the service account key file argument is not set" text: "Verify that the service account key file argument is not set"
audit: "grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "privateKeyFile" - path: "{.serviceAccountConfig.privateKeyFile}"
compare: compare:
op: has op: eq
value: "serviceaccounts.private.key" value: "serviceaccounts.private.key"
set: true - path: "{.serviceAccountConfig. publicKeyFiles}"
- flag: "serviceaccounts.public.key"
compare: compare:
op: has op: eq
value: "serviceaccounts.public.key" value: "serviceaccounts.public.key"
set: true
remediation: | remediation: |
OpenShift API server does not use the service-account-key-file argument. OpenShift API server does not use the service-account-key-file argument.
Even if value is set in master-config.yaml, it will not be used to verify Even if value is set in master-config.yaml, it will not be used to verify
@ -460,20 +438,18 @@ groups:
- id: 1.26 - id: 1.26
text: "Verify the certificate and key used for communication with etcd" text: "Verify the certificate and key used for communication with etcd"
audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "certFile" - path: "{.etcdClientInfo.certFile}"
compare: compare:
op: has op: eq
value: "master.etcd-client.crt" value: "master.etcd-client.crt"
set: true - path: "{.etcdClientInfo.keyFile}"
- flag: "keyFile"
compare: compare:
op: has op: eq
value: "master.etcd-client.key" value: "master.etcd-client.key"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile
under etcdClientInfo like below. under etcdClientInfo like below.
@ -486,17 +462,16 @@ groups:
- id: 1.27 - id: 1.27
text: "Verify that the ServiceAccount admission controller is enabled" text: "Verify that the ServiceAccount admission controller is enabled"
audit: "grep -A4 ServiceAccount /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "ServiceAccount" - path: "{.ServiceAccount.configuration.disable}"
set: false set: false
- flag: "disable" - path: "{.ServiceAccount.configuration.disable}"
compare: compare:
op: has op: eq
value: "false" value: "false"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount
admission control policy. admission control policy.
@ -510,20 +485,18 @@ groups:
- id: 1.28 - id: 1.28
text: "Verify the certificate and key used to encrypt API server traffic" text: "Verify the certificate and key used to encrypt API server traffic"
audit: "grep -A7 servingInfo /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "certFile" - path: "{.servingInfo.certFile}"
compare: compare:
op: has op: eq
value: "master.server.crt" value: "master.server.crt"
set: true - path: "{.servingInfo.keyFile}"
- flag: "keyFile"
compare: compare:
op: has op: eq
value: "master.server.key" value: "master.server.key"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo. Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo.
@ -539,10 +512,10 @@ groups:
- id: 1.29 - id: 1.29
text: "Verify that the --client-ca-file argument is not set" text: "Verify that the --client-ca-file argument is not set"
audit: "grep client-ca-file /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "clientCA: ca.crt" - path: "{.servingInfo.clientCA}"
set: false set: false
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set clientCA under servingInfo. Edit the Openshift master config file /etc/origin/master/master-config.yaml and set clientCA under servingInfo.
@ -559,14 +532,13 @@ groups:
- id: 1.30 - id: 1.30
text: "Verify the CA used for communication with etcd" text: "Verify the CA used for communication with etcd"
audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "ca" - path: "{.etcdClientInfo.ca}"
compare: compare:
op: has op: eq
value: "master.etcd-ca.crt" value: "master.etcd-ca.crt"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo. Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo.
@ -583,17 +555,16 @@ groups:
- id: 1.32 - id: 1.32
text: "Verify that the NodeRestriction admission controller is enabled" text: "Verify that the NodeRestriction admission controller is enabled"
audit: "grep -A4 NodeRestriction /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "NodeRestriction" - path: "{.NodeRestriction.configuration.disable}"
set: false set: false
- flag: "disable" - path: "{.NodeRestriction.configuration.disable}"
compare: compare:
op: has op: eq
value: "false" value: "false"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable NodeRestriction ca under etcdClientInfo. Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable NodeRestriction ca under etcdClientInfo.
@ -606,14 +577,10 @@ groups:
- id: 1.33 - id: 1.33
text: "Configure encryption of data at rest in etcd datastore" text: "Configure encryption of data at rest in etcd datastore"
audit: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "experimental-encryption-provider-config:" - path: "{.kubernetesMasterConfig.apiServerArguments.experimental-encryption-provider-config}"
compare:
op: has
value: "experimental-encryption-provider-config:"
set: true
remediation: | remediation: |
Follow the instructions in the documentation to configure encryption. Follow the instructions in the documentation to configure encryption.
https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html
@ -621,14 +588,14 @@ groups:
- id: 1.34 - id: 1.34
text: "Set the encryption provider to aescbc for etcd data at rest" text: "Set the encryption provider to aescbc for etcd data at rest"
audit: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs grep -A1 providers"
audit_config: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs cat"
tests: tests:
test_items: test_items:
- flag: "aescbc:" - path: "{.providers.aescbc.experimental-encryption-provider-config}"
compare: compare:
op: has op: has
value: "aescbc:" value: "aescbc"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config. Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config.
See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html. See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html.
@ -636,14 +603,13 @@ groups:
- id: 1.35 - id: 1.35
text: "Enable the EventRateLimit plugin" text: "Enable the EventRateLimit plugin"
audit: "grep -A4 EventRateLimit /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "disable" - path: "{.admissionConfig.pluginConfig.AlwaysPullImages.configuration.disable}"
compare: compare:
op: has op: eq
value: "false" value: "false"
set: true
remediation: | remediation: |
Follow the documentation to enable the EventRateLimit plugin. Follow the documentation to enable the EventRateLimit plugin.
https://docs.openshift.com/container-platform/3.10/architecture/additional_concepts/admission_controllers.html#admission-controllers-general-admission-rules https://docs.openshift.com/container-platform/3.10/architecture/additional_concepts/admission_controllers.html#admission-controllers-general-admission-rules
@ -651,16 +617,15 @@ groups:
- id: 1.36 - id: 1.36
text: "Configure advanced auditing" text: "Configure advanced auditing"
audit: "grep AdvancedAuditing /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "AdvancedAuditing" - path: "{.kubernetesMasterConfig.apiServerArguments.feature-gates.AdvancedAuditing}"
compare: compare:
op: eq op: eq
value: "true" value: "true"
set: true - path: "{.kubernetesMasterConfig.apiServerArguments.feature-gates.AdvancedAuditing}"
- flag: "AdvancedAuditing"
set: false set: false
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable AdvancedAuditing, Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable AdvancedAuditing,
@ -696,14 +661,13 @@ groups:
checks: checks:
- id: 3.1 - id: 3.1
text: "Adjust the terminated-pod-gc-threshold argument as needed" text: "Adjust the terminated-pod-gc-threshold argument as needed"
audit: "grep terminated-pod-gc-threshold -A1 /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "terminated-pod-gc-threshold:" - path: "{.kubernetesMasterConfig.controllerArguments.terminated-pod-gc-threshold}"
compare: compare:
op: has op: eq
value: "12500" value: "12500"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable terminated-pod-gc-threshold. Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable terminated-pod-gc-threshold.
@ -722,17 +686,16 @@ groups:
- id: 3.3 - id: 3.3
text: "Verify that the --use-service-account-credentials argument is set to true" text: "Verify that the --use-service-account-credentials argument is set to true"
audit: "grep -A2 use-service-account-credentials /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "use-service-account-credentials" - path: "{.kubernetesMasterConfig.controllerArguments.use-service-account-credentials}"
set: false set: false
- flag: "true" - path: "{.kubernetesMasterConfig.controllerArguments.use-service-account-credentials}"
compare: compare:
op: has op: eq
value: "true" value: "true"
set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set use-service-account-credentials Edit the Openshift master config file /etc/origin/master/master-config.yaml and set use-service-account-credentials
to true under controllerArguments section. to true under controllerArguments section.
@ -743,45 +706,45 @@ groups:
    - true     - true
scored: true scored: true
# Review 3.4
- id: 3.4 - id: 3.4
text: "Verify that the --service-account-private-key-file argument is set as appropriate" text: "Verify that the --service-account-private-key-file argument is set as appropriate"
audit: | audit: |
grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml | grep privateKeyFile; grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml | grep privateKeyFile;
grep -A2 service-account-private-key-file /etc/origin/master/master-config.yaml grep -A2 service-account-private-key-file /etc/origin/master/master-config.yaml
audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "privateKeyFile: serviceaccounts.private.key" - flag: "privateKeyFile: serviceaccounts.private.key"
path: "{.serviceAccountConfig.privateKeyFile}"
compare: compare:
op: has op: eq
value: "privateKeyFile" value: "serviceaccounts.private.key"
- flag: "service-account-private-key-file" - flag: "service-account-private-key-file"
set: false set: false
remediation: remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove service-account-private-key-file Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove service-account-private-key-file
scored: true scored: true
# Review 3.5
- id: 3.5 - id: 3.5
text: "Verify that the --root-ca-file argument is set as appropriate" text: "Verify that the --root-ca-file argument is set as appropriate"
audit: "/bin/sh -c 'grep root-ca-file /etc/origin/master/master-config.yaml; grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml'" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "root-ca-file=/etc/origin/master/ca-bundle.crt" - path: "{.serviceAccountConfig.root-ca-file}"
compare: compare:
op: has op: eq
value: "/etc/origin/master/ca-bundle.crt" value: "/etc/origin/master/ca-bundle.crt"
set: true - path: "{.serviceAccountConfig.masterCA}"
- flag: "masterCA"
compare: compare:
op: has op: eq
value: "ca-bundle.crt" value: "ca-bundle.crt"
set: true remediation: |
remediation:
Reset to OpenShift defaults OpenShift starts kube-controller-manager with Reset to OpenShift defaults OpenShift starts kube-controller-manager with
root-ca-file=/etc/origin/master/ca-bundle.crt by default.  OpenShift Advanced root-ca-file=/etc/origin/master/ca-bundle.crt by default. OpenShift Advanced
Installation creates this certificate authority and configuration without any Installation creates this certificate authority and configuration without any
configuration required. configuration required.
@ -795,15 +758,14 @@ groups:
- id: 3.7 - id: 3.7
text: "Manage certificate rotation" text: "Manage certificate rotation"
audit: "grep -B3 RotateKubeletServerCertificate=true /etc/origin/master/master-config.yaml" audit_config: "cat /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletServerCertificate" - path: "{.kubeletArguments.feature-gates.RotateKubeletServerCertificate}"
compare: compare:
op: eq op: eq
value: "true" value: "true"
set: true remediation: |
remediation:
If you decide not to enable the RotateKubeletServerCertificate feature, If you decide not to enable the RotateKubeletServerCertificate feature,
be sure to use the Ansible playbooks provided with the OpenShift installer to be sure to use the Ansible playbooks provided with the OpenShift installer to
automate re-deploying certificates. automate re-deploying certificates.
@ -822,7 +784,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "600" value: "600"
set: true
remediation: | remediation: |
Run the below command. Run the below command.
@ -835,10 +796,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare:
op: eq
value: "root:root"
set: true
remediation: | remediation: |
Run the below command on the master node. Run the below command on the master node.
@ -854,7 +811,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "600" value: "600"
set: true
remediation: | remediation: |
Run the below command on the master node. Run the below command on the master node.
@ -867,10 +823,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare:
op: eq
value: "root:root"
set: true
remediation: | remediation: |
Run the below command on the master node. Run the below command on the master node.
@ -886,7 +838,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "600" value: "600"
set: true
remediation: | remediation: |
Run the below command. Run the below command.
@ -899,10 +850,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare:
op: eq
value: "root:root"
set: true
remediation: | remediation: |
Run the below command on the master node. Run the below command on the master node.
@ -918,7 +865,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "600" value: "600"
set: true
remediation: | remediation: |
Run the below command. Run the below command.
@ -931,10 +877,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare:
op: eq
value: "root:root"
set: true
remediation: | remediation: |
Run the below command on the master node. Run the below command on the master node.
@ -944,13 +886,13 @@ groups:
- id: 4.9 - id: 4.9
text: "Verify the default OpenShift Container Network Interface file permissions" text: "Verify the default OpenShift Container Network Interface file permissions"
audit: "stat -c permissions=%a /etc/origin/openvswitch/ /etc/cni/net.d/" audit: "stat -c permissions=%a /etc/origin/openvswitch/ /etc/cni/net.d/"
use_multiple_values: true
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
set: true
remediation: | remediation: |
Run the below command. Run the below command.
@ -960,13 +902,10 @@ groups:
- id: 4.10 - id: 4.10
text: "Verify the default OpenShift Container Network Interface file ownership" text: "Verify the default OpenShift Container Network Interface file ownership"
audit: "stat -c %U:%G /etc/origin/openvswitch/ /etc/cni/net.d/" audit: "stat -c %U:%G /etc/origin/openvswitch/ /etc/cni/net.d/"
use_multiple_values: true
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare:
op: eq
value: "root:root"
set: true
remediation: | remediation: |
Run the below command on the master node. Run the below command on the master node.
@ -982,7 +921,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "700" value: "700"
set: true
remediation: | remediation: |
On the etcd server node, get the etcd data directory, passed as an argument --data-dir , On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command: from the below command:
@ -997,10 +935,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: "etcd:etcd" - flag: "etcd:etcd"
compare:
op: eq
value: "etcd:etcd"
set: true
remediation: | remediation: |
Run the below command on the master node. Run the below command on the master node.
@ -1016,7 +950,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
set: true
remediation: | remediation: |
Run the below command. Run the below command.
@ -1029,10 +962,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare:
op: eq
value: "root:root"
set: true
remediation: | remediation: |
Run the below command on the master node. Run the below command on the master node.
@ -1048,7 +977,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
set: true
remediation: | remediation: |
Run the below command. Run the below command.
@ -1061,10 +989,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare:
op: eq
value: "root:root"
set: true
remediation: | remediation: |
Run the below command on the master node. Run the below command on the master node.
@ -1080,7 +1004,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
set: true
remediation: | remediation: |
Run the below command. Run the below command.
@ -1114,40 +1037,29 @@ groups:
bin_op: and bin_op: and
test_items: test_items:
- flag: "Binary file /proc/1/environ matches" - flag: "Binary file /proc/1/environ matches"
- flag: "ETCD_CERT_FILE"
compare: compare:
op: has op: eq
value: "Binary file /proc/1/environ matches" value: "/etc/etcd/server.crt"
set: true - flag: "ETCD_KEY_FILE"
- flag: "ETCD_CERT_FILE=/etc/etcd/server.crt"
compare: compare:
op: has op: eq
value: "ETCD_CERT_FILE=/etc/etcd/server.crt" value: "/etc/etcd/server.key"
set: true
- flag: "ETCD_KEY_FILE=/etc/etcd/server.key"
compare:
op: has
value: "ETCD_KEY_FILE=/etc/etcd/server.key"
set: true
remediation: | remediation: |
Reset to the OpenShift default configuration. Reset to the OpenShift default configuration.
scored: true scored: true
- id: 5.2 - id: 5.2
text: "Verify the default OpenShift setting for the client-cert-auth argument" text: "Verify the default OpenShift setting for the client-cert-auth argument"
audit: "/bin/sh -c'/usr/local/bin/master-exec etcd etcd grep ETCD_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'" audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "Binary file /proc/1/environ matches" - flag: "Binary file /proc/1/environ matches"
- flag: "ETCD_CLIENT_CERT_AUTH"
compare: compare:
op: has op: eq
value: "Binary file /proc/1/environ matches" value: "true"
set: true
- flag: "ETCD_CLIENT_CERT_AUTH=true"
compare:
op: has
value: "ETCD_CLIENT_CERT_AUTH=true"
set: true
remediation: | remediation: |
Reset to the OpenShift default configuration. Reset to the OpenShift default configuration.
scored: true scored: true
@ -1158,41 +1070,29 @@ groups:
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "ETCD_AUTO_TLS=false" - flag: "ETCD_AUTO_TLS"
compare: compare:
op: has op: eq
value: "ETCD_AUTO_TLS=false" value: "false"
set: true
- flag: "#ETCD_AUTO_TLS"
compare:
op: has
value: "#ETCD_AUTO_TLS"
set: true
remediation: | remediation: |
Reset to the OpenShift default configuration. Reset to the OpenShift default configuration.
scored: true scored: true
- id: 5.4 - id: 5.4
text: "Verify the OpenShift default peer-cert-file and peer-key-file arguments for etcd" text: "Verify the OpenShift default peer-cert-file and peer-key-file arguments for etcd"
audit: "/bin/sh -c'/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep ETCD_PEER_KEY_FILE=/etc/etcd/peer.key /proc/1/environ; grep ETCD_PEER_CERT_FILE /etc/etcd/etcd.conf; grep ETCD_PEER_KEY_FILE /etc/etcd/etcd.conf'" audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep ETCD_PEER_KEY_FILE=/etc/etcd/peer.key /proc/1/environ; grep ETCD_PEER_CERT_FILE /etc/etcd/etcd.conf; grep ETCD_PEER_KEY_FILE /etc/etcd/etcd.conf'"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "Binary file /proc/1/environ matches" - flag: "Binary file /proc/1/environ matches"
- flag: "ETCD_PEER_CERT_FILE"
compare: compare:
op: has op: eq
value: "Binary file /proc/1/environ matches" value: "/etc/etcd/peer.crt"
set: true - flag: "ETCD_PEER_KEY_FILE"
- flag: "ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt"
compare: compare:
op: has op: eq
value: "ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt" value: "/etc/etcd/peer.key"
set: true
- flag: "ETCD_PEER_KEY_FILE=/etc/etcd/peer.key"
compare:
op: has
value: "ETCD_PEER_KEY_FILE=/etc/etcd/peer.key"
set: true
remediation: | remediation: |
Reset to the OpenShift default configuration. Reset to the OpenShift default configuration.
scored: true scored: true
@ -1204,15 +1104,10 @@ groups:
bin_op: and bin_op: and
test_items: test_items:
- flag: "Binary file /proc/1/environ matches" - flag: "Binary file /proc/1/environ matches"
- flag: "ETCD_PEER_CLIENT_CERT_AUTH"
compare: compare:
op: has op: eq
value: "Binary file /proc/1/environ matches" value: "true"
set: true
- flag: "ETCD_PEER_CLIENT_CERT_AUTH=true"
compare:
op: has
value: "ETCD_PEER_CLIENT_CERT_AUTH=true"
set: true
remediation: | remediation: |
Reset to the OpenShift default configuration. Reset to the OpenShift default configuration.
scored: true scored: true
@ -1221,18 +1116,11 @@ groups:
text: "Verify the OpenShift default configuration for the peer-auto-tls argument" text: "Verify the OpenShift default configuration for the peer-auto-tls argument"
audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_AUTO_TLS /proc/1/environ; grep ETCD_PEER_AUTO_TLS /etc/etcd/etcd.conf'" audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_AUTO_TLS /proc/1/environ; grep ETCD_PEER_AUTO_TLS /etc/etcd/etcd.conf'"
tests: tests:
bin_op: and
test_items: test_items:
- flag: "Binary file /proc/1/environ matches" - flag: "ETCD_PEER_AUTO_TLS"
compare: compare:
op: has op: noteq
value: "Binary file /proc/1/environ matches" value: "true"
set: true
- flag: "#ETCD_PEER_AUTO_TLS=false"
compare:
op: has
value: "#ETCD_PEER_AUTO_TLS=false"
set: true
remediation: | remediation: |
Reset to the OpenShift default configuration. Reset to the OpenShift default configuration.
scored: true scored: true
@ -1253,10 +1141,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: "issuer= /CN=etcd-signer" - flag: "issuer= /CN=etcd-signer"
compare:
op: has
value: "issuer= /CN=etcd-signer"
set: true
remediation: | remediation: |
Reset to the OpenShift default configuration. Reset to the OpenShift default configuration.
scored: false scored: false


@ -19,17 +19,16 @@ groups:
- id: 7.3 - id: 7.3
text: "Verify that the --authorization-mode argument is set to WebHook" text: "Verify that the --authorization-mode argument is set to WebHook"
audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml" audit_config: "cat /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "authorization-mode" - path: "{.kubeletArguments.authorization-mode}"
set: false set: false
- flag: "authorization-mode" - path: "{.kubeletArguments.authorization-mode}"
compare: compare:
op: has op: has
value: "Webhook" value: "Webhook"
set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook". kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
@ -37,10 +36,10 @@ groups:
- id: 7.4 - id: 7.4
text: "Verify the OpenShift default for the client-ca-file argument" text: "Verify the OpenShift default for the client-ca-file argument"
audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml" audit_config: "cat /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "client-ca-file" - path: "{.PodManifestConfig.client-ca-file}"
set: false set: false
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following: Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
@ -53,31 +52,32 @@ groups:
- id: 7.5 - id: 7.5
text: "Verify the OpenShift default setting for the read-only-port argument" text: "Verify the OpenShift default setting for the read-only-port argument"
audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml" audit_config: "cat /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "read-only-port" - path: "{.kubeletArguments.read-only-port}"
set: false set: false
- flag: "read-only-port" - path: "{.kubeletArguments.read-only-port}"
compare: compare:
op: has op: eq
value: "0" value: "0"
set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied. Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
scored: true scored: true
- id: 7.6 - id: 7.6
text: "Adjust the streaming-connection-idle-timeout argument" text: "Adjust the streaming-connection-idle-timeout argument"
audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml" audit_config: "cat /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "streaming-connection-idle-timeout" - path: "{.kubeletArguments.streaming-connection-idle-timeout}"
set: false
- flag: "5m"
set: false set: false
- path: "{.kubeletArguments.streaming-connection-idle-timeout}"
compare:
op: eq
value: "5m"
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
value like the following in node-config.yaml. value like the following in node-config.yaml.
@ -94,17 +94,16 @@ groups:
- id: 7.8 - id: 7.8
text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument" text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml" audit_config: "cat /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "make-iptables-util-chains" - path: "{.kubeletArguments.make-iptables-util-chains}"
set: false set: false
- flag: "make-iptables-util-chains" - path: "{.kubeletArguments.make-iptables-util-chains}"
compare: compare:
op: has op: eq
value: "true" value: "true"
set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
default value of true. default value of true.
@ -112,14 +111,16 @@ groups:
- id: 7.9 - id: 7.9
text: "Verify that the --keep-terminated-pod-volumes argument is set to false" text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml" audit_config: "cat /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "keep-terminated-pod-volumes" - path: "{.kubeletArguments.keep-terminated-pod-volumes}"
set: false
- path: "{.kubeletArguments.keep-terminated-pod-volumes}"
compare: compare:
op: has op: eq
value: "false" value: "false"
set: true
remediation: | remediation: |
Reset to the OpenShift defaults Reset to the OpenShift defaults
scored: true scored: true
@ -131,17 +132,16 @@ groups:
- id: 7.11 - id: 7.11
text: "Set the --event-qps argument to 0" text: "Set the --event-qps argument to 0"
audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml" audit_config: "cat /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "event-qps" - path: "{.kubeletArguments.event-qps}"
set: false set: false
- flag: "event-qps" - path: "{.kubeletArguments.event-qps}"
compare: compare:
op: has op: eq
value: "0" value: "0"
set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
the kubeletArguments section of. the kubeletArguments section of.
@ -149,31 +149,29 @@ groups:
- id: 7.12 - id: 7.12
text: "Verify the OpenShift cert-dir flag for HTTPS traffic" text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml" audit_config: "cat /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "/etc/origin/node/certificates" - path: "{.kubeletArguments.cert-dir}"
compare: compare:
op: has op: has
value: "/etc/origin/node/certificates" value: "/etc/origin/node/certificates"
set: true
remediation: | remediation: |
Reset to the OpenShift default values. Reset to the OpenShift default values.
scored: true scored: true
- id: 7.13 - id: 7.13
text: "Verify the OpenShift default of 0 for the cadvisor-port argument" text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml" audit_config: "cat /etc/origin/node/node-config.yaml"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
- flag: "cadvisor-port" - path: "{.kubeletArguments.cadvisor-port}"
set: false set: false
- flag: "cadvisor-port" - path: "{.kubeletArguments.cadvisor-port}"
compare: compare:
op: has op: eq
value: "0" value: "0"
set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
if it is set in the kubeletArguments section. if it is set in the kubeletArguments section.
@ -181,28 +179,26 @@ groups:
- id: 7.14 - id: 7.14
text: "Verify that the RotateKubeletClientCertificate argument is set to true" text: "Verify that the RotateKubeletClientCertificate argument is set to true"
audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml" audit_config: "cat /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletClientCertificate=true" - path: "{.kubeletArguments.feature-gates}"
compare: compare:
op: has op: has
value: "true" value: "RotateKubeletClientCertificate=true"
set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true. Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
scored: true scored: true
- id: 7.15 - id: 7.15
text: "Verify that the RotateKubeletServerCertificate argument is set to true" text: "Verify that the RotateKubeletServerCertificate argument is set to true"
audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml" audit_config: "cat /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletServerCertificate=true" - path: "{.kubeletArguments.feature-gates}"
compare: compare:
op: has op: has
value: "true" value: "RotateKubeletServerCertificate=true"
set: true
remediation: | remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true. Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
scored: true scored: true
@ -220,7 +216,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig chmod 644 /etc/origin/node/node.kubeconfig
@ -232,10 +227,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root /etc/origin/node/node.kubeconfig chown root:root /etc/origin/node/node.kubeconfig
@ -243,32 +234,27 @@ groups:
- id: 8.3 - id: 8.3
text: "Verify the kubelet service file permissions of 644" text: "Verify the kubelet service file permissions of 644"
audit: "stat -c permissions=%a $nodesvc" audit: "stat -c permissions=%a $kubeletsvc"
tests: tests:
test_items: test_items:
- flag: "permissions" - flag: "permissions"
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 $nodesvc chmod 644 $kubeletsvc
scored: true scored: true
- id: 8.4 - id: 8.4
text: "Verify the kubelet service file ownership of root:root" text: "Verify the kubelet service file ownership of root:root"
audit: "stat -c %U:%G $nodesvc" audit: "stat -c %U:%G $kubeletsvc"
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root $nodesvc chown root:root $kubeletsvc
scored: true scored: true
- id: 8.5 - id: 8.5
@ -280,7 +266,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig chmod 644 /etc/origin/node/node.kubeconfig
@ -292,10 +277,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root /etc/origin/node/node.kubeconfig chown root:root /etc/origin/node/node.kubeconfig
@ -310,7 +291,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chmod 644 /etc/origin/node/client-ca.crt chmod 644 /etc/origin/node/client-ca.crt
@ -322,10 +302,6 @@ groups:
tests: tests:
test_items: test_items:
- flag: "root:root" - flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: | remediation: |
Run the below command on each worker node. Run the below command on each worker node.
chown root:root /etc/origin/node/client-ca.crt chown root:root /etc/origin/node/client-ca.crt
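Review bot: Check 7.4 is the one rewritten node check whose jsonpath does not sit under `kubeletArguments`: `- path: "{.PodManifestConfig.client-ca-file}"` with `set: false` passes whenever that exact key is absent, so if client-ca-file is configured as a kubelet argument like every other flag in this file (7.3, 7.5, 7.8, 7.11), the path never resolves and a configured override is reported as compliant. The old `grep -A1 client-ca-file` matched the key anywhere in node-config.yaml, so the intended location should be confirmed and the path changed to `- path: "{.kubeletArguments.client-ca-file}"` unless PodManifestConfig is genuinely where it lives. Separately, 7.14 and 7.15 read `{.kubeletArguments.feature-gates}` as a flat value and test it with `op: has` against `RotateKubeletClientCertificate=true`, whereas the master file's 3.7 addresses the same kind of setting as a nested key (`{.kubeletArguments.feature-gates.RotateKubeletServerCertificate}` with `op: eq`); only one of those shapes can match the real file, so the two files should agree on it.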


@ -428,6 +428,12 @@ These program names are provided in the config.yaml, section '%s.%s.bins'
} }
func getPlatformName() string { func getPlatformName() string {
openShiftVersion := getOpenShiftVersion()
if openShiftVersion != ""{
return openShiftVersion
}
kv, err := getKubeVersion() kv, err := getKubeVersion()
if err != nil { if err != nil {
glog.V(2).Info(err) glog.V(2).Info(err)
@ -446,11 +452,54 @@ func getPlatformNameFromVersion(s string) string {
} }
func getPlatformBenchmarkVersion(platform string) string { func getPlatformBenchmarkVersion(platform string) string {
glog.V(3).Infof("getPlatformBenchmarkVersion platform: %s", platform)
switch platform { switch platform {
case "eks": case "eks":
return "eks-1.0" return "eks-1.0"
case "gke": case "gke":
return "gke-1.0" return "gke-1.0"
case "ocp-3.10":
return "rh-0.7"
} }
return "" return ""
} }
func getOpenShiftVersion() string{
glog.V(1).Info("Checking for oc")
_, err := exec.LookPath("oc")
if err == nil {
cmd := exec.Command("oc", "version")
out, err := cmd.CombinedOutput()
if err == nil {
versionRe := regexp.MustCompile(`oc v(\d+\.\d+)`)
subs := versionRe.FindStringSubmatch(string(out))
if len(subs) > 1 {
glog.V(2).Infof("OCP output '%s' \nplatform is %s \nocp %v",string(out),getPlatformNameFromVersion(string(out)),subs[1])
ocpBenchmarkVersion, err := getOcpValidVersion(subs[1])
if err == nil{
return fmt.Sprintf("ocp-%s", ocpBenchmarkVersion)
}
}
}
}
return ""
}
func getOcpValidVersion(ocpVer string) (string, error) {
ocpOriginal := ocpVer
for (!isEmpty(ocpVer)) {
glog.V(3).Info(fmt.Sprintf("getOcpBenchmarkVersion check for ocp: %q \n", ocpVer))
if ocpVer == "3.10"{
glog.V(1).Info(fmt.Sprintf("getOcpBenchmarkVersion found valid version for ocp: %q \n", ocpVer))
return ocpVer, nil
}
ocpVer = decrementVersion(ocpVer)
}
glog.V(1).Info(fmt.Sprintf("getOcpBenchmarkVersion unable to find a match for: %q", ocpOriginal))
return "", fmt.Errorf("unable to find a matching Benchmark Version match for ocp version: %s", ocpOriginal)
}


@ -593,6 +593,13 @@ func Test_getPlatformBenchmarkVersion(t *testing.T) {
}, },
want: "", want: "",
}, },
{
name: "open shift",
args: args{
platform: "ocp-3.10",
},
want: "rh-0.7",
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
@ -602,3 +609,30 @@ func Test_getPlatformBenchmarkVersion(t *testing.T) {
}) })
} }
} }
func Test_getOcpValidVersion(t *testing.T) {
cases := []struct {
openShiftVersion string
succeed bool
exp string
}{
{openShiftVersion: "3.11", succeed: true, exp: "3.10"},
{openShiftVersion: "3.10", succeed: true, exp: "3.10"},
{openShiftVersion: "2.9", succeed: false, exp: ""},
{openShiftVersion: "4.1", succeed: false, exp: ""},
{openShiftVersion: "invalid", succeed: false, exp: ""},
}
for _, c := range cases {
ocpVer,_ := getOcpValidVersion(c.openShiftVersion)
if c.succeed {
if c.exp != ocpVer {
t.Fatalf("getOcpValidVersion(%q) - Got %q expected %s", c.openShiftVersion, ocpVer, c.exp)
}
} else {
if len(ocpVer) > 0 {
t.Fatalf("getOcpValidVersion(%q) - Expected empty string but Got %s", c.openShiftVersion, ocpVer)
}
}
}
}
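Review bot: Test_getOcpValidVersion discards the returned error (`ocpVer,_ := getOcpValidVersion(c.openShiftVersion)`), so the `succeed` field never verifies that the function reports an error for "2.9", "4.1" and "invalid" or nil for "3.11" and "3.10"; the table describes that contract but the loop only compares the string. Capturing it as `ocpVer, err := getOcpValidVersion(c.openShiftVersion)` and adding `if (err == nil) != c.succeed { t.Fatalf("getOcpValidVersion(%q) error = %v, want success %v", c.openShiftVersion, err, c.succeed) }` before the existing branches pins both halves. The missing space in `ocpVer,_ :=` is also not gofmt-clean.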