--- controls: version: "rh-0.7" id: 2 text: "Worker Node Security Configuration" type: "node" groups: - id: 7 text: "Kubelet" checks: - id: 7.1 text: "Use Security Context Constraints to manage privileged containers as needed" type: "skip" scored: true - id: 7.2 text: "Ensure anonymous-auth is not disabled" type: "skip" scored: true - id: 7.3 text: "Verify that the --authorization-mode argument is set to WebHook" audit_config: "cat /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - path: "{.kubeletArguments.authorization-mode}" set: false - path: "{.kubeletArguments.authorization-mode}" compare: op: has value: "Webhook" remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook". scored: true - id: 7.4 text: "Verify the OpenShift default for the client-ca-file argument" audit_config: "cat /etc/origin/node/node-config.yaml" tests: test_items: - path: "{.PodManifestConfig.client-ca-file}" set: false remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following: grep -A1 client-ca-file /etc/origin/node/node-config.yaml Reset to the OpenShift default. See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65 The config file does not have this defined in kubeletArgument, but in PodManifestConfig. scored: true - id: 7.5 text: "Verify the OpenShift default setting for the read-only-port argument" audit_config: "cat /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - path: "{.kubeletArguments.read-only-port}" set: false - path: "{.kubeletArguments.read-only-port}" compare: op: eq value: "0" remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied. scored: true - id: 7.6 text: "Adjust the streaming-connection-idle-timeout argument" audit_config: "cat /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - path: "{.kubeletArguments.streaming-connection-idle-timeout}" set: false - path: "{.kubeletArguments.streaming-connection-idle-timeout}" compare: op: eq value: "5m" remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout value like the following in node-config.yaml. kubeletArguments:  streaming-connection-idle-timeout:    - "5m" scored: true - id: 7.7 text: "Verify the OpenShift defaults for the protect-kernel-defaults argument" type: "skip" scored: true - id: 7.8 text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument" audit_config: "cat /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - path: "{.kubeletArguments.make-iptables-util-chains}" set: false - path: "{.kubeletArguments.make-iptables-util-chains}" compare: op: eq value: "true" remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift default value of true. scored: true - id: 7.9 text: "Verify that the --keep-terminated-pod-volumes argument is set to false" audit_config: "cat /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - path: "{.kubeletArguments.keep-terminated-pod-volumes}" set: false - path: "{.kubeletArguments.keep-terminated-pod-volumes}" compare: op: eq value: "false" remediation: | Reset to the OpenShift defaults scored: true - id: 7.10 text: "Verify the OpenShift defaults for the hostname-override argument" type: "skip" scored: true - id: 7.11 text: "Set the --event-qps argument to 0" audit_config: "cat /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - path: "{.kubeletArguments.event-qps}" set: false - path: "{.kubeletArguments.event-qps}" compare: op: eq value: "0" remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in the kubeletArguments section of. scored: true - id: 7.12 text: "Verify the OpenShift cert-dir flag for HTTPS traffic" audit_config: "cat /etc/origin/node/node-config.yaml" tests: test_items: - path: "{.kubeletArguments.cert-dir}" compare: op: has value: "/etc/origin/node/certificates" remediation: | Reset to the OpenShift default values. scored: true - id: 7.13 text: "Verify the OpenShift default of 0 for the cadvisor-port argument" audit_config: "cat /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - path: "{.kubeletArguments.cadvisor-port}" set: false - path: "{.kubeletArguments.cadvisor-port}" compare: op: eq value: "0" remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag if it is set in the kubeletArguments section. scored: true - id: 7.14 text: "Verify that the RotateKubeletClientCertificate argument is set to true" audit_config: "cat /etc/origin/node/node-config.yaml" tests: test_items: - path: "{.kubeletArguments.feature-gates}" compare: op: has value: "RotateKubeletClientCertificate=true" remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true. scored: true - id: 7.15 text: "Verify that the RotateKubeletServerCertificate argument is set to true" audit_config: "cat /etc/origin/node/node-config.yaml" tests: test_items: - path: "{.kubeletArguments.feature-gates}" compare: op: has value: "RotateKubeletServerCertificate=true" remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true. scored: true - id: 8 text: "Configuration Files" checks: - id: 8.1 text: "Verify the OpenShift default permissions for the kubelet.conf file" audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig" tests: test_items: - flag: "permissions" compare: op: bitmask value: "644" remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/node.kubeconfig scored: true - id: 8.2 text: "Verify the kubeconfig file ownership of root:root" audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" tests: test_items: - flag: "root:root" remediation: | Run the below command on each worker node. chown root:root /etc/origin/node/node.kubeconfig scored: true - id: 8.3 text: "Verify the kubelet service file permissions of 644" audit: "stat -c permissions=%a $kubeletsvc" tests: test_items: - flag: "permissions" compare: op: bitmask value: "644" remediation: | Run the below command on each worker node. chmod 644 $kubeletsvc scored: true - id: 8.4 text: "Verify the kubelet service file ownership of root:root" audit: "stat -c %U:%G $kubeletsvc" tests: test_items: - flag: "root:root" remediation: | Run the below command on each worker node. chown root:root $kubeletsvc scored: true - id: 8.5 text: "Verify the OpenShift default permissions for the proxy kubeconfig file" audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig" tests: test_items: - flag: "permissions" compare: op: bitmask value: "644" remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/node.kubeconfig scored: true - id: 8.6 text: "Verify the proxy kubeconfig file ownership of root:root" audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" tests: test_items: - flag: "root:root" remediation: | Run the below command on each worker node. chown root:root /etc/origin/node/node.kubeconfig scored: true - id: 8.7 text: "Verify the OpenShift default permissions for the certificate authorities file." audit: "stat -c permissions=%a /etc/origin/node/client-ca.crt" tests: test_items: - flag: "permissions" compare: op: bitmask value: "644" remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/client-ca.crt scored: true - id: 8.8 text: "Verify the client certificate authorities file ownership of root:root" audit: "stat -c %U:%G /etc/origin/node/client-ca.crt" tests: test_items: - flag: "root:root" remediation: | Run the below command on each worker node. chown root:root /etc/origin/node/client-ca.crt scored: true