--- controls: id: 2 text: "Worker Node Security Configuration" type: "node" groups: - id: 2.1 text: "Kubelet" checks: - id: 2.1.1 text: "Ensure that the --allow-privileged argument is set to false (Scored)" type: "skip" scored: true - id: 2.1.2 text: "Ensure that the --anonymous-auth argument is set to false (Scored)" type: "skip" scored: true - id: 2.1.3 text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - flag: "authorization-mode" set: false - flag: "authorization-mode: Webhook" compare: op: has value: "Webhook" set: true remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook". scored: true - id: 2.1.4 text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml" tests: test_items: - flag: "client-ca-file" set: false remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following: grep -A1 client-ca-file /etc/origin/node/node-config.yaml Reset to the OpenShift default. See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65 The config file does not have this defined in kubeletArgument, but in PodManifestConfig. scored: true - id: 2.1.5 text: "Ensure that the --read-only-port argument is set to 0 (Scored)" audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - flag: "read-only-port" set: false - flag: "read-only-port: 0" compare: op: has value: "0" set: true remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied. scored: true - id: 2.1.6 text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - flag: "streaming-connection-idle-timeout" set: false - flag: "0" set: false remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout value like the following in node-config.yaml. kubeletArguments:  streaming-connection-idle-timeout:    - "5m" scored: true - id: 2.1.7 text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" type: "skip" scored: true - id: 2.1.8 text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - flag: "make-iptables-util-chains" set: false - flag: "make-iptables-util-chains: true" compare: op: has value: "true" set: true remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift default value of true. scored: true id: 2.1.9 text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)" audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml" tests: test_items: - flag: "keep-terminated-pod-volumes: false" compare: op: has value: "false" set: true remediation: | Reset to the OpenShift defaults scored: true - id: 2.1.10 text: "Ensure that the --hostname-override argument is not set (Scored)" type: "skip" scored: true - id: 2.1.11 text: "Ensure that the --event-qps argument is set to 0 (Scored)" audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - flag: "event-qps" set: false - flag: "event-qps: 0" compare: op: has value: "0" set: true remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in the kubeletArguments section of. scored: true - id: 2.1.12 text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml" tests: test_items: - flag: "/etc/origin/node/certificates" compare: op: has value: "/etc/origin/node/certificates" set: true remediation: | Reset to the OpenShift default values. scored: true - id: 2.1.13 text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml" tests: bin_op: or test_items: - flag: "cadvisor-port" set: false - flag: "cadvisor-port: 0" compare: op: has value: "0" set: true remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag if it is set in the kubeletArguments section. scored: true - id: 2.1.14 text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)" audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml" tests: test_items: - flag: "RotateKubeletClientCertificate=true" compare: op: has value: "true" set: true remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true. scored: true - id: 2.1.15 text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml" test: test_items: - flag: "RotateKubeletServerCertificate=true" compare: op: has value: "true" set: true remediation: | Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true. scored: true - id: 2.2 text: "Configuration Files" checks: - id: 2.2.1 text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)" audit: "stat -c %a /etc/origin/node/node.kubeconfig" tests: bin_op: or test_items: - flag: "644" compare: op: eq value: "644" set: true - flag: "640" compare: op: eq value: "640" set: true - flag: "600" compare: op: eq value: "600" set: true remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/node.kubeconfig scored: true - id: 2.2.2 text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)" audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" tests: test_items: - flag: "root:root" compare: op: eq value: root:root set: true remediation: | Run the below command on each worker node. chown root:root /etc/origin/node/node.kubeconfig scored: true - id: 2.2.3 text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service" tests: bin_op: or test_items: - flag: "644" compare: op: eq value: "644" set: true - flag: "640" compare: op: eq value: "640" set: true - flag: "600" compare: op: eq value: "600" set: true remediation: | Run the below command on each worker node. chmod 644 /etc/systemd/system/atomic-openshift-node.service scored: true - id: 2.2.4 text: "Ensure that the kubelet service file ownership is set to root:root (Scored)" audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service" tests: test_items: - flag: "root:root" compare: op: eq value: root:root set: true remediation: | Run the below command on each worker node. chown root:root /etc/systemd/system/atomic-openshift-node.service scored: true - id: 2.2.5 text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" audit: "stat -c %a /etc/origin/node/node.kubeconfig" tests: bin_op: or test_items: - flag: "644" compare: op: eq value: "644" set: true - flag: "640" compare: op: eq value: "640" set: true - flag: "600" compare: op: eq value: "600" set: true remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/node.kubeconfig scored: true - id: 2.2.6 text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig" tests: test_items: - flag: "root:root" compare: op: eq value: root:root set: true remediation: | Run the below command on each worker node. chown root:root /etc/origin/node/node.kubeconfig scored: true - id: 2.2.7 text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" audit: "stat -c %a /etc/origin/node/client-ca.crt" tests: bin_op: or test_items: - flag: "644" compare: op: eq value: "644" set: true - flag: "640" compare: op: eq value: "640" set: true - flag: "600" compare: op: eq value: "600" set: true remediation: | Run the below command on each worker node. chmod 644 /etc/origin/node/client-ca.crt scored: true - id: 2.2.8 text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" audit: "stat -c %U:%G /etc/origin/node/client-ca.crt" tests: test_items: - flag: "root:root" compare: op: eq value: root:root set: true remediation: | Run the below command on each worker node. chown root:root /etc/origin/node/client-ca.crt scored: true