mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-02 12:58:15 +00:00
887965d31f
* Add detected kubernetes version to controls * Refactore NewControls function Now new Control function is expecting detected version argument. * Refactore NewControls function Now new Control function is expecting detected version argument. * Refactore NewControls function New Control function is expecting detected version argument. * Add detected kube version * add detecetedKubeVersion * Add detecetedKubeVersion * Add detectedKubeVersion * Add detecetedKubeVersion * Fix missing version * Change version Change version from 3.10 to rh-0.7 * fix version: "cis-1.5" * fix version: "cis-1.5" * fix version: "cis-1.5" * Fix version: "cis-1.5" * Fix version: "cis-1.5" * Fix version: "cis-1.6" * Fix version: "cis-1.6" * Fix version: "cis-1.6" * Fix version: "cis-1.6" * Fix version: "cis-1.6"
310 lines
11 KiB
YAML
310 lines
11 KiB
YAML
---
|
||
controls:
|
||
version: "rh-0.7"
|
||
id: 2
|
||
text: "Worker Node Security Configuration"
|
||
type: "node"
|
||
groups:
|
||
- id: 7
|
||
text: "Kubelet"
|
||
checks:
|
||
- id: 7.1
|
||
text: "Use Security Context Constraints to manage privileged containers as needed"
|
||
type: "skip"
|
||
scored: true
|
||
|
||
- id: 7.2
|
||
text: "Ensure anonymous-auth is not disabled"
|
||
type: "skip"
|
||
scored: true
|
||
|
||
- id: 7.3
|
||
text: "Verify that the --authorization-mode argument is set to WebHook"
|
||
audit_config: "cat /etc/origin/node/node-config.yaml"
|
||
tests:
|
||
bin_op: or
|
||
test_items:
|
||
- path: "{.kubeletArguments.authorization-mode}"
|
||
set: false
|
||
- path: "{.kubeletArguments.authorization-mode}"
|
||
compare:
|
||
op: has
|
||
value: "Webhook"
|
||
remediation: |
|
||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
|
||
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
|
||
scored: true
|
||
|
||
- id: 7.4
|
||
text: "Verify the OpenShift default for the client-ca-file argument"
|
||
audit_config: "cat /etc/origin/node/node-config.yaml"
|
||
tests:
|
||
test_items:
|
||
- path: "{.PodManifestConfig.client-ca-file}"
|
||
set: false
|
||
remediation: |
|
||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
|
||
grep -A1 client-ca-file /etc/origin/node/node-config.yaml
|
||
|
||
Reset to the OpenShift default.
|
||
See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
|
||
The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
|
||
scored: true
|
||
|
||
- id: 7.5
|
||
text: "Verify the OpenShift default setting for the read-only-port argument"
|
||
audit_config: "cat /etc/origin/node/node-config.yaml"
|
||
tests:
|
||
bin_op: or
|
||
test_items:
|
||
- path: "{.kubeletArguments.read-only-port}"
|
||
set: false
|
||
- path: "{.kubeletArguments.read-only-port}"
|
||
compare:
|
||
op: eq
|
||
value: "0"
|
||
remediation: |
|
||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
|
||
scored: true
|
||
|
||
- id: 7.6
|
||
text: "Adjust the streaming-connection-idle-timeout argument"
|
||
audit_config: "cat /etc/origin/node/node-config.yaml"
|
||
tests:
|
||
bin_op: or
|
||
test_items:
|
||
- path: "{.kubeletArguments.streaming-connection-idle-timeout}"
|
||
set: false
|
||
- path: "{.kubeletArguments.streaming-connection-idle-timeout}"
|
||
compare:
|
||
op: eq
|
||
value: "5m"
|
||
remediation: |
|
||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
|
||
value like the following in node-config.yaml.
|
||
|
||
kubeletArguments:
|
||
streaming-connection-idle-timeout:
|
||
- "5m"
|
||
scored: true
|
||
|
||
- id: 7.7
|
||
text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
|
||
type: "skip"
|
||
scored: true
|
||
|
||
- id: 7.8
|
||
text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
|
||
audit_config: "cat /etc/origin/node/node-config.yaml"
|
||
tests:
|
||
bin_op: or
|
||
test_items:
|
||
- path: "{.kubeletArguments.make-iptables-util-chains}"
|
||
set: false
|
||
- path: "{.kubeletArguments.make-iptables-util-chains}"
|
||
compare:
|
||
op: eq
|
||
value: "true"
|
||
remediation: |
|
||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
|
||
default value of true.
|
||
scored: true
|
||
|
||
- id: 7.9
|
||
text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
|
||
audit_config: "cat /etc/origin/node/node-config.yaml"
|
||
tests:
|
||
bin_op: or
|
||
test_items:
|
||
- path: "{.kubeletArguments.keep-terminated-pod-volumes}"
|
||
set: false
|
||
- path: "{.kubeletArguments.keep-terminated-pod-volumes}"
|
||
compare:
|
||
op: eq
|
||
value: "false"
|
||
remediation: |
|
||
Reset to the OpenShift defaults
|
||
scored: true
|
||
|
||
- id: 7.10
|
||
text: "Verify the OpenShift defaults for the hostname-override argument"
|
||
type: "skip"
|
||
scored: true
|
||
|
||
- id: 7.11
|
||
text: "Set the --event-qps argument to 0"
|
||
audit_config: "cat /etc/origin/node/node-config.yaml"
|
||
tests:
|
||
bin_op: or
|
||
test_items:
|
||
- path: "{.kubeletArguments.event-qps}"
|
||
set: false
|
||
- path: "{.kubeletArguments.event-qps}"
|
||
compare:
|
||
op: eq
|
||
value: "0"
|
||
remediation: |
|
||
Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
|
||
the kubeletArguments section of.
|
||
scored: true
|
||
|
||
- id: 7.12
|
||
text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
|
||
audit_config: "cat /etc/origin/node/node-config.yaml"
|
||
tests:
|
||
test_items:
|
||
- path: "{.kubeletArguments.cert-dir}"
|
||
compare:
|
||
op: has
|
||
value: "/etc/origin/node/certificates"
|
||
remediation: |
|
||
Reset to the OpenShift default values.
|
||
scored: true
|
||
|
||
- id: 7.13
|
||
text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
|
||
audit_config: "cat /etc/origin/node/node-config.yaml"
|
||
tests:
|
||
bin_op: or
|
||
test_items:
|
||
- path: "{.kubeletArguments.cadvisor-port}"
|
||
set: false
|
||
- path: "{.kubeletArguments.cadvisor-port}"
|
||
compare:
|
||
op: eq
|
||
value: "0"
|
||
remediation: |
|
||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
|
||
if it is set in the kubeletArguments section.
|
||
scored: true
|
||
|
||
- id: 7.14
|
||
text: "Verify that the RotateKubeletClientCertificate argument is set to true"
|
||
audit_config: "cat /etc/origin/node/node-config.yaml"
|
||
tests:
|
||
test_items:
|
||
- path: "{.kubeletArguments.feature-gates}"
|
||
compare:
|
||
op: has
|
||
value: "RotateKubeletClientCertificate=true"
|
||
remediation: |
|
||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
|
||
scored: true
|
||
|
||
- id: 7.15
|
||
text: "Verify that the RotateKubeletServerCertificate argument is set to true"
|
||
audit_config: "cat /etc/origin/node/node-config.yaml"
|
||
tests:
|
||
test_items:
|
||
- path: "{.kubeletArguments.feature-gates}"
|
||
compare:
|
||
op: has
|
||
value: "RotateKubeletServerCertificate=true"
|
||
remediation: |
|
||
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
|
||
scored: true
|
||
|
||
|
||
- id: 8
|
||
text: "Configuration Files"
|
||
checks:
|
||
- id: 8.1
|
||
text: "Verify the OpenShift default permissions for the kubelet.conf file"
|
||
audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig"
|
||
tests:
|
||
test_items:
|
||
- flag: "permissions"
|
||
compare:
|
||
op: bitmask
|
||
value: "644"
|
||
remediation: |
|
||
Run the below command on each worker node.
|
||
chmod 644 /etc/origin/node/node.kubeconfig
|
||
scored: true
|
||
|
||
- id: 8.2
|
||
text: "Verify the kubeconfig file ownership of root:root"
|
||
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
|
||
tests:
|
||
test_items:
|
||
- flag: "root:root"
|
||
remediation: |
|
||
Run the below command on each worker node.
|
||
chown root:root /etc/origin/node/node.kubeconfig
|
||
scored: true
|
||
|
||
- id: 8.3
|
||
text: "Verify the kubelet service file permissions of 644"
|
||
audit: "stat -c permissions=%a $kubeletsvc"
|
||
tests:
|
||
test_items:
|
||
- flag: "permissions"
|
||
compare:
|
||
op: bitmask
|
||
value: "644"
|
||
remediation: |
|
||
Run the below command on each worker node.
|
||
chmod 644 $kubeletsvc
|
||
scored: true
|
||
|
||
- id: 8.4
|
||
text: "Verify the kubelet service file ownership of root:root"
|
||
audit: "stat -c %U:%G $kubeletsvc"
|
||
tests:
|
||
test_items:
|
||
- flag: "root:root"
|
||
remediation: |
|
||
Run the below command on each worker node.
|
||
chown root:root $kubeletsvc
|
||
scored: true
|
||
|
||
- id: 8.5
|
||
text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
|
||
audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig"
|
||
tests:
|
||
test_items:
|
||
- flag: "permissions"
|
||
compare:
|
||
op: bitmask
|
||
value: "644"
|
||
remediation: |
|
||
Run the below command on each worker node.
|
||
chmod 644 /etc/origin/node/node.kubeconfig
|
||
scored: true
|
||
|
||
- id: 8.6
|
||
text: "Verify the proxy kubeconfig file ownership of root:root"
|
||
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
|
||
tests:
|
||
test_items:
|
||
- flag: "root:root"
|
||
remediation: |
|
||
Run the below command on each worker node.
|
||
chown root:root /etc/origin/node/node.kubeconfig
|
||
scored: true
|
||
|
||
- id: 8.7
|
||
text: "Verify the OpenShift default permissions for the certificate authorities file."
|
||
audit: "stat -c permissions=%a /etc/origin/node/client-ca.crt"
|
||
tests:
|
||
test_items:
|
||
- flag: "permissions"
|
||
compare:
|
||
op: bitmask
|
||
value: "644"
|
||
remediation: |
|
||
Run the below command on each worker node.
|
||
chmod 644 /etc/origin/node/client-ca.crt
|
||
scored: true
|
||
|
||
- id: 8.8
|
||
text: "Verify the client certificate authorities file ownership of root:root"
|
||
audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
|
||
tests:
|
||
test_items:
|
||
- flag: "root:root"
|
||
remediation: |
|
||
Run the below command on each worker node.
|
||
chown root:root /etc/origin/node/client-ca.crt
|
||
scored: true
|