1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-30 10:28:09 +00:00
kube-bench/cfg/rh-0.7/node.yaml
Yoav Rotem 887965d31f
Add detected kubernetes version (#869)
* Add detected kubernetes version to controls

* Refactore NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

Now new Control function is expecting detected version argument.

* Refactore NewControls function

New Control function is expecting detected version argument.

* Add detected kube version

* add detecetedKubeVersion

* Add detecetedKubeVersion

* Add detectedKubeVersion

* Add detecetedKubeVersion

* Fix missing version

* Change version

Change version from 3.10 to rh-0.7

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.5"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"

* Fix version: "cis-1.6"
2021-05-09 14:48:34 +03:00

310 lines
11 KiB
YAML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
controls:
version: "rh-0.7"
id: 2
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 7
text: "Kubelet"
checks:
- id: 7.1
text: "Use Security Context Constraints to manage privileged containers as needed"
type: "skip"
scored: true
- id: 7.2
text: "Ensure anonymous-auth is not disabled"
type: "skip"
scored: true
- id: 7.3
text: "Verify that the --authorization-mode argument is set to WebHook"
audit_config: "cat /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- path: "{.kubeletArguments.authorization-mode}"
set: false
- path: "{.kubeletArguments.authorization-mode}"
compare:
op: has
value: "Webhook"
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
scored: true
- id: 7.4
text: "Verify the OpenShift default for the client-ca-file argument"
audit_config: "cat /etc/origin/node/node-config.yaml"
tests:
test_items:
- path: "{.PodManifestConfig.client-ca-file}"
set: false
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
grep -A1 client-ca-file /etc/origin/node/node-config.yaml
Reset to the OpenShift default.
See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
scored: true
- id: 7.5
text: "Verify the OpenShift default setting for the read-only-port argument"
audit_config: "cat /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- path: "{.kubeletArguments.read-only-port}"
set: false
- path: "{.kubeletArguments.read-only-port}"
compare:
op: eq
value: "0"
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
scored: true
- id: 7.6
text: "Adjust the streaming-connection-idle-timeout argument"
audit_config: "cat /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- path: "{.kubeletArguments.streaming-connection-idle-timeout}"
set: false
- path: "{.kubeletArguments.streaming-connection-idle-timeout}"
compare:
op: eq
value: "5m"
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
value like the following in node-config.yaml.
kubeletArguments:
 streaming-connection-idle-timeout:
   - "5m"
scored: true
- id: 7.7
text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
type: "skip"
scored: true
- id: 7.8
text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
audit_config: "cat /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- path: "{.kubeletArguments.make-iptables-util-chains}"
set: false
- path: "{.kubeletArguments.make-iptables-util-chains}"
compare:
op: eq
value: "true"
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
default value of true.
scored: true
- id: 7.9
text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
audit_config: "cat /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- path: "{.kubeletArguments.keep-terminated-pod-volumes}"
set: false
- path: "{.kubeletArguments.keep-terminated-pod-volumes}"
compare:
op: eq
value: "false"
remediation: |
Reset to the OpenShift defaults
scored: true
- id: 7.10
text: "Verify the OpenShift defaults for the hostname-override argument"
type: "skip"
scored: true
- id: 7.11
text: "Set the --event-qps argument to 0"
audit_config: "cat /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- path: "{.kubeletArguments.event-qps}"
set: false
- path: "{.kubeletArguments.event-qps}"
compare:
op: eq
value: "0"
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
the kubeletArguments section of.
scored: true
- id: 7.12
text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
audit_config: "cat /etc/origin/node/node-config.yaml"
tests:
test_items:
- path: "{.kubeletArguments.cert-dir}"
compare:
op: has
value: "/etc/origin/node/certificates"
remediation: |
Reset to the OpenShift default values.
scored: true
- id: 7.13
text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
audit_config: "cat /etc/origin/node/node-config.yaml"
tests:
bin_op: or
test_items:
- path: "{.kubeletArguments.cadvisor-port}"
set: false
- path: "{.kubeletArguments.cadvisor-port}"
compare:
op: eq
value: "0"
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
if it is set in the kubeletArguments section.
scored: true
- id: 7.14
text: "Verify that the RotateKubeletClientCertificate argument is set to true"
audit_config: "cat /etc/origin/node/node-config.yaml"
tests:
test_items:
- path: "{.kubeletArguments.feature-gates}"
compare:
op: has
value: "RotateKubeletClientCertificate=true"
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
scored: true
- id: 7.15
text: "Verify that the RotateKubeletServerCertificate argument is set to true"
audit_config: "cat /etc/origin/node/node-config.yaml"
tests:
test_items:
- path: "{.kubeletArguments.feature-gates}"
compare:
op: has
value: "RotateKubeletServerCertificate=true"
remediation: |
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
scored: true
- id: 8
text: "Configuration Files"
checks:
- id: 8.1
text: "Verify the OpenShift default permissions for the kubelet.conf file"
audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig
scored: true
- id: 8.2
text: "Verify the kubeconfig file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command on each worker node.
chown root:root /etc/origin/node/node.kubeconfig
scored: true
- id: 8.3
text: "Verify the kubelet service file permissions of 644"
audit: "stat -c permissions=%a $kubeletsvc"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command on each worker node.
chmod 644 $kubeletsvc
scored: true
- id: 8.4
text: "Verify the kubelet service file ownership of root:root"
audit: "stat -c %U:%G $kubeletsvc"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command on each worker node.
chown root:root $kubeletsvc
scored: true
- id: 8.5
text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command on each worker node.
chmod 644 /etc/origin/node/node.kubeconfig
scored: true
- id: 8.6
text: "Verify the proxy kubeconfig file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command on each worker node.
chown root:root /etc/origin/node/node.kubeconfig
scored: true
- id: 8.7
text: "Verify the OpenShift default permissions for the certificate authorities file."
audit: "stat -c permissions=%a /etc/origin/node/client-ca.crt"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command on each worker node.
chmod 644 /etc/origin/node/client-ca.crt
scored: true
- id: 8.8
text: "Verify the client certificate authorities file ownership of root:root"
audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command on each worker node.
chown root:root /etc/origin/node/client-ca.crt
scored: true