mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-26 18:08:15 +00:00
7a55d5d57c
Fix: To address this, we've modified the command to achieve the following: Verify the existence of the file. If the file is found, show the user and group ownership in the "username:groupname" format. If the file is not found, display the message "File not found." To accommodate this change, we've integrated the expected output "File not found" for instances where the file is absent. This adjustment ensures the successful execution of the test. Co-authored-by: mjshastha <manojshastha.madriki@aquasec.com>
456 lines
19 KiB
YAML
456 lines
19 KiB
YAML
---
|
|
controls:
|
|
version: "cis-1.7"
|
|
id: 4
|
|
text: "Worker Node Security Configuration"
|
|
type: "node"
|
|
groups:
|
|
- id: 4.1
|
|
text: "Worker Node Configuration Files"
|
|
checks:
|
|
- id: 4.1.1
|
|
text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"
|
|
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
|
|
tests:
|
|
test_items:
|
|
- flag: "permissions"
|
|
compare:
|
|
op: bitmask
|
|
value: "600"
|
|
remediation: |
|
|
Run the below command (based on the file location on your system) on the each worker node.
|
|
For example, chmod 600 $kubeletsvc
|
|
scored: true
|
|
|
|
- id: 4.1.2
|
|
text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
|
|
audit: '/bin/sh -c "if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; else echo \"File not found\"; fi"'
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: root:root
|
|
- flag: "File not found"
|
|
remediation: |
|
|
Run the below command (based on the file location on your system) on the each worker node.
|
|
For example,
|
|
chown root:root $kubeletsvc
|
|
scored: true
|
|
|
|
- id: 4.1.3
|
|
text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)"
|
|
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: "permissions"
|
|
set: true
|
|
compare:
|
|
op: bitmask
|
|
value: "600"
|
|
remediation: |
|
|
Run the below command (based on the file location on your system) on the each worker node.
|
|
For example,
|
|
chmod 600 $proxykubeconfig
|
|
scored: false
|
|
|
|
- id: 4.1.4
|
|
text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
|
|
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: root:root
|
|
remediation: |
|
|
Run the below command (based on the file location on your system) on the each worker node.
|
|
For example, chown root:root $proxykubeconfig
|
|
scored: false
|
|
|
|
- id: 4.1.5
|
|
text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"
|
|
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
|
|
tests:
|
|
test_items:
|
|
- flag: "permissions"
|
|
compare:
|
|
op: bitmask
|
|
value: "600"
|
|
remediation: |
|
|
Run the below command (based on the file location on your system) on the each worker node.
|
|
For example,
|
|
chmod 600 $kubeletkubeconfig
|
|
scored: true
|
|
|
|
- id: 4.1.6
|
|
text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
|
|
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
|
|
tests:
|
|
test_items:
|
|
- flag: root:root
|
|
remediation: |
|
|
Run the below command (based on the file location on your system) on the each worker node.
|
|
For example,
|
|
chown root:root $kubeletkubeconfig
|
|
scored: true
|
|
|
|
- id: 4.1.7
|
|
text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)"
|
|
audit: |
|
|
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
|
|
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
|
|
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
|
|
tests:
|
|
test_items:
|
|
- flag: "permissions"
|
|
compare:
|
|
op: bitmask
|
|
value: "600"
|
|
remediation: |
|
|
Run the following command to modify the file permissions of the
|
|
--client-ca-file chmod 600 <filename>
|
|
scored: false
|
|
|
|
- id: 4.1.8
|
|
text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
|
|
audit: |
|
|
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}' | uniq)
|
|
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
|
|
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
|
|
tests:
|
|
test_items:
|
|
- flag: root:root
|
|
compare:
|
|
op: eq
|
|
value: root:root
|
|
remediation: |
|
|
Run the following command to modify the ownership of the --client-ca-file.
|
|
chown root:root <filename>
|
|
scored: false
|
|
|
|
- id: 4.1.9
|
|
text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Manual)"
|
|
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
|
|
tests:
|
|
test_items:
|
|
- flag: "permissions"
|
|
compare:
|
|
op: bitmask
|
|
value: "600"
|
|
remediation: |
|
|
Run the following command (using the config file location identified in the Audit step)
|
|
chmod 600 $kubeletconf
|
|
scored: false
|
|
|
|
- id: 4.1.10
|
|
text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)"
|
|
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
|
|
tests:
|
|
test_items:
|
|
- flag: root:root
|
|
remediation: |
|
|
Run the following command (using the config file location identified in the Audit step)
|
|
chown root:root $kubeletconf
|
|
scored: false
|
|
|
|
- id: 4.2
|
|
text: "Kubelet"
|
|
checks:
|
|
- id: 4.2.1
|
|
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: "--anonymous-auth"
|
|
path: '{.authentication.anonymous.enabled}'
|
|
compare:
|
|
op: eq
|
|
value: false
|
|
remediation: |
|
|
If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
|
|
`false`.
|
|
If using executable arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
`--anonymous-auth=false`
|
|
Based on your system, restart the kubelet service. For example,
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: true
|
|
|
|
- id: 4.2.2
|
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --authorization-mode
|
|
path: '{.authorization.mode}'
|
|
compare:
|
|
op: nothave
|
|
value: AlwaysAllow
|
|
remediation: |
|
|
If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
|
|
using executable arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameter in KUBELET_AUTHZ_ARGS variable.
|
|
--authorization-mode=Webhook
|
|
Based on your system, restart the kubelet service. For example,
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: true
|
|
|
|
- id: 4.2.3
|
|
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --client-ca-file
|
|
path: '{.authentication.x509.clientCAFile}'
|
|
remediation: |
|
|
If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
|
|
the location of the client CA file.
|
|
If using command line arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameter in KUBELET_AUTHZ_ARGS variable.
|
|
--client-ca-file=<path/to/client-ca-file>
|
|
Based on your system, restart the kubelet service. For example,
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: true
|
|
|
|
- id: 4.2.4
|
|
text: "Verify that the --read-only-port argument is set to 0 (Manual)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: "--read-only-port"
|
|
path: '{.readOnlyPort}'
|
|
compare:
|
|
op: eq
|
|
value: 0
|
|
- flag: "--read-only-port"
|
|
path: '{.readOnlyPort}'
|
|
set: false
|
|
remediation: |
|
|
If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
|
|
If using command line arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
--read-only-port=0
|
|
Based on your system, restart the kubelet service. For example,
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: false
|
|
|
|
- id: 4.2.5
|
|
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --streaming-connection-idle-timeout
|
|
path: '{.streamingConnectionIdleTimeout}'
|
|
compare:
|
|
op: noteq
|
|
value: 0
|
|
- flag: --streaming-connection-idle-timeout
|
|
path: '{.streamingConnectionIdleTimeout}'
|
|
set: false
|
|
bin_op: or
|
|
remediation: |
|
|
If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
|
|
value other than 0.
|
|
If using command line arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
--streaming-connection-idle-timeout=5m
|
|
Based on your system, restart the kubelet service. For example,
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: false
|
|
|
|
- id: 4.2.6
|
|
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --make-iptables-util-chains
|
|
path: '{.makeIPTablesUtilChains}'
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
- flag: --make-iptables-util-chains
|
|
path: '{.makeIPTablesUtilChains}'
|
|
set: false
|
|
bin_op: or
|
|
remediation: |
|
|
If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
|
|
If using command line arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
remove the --make-iptables-util-chains argument from the
|
|
KUBELET_SYSTEM_PODS_ARGS variable.
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: true
|
|
|
|
- id: 4.2.7
|
|
text: "Ensure that the --hostname-override argument is not set (Manual)"
|
|
# This is one of those properties that can only be set as a command line argument.
|
|
# To check if the property is set as expected, we need to parse the kubelet command
|
|
# instead reading the Kubelet Configuration file.
|
|
audit: "/bin/ps -fC $kubeletbin "
|
|
tests:
|
|
test_items:
|
|
- flag: --hostname-override
|
|
set: false
|
|
remediation: |
|
|
Edit the kubelet service file $kubeletsvc
|
|
on each worker node and remove the --hostname-override argument from the
|
|
KUBELET_SYSTEM_PODS_ARGS variable.
|
|
Based on your system, restart the kubelet service. For example,
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: false
|
|
|
|
- id: 4.2.8
|
|
text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --event-qps
|
|
path: '{.eventRecordQPS}'
|
|
compare:
|
|
op: gte
|
|
value: 0
|
|
- flag: --event-qps
|
|
path: '{.eventRecordQPS}'
|
|
set: false
|
|
bin_op: or
|
|
remediation: |
|
|
If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
|
|
If using command line arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
|
|
Based on your system, restart the kubelet service. For example,
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: false
|
|
|
|
- id: 4.2.9
|
|
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --tls-cert-file
|
|
path: '{.tlsCertFile}'
|
|
- flag: --tls-private-key-file
|
|
path: '{.tlsPrivateKeyFile}'
|
|
remediation: |
|
|
If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
|
|
of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
|
|
to the location of the corresponding private key file.
|
|
If using command line arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
|
|
--tls-cert-file=<path/to/tls-certificate-file>
|
|
--tls-private-key-file=<path/to/tls-key-file>
|
|
Based on your system, restart the kubelet service. For example,
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: false
|
|
|
|
- id: 4.2.10
|
|
text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --rotate-certificates
|
|
path: '{.rotateCertificates}'
|
|
compare:
|
|
op: eq
|
|
value: true
|
|
- flag: --rotate-certificates
|
|
path: '{.rotateCertificates}'
|
|
set: false
|
|
bin_op: or
|
|
remediation: |
|
|
If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
|
|
remove it altogether to use the default value.
|
|
If using command line arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
|
|
variable.
|
|
Based on your system, restart the kubelet service. For example,
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: true
|
|
|
|
- id: 4.2.11
|
|
text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: RotateKubeletServerCertificate
|
|
path: '{.featureGates.RotateKubeletServerCertificate}'
|
|
compare:
|
|
op: nothave
|
|
value: false
|
|
- flag: RotateKubeletServerCertificate
|
|
path: '{.featureGates.RotateKubeletServerCertificate}'
|
|
set: false
|
|
remediation: |
|
|
Edit the kubelet service file $kubeletsvc
|
|
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
|
|
--feature-gates=RotateKubeletServerCertificate=true
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: false
|
|
|
|
- id: 4.2.12
|
|
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --tls-cipher-suites
|
|
path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
|
|
compare:
|
|
op: valid_elements
|
|
value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
remediation: |
|
|
If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
or to a subset of these values.
|
|
If using executable arguments, edit the kubelet service file
|
|
$kubeletsvc on each worker node and
|
|
set the --tls-cipher-suites parameter as follows, or to a subset of these values.
|
|
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
Based on your system, restart the kubelet service. For example:
|
|
systemctl daemon-reload
|
|
systemctl restart kubelet.service
|
|
scored: false
|
|
|
|
- id: 4.2.13
|
|
text: "Ensure that a limit is set on pod PIDs (Manual)"
|
|
audit: "/bin/ps -fC $kubeletbin"
|
|
audit_config: "/bin/cat $kubeletconf"
|
|
tests:
|
|
test_items:
|
|
- flag: --pod-max-pids
|
|
path: '{.podPidsLimit}'
|
|
remediation: |
|
|
Decide on an appropriate level for this parameter and set it,
|
|
either via the --pod-max-pids command line parameter or the PodPidsLimit configuration file setting.
|
|
scored: false
|