Merge pull request #267 from aquasecurity/lizrice-patch-1

Add OCP info into the README

README.md

@@ -13,7 +13,19 @@ Tests are configured with YAML files, making this tool easy to update as test sp
 
 ## CIS Kubernetes Benchmark support
 
-kube-bench supports the tests for multiple versions of Kubernetes (1.6, 1.7, 1.8, and 1.11) as defined in the CIS Benchmarks 1.0.0, 1.1.0, 1.2.0, and 1.3.0 respectively. It will determine the test set to run based on the Kubernetes version running on the machine.
+kube-bench supports the tests for Kubernetes as defined in the CIS Benchmarks 1.0.0 to 1.4.0 respectively. 
+
+| CIS Kubernetes Benchmark | kube-bench config | Kubernetes versions |
+|---|---|---|
+| 1.0.0| 1.6 | 1.6 |
+| 1.1.0| 1.7 | 1.7 |
+| 1.2.0| 1.8 | 1.8-1.10 |
+| 1.3.0| 1.11 | 1.11-1.12 |
+| 1.4.0| 1.13 | 1.13- |
+
+By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine.
+
+There is also preliminary support for Red Hat's Openshift Hardening Guide for 3.10 and 3.11. Please note that kube-bench does not automatically detect Openshift - see below. 
 
 ## Installation
 
@@ -37,14 +49,14 @@ You can even use your own configs by mounting them over the default ones in `/op
 docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml aquasec/kube-bench:latest [master|node]
 ```
 
-> Note: the tests require either the kubelet or kubectl binary in the path in order to know the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.
+> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/bin/kubectl` to the above invocations to resolve this.
 
 ### Running in a kubernetes cluster
 
 You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.
 
 Master nodes are automatically detected by kube-bench and will run master checks when possible.
-The detection is done by verifying that mandatory components for master are running. (see [config file](#configuration).
+The detection is done by verifying that mandatory components for master, as defined in the config files, are running (see [Configuration](#configuration)).
 
 The supplied `job.yaml` file can be applied to run the tests as a job. For example:
 
@@ -102,6 +114,9 @@ go build -o kube-bench .
 ./kube-bench
 
 ```
+## Running on OpenShift 
+
+kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 3.11. To run this you will need to specify `--version ocp-3.10` when you run the `kube-bench` command (either directly or through YAML). This config version is valid for OCP 3.10 and 3.11. 
 
 ## Configuration
 
@@ -114,6 +129,13 @@ For each type of node (*master*, *node* or *federated*) there is a list of compo
 * **confs** - If one of the listed config files is found, this will be considered for the test. Tests can continue even if no config file is found. If no file is found at any of the listed locations, and a *defaultconf* location is given for the component, the test will give remediation advice using the *defaultconf* location.
 * **unitfiles** - From version 1.2.0 of the benchmark  (tests for Kubernetes 1.8), the remediation instructions were updated to assume that kubelet configuration is defined in a service file, and this setting defines where to look for that configuration.
 
+## Output
+
+There are three output states
+- [PASS] and [FAIL] indicate that a test was run successfully, and it either passed or failed
+- [WARN] means this test needs further attention, for example it is a test that needs to be run manually 
+- [INFO] is informational output that needs no further action.
+
 ## Test config YAML representation
 The tests are represented as YAML documents (installed by default into ./cfg).
 
@@ -146,6 +168,20 @@ Recommendations (called `checks` in this document) can run on Kubernetes Master,
 Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
 These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.
 
+### Omitting checks
+
+If you decide that a recommendation is not appropriate for your environment, you can choose to omit it by editing the test YAML file to give it the check type `skip` as in this example: 
+
+```yaml
+  checks:
+  - id: 2.1.1
+    text: "Ensure that the --allow-privileged argument is set to false (Scored)"
+    type: "skip"
+    scored: true
+```
+
+No tests will be run for this check and the output will be marked [INFO].
+
 ## Tests
 Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.
 
@@ -188,4 +224,4 @@ Next you'll have to build the kube-bench docker image using `make build-docker`,
 
 Finally we can use the `make kind-run` target to run the current version of kube-bench in the cluster and follow the logs of pods created. (Ctrl+C to exit)
 
-Everytime you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` )
+Everytime you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` )

cfg/1.13/master.yaml

@@ -366,7 +366,10 @@ groups:
     text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
     audit: "ps -ef | grep $apiserverbin | grep -v grep"
     tests:
+      bin_op: or
       test_items:
+      - flag: "--service-account-lookup"
+        set: false
       - flag: "--service-account-lookup"
         compare:
           op: eq
@@ -1213,7 +1216,7 @@ groups:
     scored: true
     
   - id: 1.4.21
-    text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)"
+    text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Scored)"
     audit: "stat -c %n\ %a /etc/kubernetes/pki/*.key"
     type: "manual"
     tests:

cfg/ocp-3.10/node.yaml

@@ -1,376 +1,376 @@
----
-controls:
-id: 2
-text: "Worker Node Security Configuration"
-type: "node"
-groups:
-- id: 2.1
-  text: "Kubelet"
-  checks:
-  - id: 2.1.1
-    text: "Ensure that the --allow-privileged argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 2.1.2
-    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 2.1.3
-    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
-    audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "authorization-mode"
-        set: false
-      - flag: "authorization-mode: Webhook"
-        compare:
-          op: has
-          value: "Webhook"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
-      kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
-    scored: true
-
-  - id: 2.1.4
-    text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
-    audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
-    tests:
-      test_items:
-      - flag: "client-ca-file"
-        set: false
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
-      grep -A1 client-ca-file /etc/origin/node/node-config.yaml
-
-      Reset to the OpenShift default. 
-      See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
-      The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
-    scored: true
-
-  - id: 2.1.5
-    text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
-    audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "read-only-port"
-        set: false
-      - flag: "read-only-port: 0"
-        compare:
-          op: has
-          value: "0"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
-    scored: true
-
-  - id: 2.1.6
-    text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
-    audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "streaming-connection-idle-timeout"
-        set: false
-      - flag: "0"
-        set: false
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
-      value like the following in node-config.yaml.
-      
-      kubeletArguments:
-        streaming-connection-idle-timeout:
-           - "5m"
-    scored: true
-
-  - id: 2.1.7
-    text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 2.1.8
-    text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
-    audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "make-iptables-util-chains"
-        set: false
-      - flag: "make-iptables-util-chains: true"
-        compare:
-          op: has
-          value: "true"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
-      default value of true. 
-    scored: true
-
-    id: 2.1.9
-    text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)"
-    audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
-    tests:
-      test_items:
-      - flag: "keep-terminated-pod-volumes: false"
-        compare:
-          op: has
-          value: "false"
-        set: true
-    remediation: |
-      Reset to the OpenShift defaults
-    scored: true
-
-  - id: 2.1.10
-    text: "Ensure that the --hostname-override argument is not set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 2.1.11
-    text: "Ensure that the --event-qps argument is set to 0 (Scored)"
-    audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "event-qps"
-        set: false
-      - flag: "event-qps: 0"
-        compare:
-          op: has
-          value: "0"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
-      the kubeletArguments section of.
-    scored: true
-
-  - id: 2.1.12
-    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
-    audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
-    tests:
-      test_items:
-      - flag: "/etc/origin/node/certificates"
-        compare:
-          op: has
-          value: "/etc/origin/node/certificates"
-        set: true
-    remediation: |
-      Reset to the OpenShift default values.
-    scored: true
-
-  - id: 2.1.13
-    text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
-    audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "cadvisor-port"
-        set: false
-      - flag: "cadvisor-port: 0"
-        compare:
-          op: has
-          value: "0"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag 
-      if it is set in the  kubeletArguments section.
-    scored: true
-
-  - id: 2.1.14
-    text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)"
-    audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
-    tests:
-      test_items:
-      - flag: "RotateKubeletClientCertificate=true"
-        compare:
-          op: has
-          value: "true"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
-    scored: true
-
-  - id: 2.1.15
-    text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
-    audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
-    test:
-      test_items:
-      - flag: "RotateKubeletServerCertificate=true"
-        compare:
-          op: has
-          value: "true"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
-    scored: true
-
-
-- id: 2.2
-  text: "Configuration Files"
-  checks:
-  - id: 2.2.1
-    text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a  /etc/origin/node/node.kubeconfig"
-    tests:
-      bin_op: or
-      test_items:
-        - flag: "644"
-          compare:
-            op: eq
-            value: "644"
-          set: true
-        - flag: "640"
-          compare:
-            op: eq
-            value: "640"
-          set: true
-        - flag: "600"
-          compare:
-            op: eq
-            value: "600"
-          set: true
-    remediation: |
-      Run the below command on each worker node.
-      chmod 644 /etc/origin/node/node.kubeconfig
-    scored: true
-
-  - id: 2.2.2
-    text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
-    tests:
-      test_items:
-        - flag: "root:root"
-          compare:
-            op: eq
-            value: root:root
-          set: true
-      remediation: |
-        Run the below command on each worker node.
-        chown root:root /etc/origin/node/node.kubeconfig
-      scored: true
-
-  - id: 2.2.3
-    text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
-    tests:
-      bin_op: or
-      test_items:
-        - flag: "644"
-          compare:
-            op: eq
-            value: "644"
-          set: true
-        - flag: "640"
-          compare:
-            op: eq
-            value: "640"
-          set: true
-        - flag: "600"
-          compare:
-            op: eq
-            value: "600"
-          set: true
-    remediation: |
-      Run the below command on each worker node.
-      chmod 644 /etc/systemd/system/atomic-openshift-node.service
-    scored: true
-
-  - id: 2.2.4
-    text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
-    tests:
-      test_items:
-        - flag: "root:root"
-          compare:
-            op: eq
-            value: root:root
-          set: true
-      remediation: |
-        Run the below command on each worker node.
-        chown root:root /etc/systemd/system/atomic-openshift-node.service
-      scored: true
-
-  - id: 2.2.5
-    text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/node/node.kubeconfig"
-    tests:
-      bin_op: or
-      test_items:
-        - flag: "644"
-          compare:
-            op: eq
-            value: "644"
-          set: true
-        - flag: "640"
-          compare:
-            op: eq
-            value: "640"
-          set: true
-        - flag: "600"
-          compare:
-            op: eq
-            value: "600"
-          set: true
-    remediation: |
-      Run the below command on each worker node.
-      chmod 644 /etc/origin/node/node.kubeconfig
-    scored: true
-
-  - id: 2.2.6
-    text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
-    tests:
-      test_items:
-        - flag: "root:root"
-          compare:
-            op: eq
-            value: root:root
-          set: true
-      remediation: |
-        Run the below command on each worker node.
-        chown root:root /etc/origin/node/node.kubeconfig
-      scored: true
-
-  - id: 2.2.7
-    text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/node/client-ca.crt"
-    tests:
-      bin_op: or
-      test_items:
-        - flag: "644"
-          compare:
-            op: eq
-            value: "644"
-          set: true
-        - flag: "640"
-          compare:
-            op: eq
-            value: "640"
-          set: true
-        - flag: "600"
-          compare:
-            op: eq
-            value: "600"
-          set: true
-    remediation: |
-      Run the below command on each worker node.
-      chmod 644 /etc/origin/node/client-ca.crt
-    scored: true
-
-  - id: 2.2.8
-    text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
-    tests:
-      test_items:
-        - flag: "root:root"
-          compare:
-            op: eq
-            value: root:root
-          set: true
-      remediation: |
-        Run the below command on each worker node.
-        chown root:root /etc/origin/node/client-ca.crt
-      scored: true
+---
+controls:
+id: 2
+text: "Worker Node Security Configuration"
+type: "node"
+groups:
+- id: 7
+  text: "Kubelet"
+  checks:
+  - id: 7.1
+    text: "Use Security Context Constraints to manage privileged containers as needed"
+    type: "skip"
+    scored: true
+
+  - id: 7.2
+    text: "Ensure anonymous-auth is not disabled"
+    type: "skip"
+    scored: true
+
+  - id: 7.3
+    text: "Verify that the --authorization-mode argument is set to WebHook"
+    audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "authorization-mode"
+        set: false
+      - flag: "authorization-mode: Webhook"
+        compare:
+          op: has
+          value: "Webhook"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
+      kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
+    scored: true
+
+  - id: 7.4
+    text: "Verify the OpenShift default for the client-ca-file argument"
+    audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "client-ca-file"
+        set: false
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
+      grep -A1 client-ca-file /etc/origin/node/node-config.yaml
+
+      Reset to the OpenShift default. 
+      See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
+      The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
+    scored: true
+
+  - id: 7.5
+    text: "Verify the OpenShift default setting for the read-only-port argument"
+    audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "read-only-port"
+        set: false
+      - flag: "read-only-port: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
+    scored: true
+
+  - id: 7.6
+    text: "Adjust the streaming-connection-idle-timeout argument"
+    audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "streaming-connection-idle-timeout"
+        set: false
+      - flag: "5m"
+        set: false
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
+      value like the following in node-config.yaml.
+      
+      kubeletArguments:
+        streaming-connection-idle-timeout:
+           - "5m"
+    scored: true
+
+  - id: 7.7
+    text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
+    type: "skip"
+    scored: true
+
+  - id: 7.8
+    text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
+    audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "make-iptables-util-chains"
+        set: false
+      - flag: "make-iptables-util-chains: true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
+      default value of true. 
+    scored: true
+
+  - id: 7.9
+    text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
+    audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "keep-terminated-pod-volumes: false"
+        compare:
+          op: has
+          value: "false"
+        set: true
+    remediation: |
+      Reset to the OpenShift defaults
+    scored: true
+
+  - id: 7.10
+    text: "Verify the OpenShift defaults for the hostname-override argument"
+    type: "skip"
+    scored: true
+
+  - id: 7.11
+    text: "Set the --event-qps argument to 0"
+    audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "event-qps"
+        set: false
+      - flag: "event-qps: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
+      the kubeletArguments section of.
+    scored: true
+
+  - id: 7.12
+    text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
+    audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "/etc/origin/node/certificates"
+        compare:
+          op: has
+          value: "/etc/origin/node/certificates"
+        set: true
+    remediation: |
+      Reset to the OpenShift default values.
+    scored: true
+
+  - id: 7.13
+    text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
+    audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "cadvisor-port"
+        set: false
+      - flag: "cadvisor-port: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag 
+      if it is set in the  kubeletArguments section.
+    scored: true
+
+  - id: 7.14
+    text: "Verify that the RotateKubeletClientCertificate argument is set to true"
+    audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "RotateKubeletClientCertificate=true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
+    scored: true
+
+  - id: 7.15
+    text: "Verify that the RotateKubeletServerCertificate argument is set to true"
+    audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
+    test:
+      test_items:
+      - flag: "RotateKubeletServerCertificate=true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
+    scored: true
+
+
+- id: 8
+  text: "Configuration Files"
+  checks:
+  - id: 8.1
+    text: "Verify the OpenShift default permissions for the kubelet.conf file"
+    audit: "stat -c %a  /etc/origin/node/node.kubeconfig"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/node.kubeconfig
+    scored: true
+
+  - id: 8.2
+    text: "Verify the kubeconfig file ownership of root:root"
+    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/node.kubeconfig
+      scored: true
+
+  - id: 8.3
+    text: "Verify the kubelet service file permissions of 644"
+    audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/systemd/system/atomic-openshift-node.service
+    scored: true
+
+  - id: 8.4
+    text: "Verify the kubelet service file ownership of root:root"
+    audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/systemd/system/atomic-openshift-node.service
+      scored: true
+
+  - id: 8.5
+    text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
+    audit: "stat -c %a /etc/origin/node/node.kubeconfig"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/node.kubeconfig
+    scored: true
+
+  - id: 8.6
+    text: "Verify the proxy kubeconfig file ownership of root:root"
+    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/node.kubeconfig
+      scored: true
+
+  - id: 8.7
+    text: "Verify the OpenShift default permissions for the certificate authorities file."
+    audit: "stat -c %a /etc/origin/node/client-ca.crt"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/client-ca.crt
+    scored: true
+
+  - id: 8.8
+    text: "Verify the client certificate authorities file ownership of root:root"
+    audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/client-ca.crt
+      scored: true

check/check.go

@@ -166,6 +166,8 @@ func (c *Check) Run() {
 		i++
 	}
 
+	glog.V(3).Info(out.String())
+
 	finalOutput := c.Tests.execute(out.String())
 	if finalOutput != nil {
 		c.ActualValue = finalOutput.actualResult

check/data

@@ -158,3 +158,12 @@ groups:
             set: true
 
 
+    - id: 14
+      text: "check that flag some-arg is set to some-val with ':' separator"
+      tests:
+        test_items:
+          - flag: "some-arg"
+            compare:
+              op: eq
+              value: some-val
+            set: true

check/test.go

@@ -68,7 +68,7 @@ func (t *testItem) execute(s string) *testOutput {
 			// --flag
 			// somevalue
 			//pttn := `(` + t.Flag + `)(=)*([^\s,]*) *`
-			pttn := `(` + t.Flag + `)(=)*([^\s]*) *`
+			pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
 			flagRe := regexp.MustCompile(pttn)
 			vals := flagRe.FindStringSubmatch(s)
 

check/test_test.go

@@ -110,6 +110,16 @@ func TestTestExecute(t *testing.T) {
 			controls.Groups[0].Checks[13],
 			"2:45 ../kubernetes/kube-apiserver --option --admission-control=Something ---audit-log-maxage=40",
 		},
+		{
+			// check for ':' as argument-value separator, with space between arg and val
+			controls.Groups[0].Checks[14],
+			"2:45 kube-apiserver some-arg: some-val --admission-control=Something ---audit-log-maxage=40",
+		},
+		{
+			// check for ':' as argument-value separator, with no space between arg and val
+			controls.Groups[0].Checks[14],
+			"2:45 kube-apiserver some-arg:some-val --admission-control=Something ---audit-log-maxage=40",
+		},
 	}
 
 	for _, c := range cases {