github/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2026-02-25 23:34:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github:v0.6.14
Branches Tags
github:main github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2-1.41.2 github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/securityhub-1.67.5 github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.32.10 github:dependabot/github_actions/goreleaser/goreleaser-action-7 github:lihiz_preflight github:dependabot/github_actions/golangci/golangci-lint-action-7 github:gh-pages github:aquadev
github:v0.15.0 github:v0.14.1 github:v0.14.0 github:v0.13.0 github:v0.12.0 github:v0.11.2 github:v0.11.1 github:v0.11.0 github:v0.10.7 github:v0.10.6 github:v0.10.5 github:v0.10.4 github:v0.10.3 github:v0.10.2 github:v0.10.1 github:v0.10.0 github:v0.9.4 github:v0.9.3 github:v0.9.2 github:v0.9.1 github:v0.9.0 github:v0.8.0 github:v0.7.3 github:v0.7.2 github:v0.7.1 github:v0.7.0 github:v0.6.19 github:v0.6.18 github:v0.6.18-rc github:v0.6.17 github:v0.6.16 github:v0.6.16-rc github:v0.6.15 github:v0.6.14 github:v0.6.14-rc github:v0.6.13 github:v0.6.13-rc2 github:v0.6.13-rc github:v0.6.12 github:v0.6.12-rc github:v0.6.11 github:v0.6.10 github:v0.6.9 github:v0.6.8 github:v0.6.7 github:v0.6.7-rc1 github:v0.6.6 github:v0.6.5 github:v0.6.4 github:v0.6.3 github:v0.6.2 github:0.6.1 github:v0.6.0 github:v0.5.0 github:v0.4.0 github:v0.3.1 github:v0.3.0 github:v0.2.3 github:v0.0.1-alpha.0 github:v0.2.2 github:v0.2.1 github:v0.2.0 github:v0.1.0 github:v0.0.34 github:v0.0.33 github:v0.0.32 github:v0.0.31 github:v0.0.30 github:v0.0.29 github:v0.0.27 github:V0.0.27 github:v0.0.28 github:0.0.27 github:v0.0.26 github:v0.0.25 github:v0.0.24 github:v0.0.23 github:v0.0.22 github:v0.0.21 github:v0.0.20 github:v0.0.18 github:v0.0.19 github:v0.0.17 github:v0.0.16 github:v0.0.15 github:v0.0.14 github:0.0.14 github:v0.0.13 github:v0.0.12 github:v0.0.11 github:v0.0.10 github:v0.0.9 github:v0.0.8 github:v0.0.7 github:v0.0.6 github:v0.0.5 github:v0.0.4 github:v0.0.3 github:v0.0.2 github:v0.0.1
..
compare: github:v0.6.8
Branches Tags
github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2-1.41.2 github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2/service/securityhub-1.67.5 github:dependabot/go_modules/github.com/aws/aws-sdk-go-v2/config-1.32.10 github:dependabot/github_actions/goreleaser/goreleaser-action-7 github:main github:lihiz_preflight github:dependabot/github_actions/golangci/golangci-lint-action-7 github:gh-pages github:aquadev
github:v0.15.0 github:v0.14.1 github:v0.14.0 github:v0.13.0 github:v0.12.0 github:v0.11.2 github:v0.11.1 github:v0.11.0 github:v0.10.7 github:v0.10.6 github:v0.10.5 github:v0.10.4 github:v0.10.3 github:v0.10.2 github:v0.10.1 github:v0.10.0 github:v0.9.4 github:v0.9.3 github:v0.9.2 github:v0.9.1 github:v0.9.0 github:v0.8.0 github:v0.7.3 github:v0.7.2 github:v0.7.1 github:v0.7.0 github:v0.6.19 github:v0.6.18 github:v0.6.18-rc github:v0.6.17 github:v0.6.16 github:v0.6.16-rc github:v0.6.15 github:v0.6.14 github:v0.6.14-rc github:v0.6.13 github:v0.6.13-rc2 github:v0.6.13-rc github:v0.6.12 github:v0.6.12-rc github:v0.6.11 github:v0.6.10 github:v0.6.9 github:v0.6.8 github:v0.6.7 github:v0.6.7-rc1 github:v0.6.6 github:v0.6.5 github:v0.6.4 github:v0.6.3 github:v0.6.2 github:0.6.1 github:v0.6.0 github:v0.5.0 github:v0.4.0 github:v0.3.1 github:v0.3.0 github:v0.2.3 github:v0.0.1-alpha.0 github:v0.2.2 github:v0.2.1 github:v0.2.0 github:v0.1.0 github:v0.0.34 github:v0.0.33 github:v0.0.32 github:v0.0.31 github:v0.0.30 github:v0.0.29 github:v0.0.27 github:V0.0.27 github:v0.0.28 github:0.0.27 github:v0.0.26 github:v0.0.25 github:v0.0.24 github:v0.0.23 github:v0.0.22 github:v0.0.21 github:v0.0.20 github:v0.0.18 github:v0.0.19 github:v0.0.17 github:v0.0.16 github:v0.0.15 github:v0.0.14 github:0.0.14 github:v0.0.13 github:v0.0.12 github:v0.0.11 github:v0.0.10 github:v0.0.9 github:v0.0.8 github:v0.0.7 github:v0.0.6 github:v0.0.5 github:v0.0.4 github:v0.0.3 github:v0.0.2 github:v0.0.1

1 Commits
v0.6.14 ... v0.6.8

Author SHA1 Message Date
chenk
d77d9a368a release: prepare v0.6.8 
Signed-off-by: chenk <hen.keinan@gmail.com>
 2022-04-24 13:14:38 +03:00
78 changed files with 819 additions and 5949 deletions
Expand all files Collapse all files

20
.github/workflows/build.yml vendored
View File

@@ -14,19 +14,19 @@ on:
- "LICENSE"
- "NOTICE"
env:
GO_VERSION: "1.19"
GO_VERSION: "1.16"
KIND_VERSION: "v0.11.1"
KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
runs-on: ubuntu-18.04
steps:
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
go-version: 1.16
- name: Checkout code
uses: actions/checkout@v3
- name: yaml-lint
@@ -38,12 +38,12 @@ jobs:
args: --verbose
unit:
name: Unit tests
runs-on: ubuntu-latest
runs-on: ubuntu-18.04
steps:
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
go-version: 1.16
- name: Checkout code
uses: actions/checkout@v3
- name: Run unit tests
@@ -54,12 +54,12 @@ jobs:
file: ./coverage.txt
e2e:
name: E2e tests
runs-on: ubuntu-latest
runs-on: ubuntu-18.04
steps:
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
go-version: 1.16
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Kubernetes cluster (KIND)
@@ -83,19 +83,19 @@ jobs:
expected_result: PASSED
release:
name: Release snapshot
runs-on: ubuntu-latest
runs-on: ubuntu-18.04
needs: [e2e, unit]
steps:
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
go-version: 1.16
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Dry-run release snapshot
uses: goreleaser/goreleaser-action@v4
uses: goreleaser/goreleaser-action@v2
with:
distribution: goreleaser
version: v1.7.0

4
.github/workflows/mkdocs-deploy.yaml vendored
View File

@@ -13,14 +13,14 @@ on:
jobs:
deploy:
name: Deploy documentation
runs-on: ubuntu-latest
runs-on: ubuntu-18.04
steps:
- name: Checkout main
uses: actions/checkout@v3
with:
fetch-depth: 0
persist-credentials: true
- uses: actions/setup-python@v4
- uses: actions/setup-python@v3
with:
python-version: 3.x
- run: |

31
.github/workflows/publish.yml vendored
View File

@@ -12,15 +12,15 @@ env:
jobs:
publish:
name: Publish
runs-on: ubuntu-latest
runs-on: ubuntu-18.04
steps:
- name: Check Out Repo
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v1
- name: Cache Docker layers
uses: actions/cache@v3
with:
@@ -29,19 +29,19 @@ jobs:
restore-keys: |
${{ runner.os }}-buildxarch-
- name: Login to Docker Hub
uses: docker/login-action@v2
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to ECR
uses: docker/login-action@v2
uses: docker/login-action@v1
with:
registry: public.ecr.aws
username: ${{ secrets.ECR_ACCESS_KEY_ID }}
password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
- name: Get version
id: get_version
uses: crazy-max/ghaction-docker-meta@v4
uses: crazy-max/ghaction-docker-meta@v3
with:
images: ${{ env.REP }}
tag-semver: |
@@ -49,7 +49,7 @@ jobs:
- name: Build and push - Docker/ECR
id: docker_build
uses: docker/build-push-action@v4
uses: docker/build-push-action@v2
with:
context: .
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
@@ -64,22 +64,5 @@ jobs:
public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:latest
cache-from: type=local,src=/tmp/.buildx-cache/release
cache-to: type=local,mode=max,dest=/tmp/.buildx-cache/release
- name: Build and push ubi image - Docker/ECR
id: docker_build_ubi
uses: docker/build-push-action@v4
with:
context: .
platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
builder: ${{ steps.buildx.outputs.name }}
push: true
file: Dockerfile.ubi
build-args: |
KUBEBENCH_VERSION=${{ steps.get_version.outputs.version }}
tags: |
${{ env.DOCKERHUB_ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}-ubi
cache-from: type=local,src=/tmp/.buildx-cache/release
cache-to: type=local,mode=max,dest=/tmp/.buildx-cache/release
- name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }}

8
.github/workflows/release.yml vendored
View File

@@ -5,19 +5,19 @@ on:
tags:
- "v*"
env:
GO_VERSION: "1.19"
GO_VERSION: "1.16"
KIND_VERSION: "v0.11.1"
KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
jobs:
release:
name: Release
runs-on: ubuntu-latest
runs-on: ubuntu-18.04
steps:
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
go-version: 1.16
- name: Checkout code
uses: actions/checkout@v3
with:
@@ -44,7 +44,7 @@ jobs:
second_file_path: integration/testdata/Expected_output.data
expected_result: PASSED
- name: Release
uses: goreleaser/goreleaser-action@v4
uses: goreleaser/goreleaser-action@v2
with:
distribution: goreleaser
version: v1.7.0

1
.goreleaser.yml
View File

@@ -8,7 +8,6 @@ builds:
binary: kube-bench
goos:
- linux
- darwin
goarch:
- amd64
- arm

1
CONTRIBUTING.md
View File

@@ -77,4 +77,3 @@ Finally, we can use the `make kind-run` target to run the current version of kub
Every time you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` )
To run the STIG tests locally execute the following: `make build-docker kind-push kind-run-stig`

7
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM golang:1.19.4 AS build
FROM golang:1.18.1 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile
COPY go.mod go.sum ./
@@ -9,7 +9,7 @@ COPY internal/ internal/
ARG KUBEBENCH_VERSION
RUN make build && cp kube-bench /go/bin/kube-bench
FROM alpine:3.17 AS run
FROM alpine:3.15.4 AS run
WORKDIR /opt/kube-bench/
# add GNU ps for -C, -o cmd, and --no-headers support
# https://github.com/aquasecurity/kube-bench/issues/109
@@ -26,7 +26,8 @@ RUN apk update && apk upgrade && apk --no-cache add openssl
# Add glibc for running oc command
RUN wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
RUN apk add gcompat
RUN wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.33-r0/glibc-2.33-r0.apk
RUN apk add glibc-2.33-r0.apk
RUN apk add jq
ENV PATH=$PATH:/usr/local/mount-from-host/bin

49
Dockerfile.ubi
View File

@@ -1,49 +0,0 @@
FROM golang:1.19.4 AS build
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
COPY makefile makefile
COPY go.mod go.sum ./
COPY main.go .
COPY check/ check/
COPY cmd/ cmd/
COPY internal/ internal/
ARG KUBEBENCH_VERSION
RUN make build && cp kube-bench /go/bin/kube-bench
# ubi8-minimal base image for build with ubi standards
FROM registry.access.redhat.com/ubi8/ubi-minimal as run
RUN microdnf install -y yum findutils openssl \
&& yum -y update-minimal --security --sec-severity=Moderate --sec-severity=Important --sec-severity=Critical \
&& yum update -y \
&& yum install -y glibc \
&& yum update -y glibc \
&& yum install -y procps \
&& yum update -y procps \
&& yum install jq -y \
&& yum clean all \
&& microdnf remove yum || rpm -e -v yum \
&& microdnf clean all
WORKDIR /opt/kube-bench/
ENV PATH=$PATH:/usr/local/mount-from-host/bin
COPY LICENSE /licenses/LICENSE
COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
COPY entrypoint.sh .
COPY cfg/ cfg/
ENTRYPOINT ["./entrypoint.sh"]
CMD ["install"]
# Build-time metadata as defined at http://label-schema.org
ARG BUILD_DATE
ARG VCS_REF
LABEL org.label-schema.build-date=$BUILD_DATE \
org.label-schema.name="kube-bench" \
org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.vcs-ref=$VCS_REF \
org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
org.label-schema.schema-version="1.0"

16
cfg/cis-1.20/master.yaml
View File

@@ -153,13 +153,7 @@ groups:
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c permissions=%a "$DATA_DIR"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
tests:
test_items:
- flag: "permissions"
@@ -176,13 +170,7 @@ groups:
- id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c %U:%G "$DATA_DIR"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
tests:
test_items:
- flag: "etcd:etcd"

4
cfg/cis-1.20/node.yaml
View File

@@ -388,7 +388,7 @@ groups:
scored: false
- id: 4.2.11
text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@@ -412,7 +412,7 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
scored: false
- id: 4.2.12
text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"

16
cfg/cis-1.23/master.yaml
View File

@@ -147,13 +147,7 @@ groups:
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c permissions=%a "$DATA_DIR"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
tests:
test_items:
- flag: "permissions"
@@ -169,13 +163,7 @@ groups:
- id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c %U:%G "$DATA_DIR"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
tests:
test_items:
- flag: "etcd:etcd"

2
cfg/cis-1.24/config.yaml
View File

@@ -1,2 +0,0 @@
---
## Version-specific settings that override the values in cfg/config.yaml

46
cfg/cis-1.24/controlplane.yaml
View File

@@ -1,46 +0,0 @@
---
controls:
version: "cis-1.24"
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 3.1
text: "Authentication and Authorization"
checks:
- id: 3.1.1
text: "Client certificate authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
implemented in place of client certificates.
scored: false
- id: 3.2
text: "Logging"
checks:
- id: 3.2.1
text: "Ensure that a minimal audit policy is created (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-policy-file"
set: true
remediation: |
Create an audit policy file for your cluster.
scored: false
- id: 3.2.2
text: "Ensure that the audit policy covers key security concerns (Manual)"
type: "manual"
remediation: |
Review the audit policy provided for the cluster and ensure that it covers
at least the following areas,
- Access to Secrets managed by the cluster. Care should be taken to only
log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in
order to avoid risk of logging sensitive data.
- Modification of Pod and Deployment objects.
- Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`.
For most requests, minimally logging at the Metadata level is recommended
(the most basic level of logging).
scored: false

135
cfg/cis-1.24/etcd.yaml
View File

@@ -1,135 +0,0 @@
---
controls:
version: "cis-1.24"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
- id: 2
text: "Etcd Node Configuration"
checks:
- id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
bin_op: and
test_items:
- flag: "--cert-file"
env: "ETCD_CERT_FILE"
- flag: "--key-file"
env: "ETCD_KEY_FILE"
remediation: |
Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master node and set the below parameters.
--cert-file=</path/to/ca-file>
--key-file=</path/to/key-file>
scored: true
- id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
test_items:
- flag: "--client-cert-auth"
env: "ETCD_CLIENT_CERT_AUTH"
compare:
op: eq
value: true
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--client-cert-auth="true"
scored: true
- id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
set: false
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
compare:
op: eq
value: false
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false
scored: true
- id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
set as appropriate (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
bin_op: and
test_items:
- flag: "--peer-cert-file"
env: "ETCD_PEER_CERT_FILE"
- flag: "--peer-key-file"
env: "ETCD_PEER_KEY_FILE"
remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster.
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>
scored: true
- id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
test_items:
- flag: "--peer-client-cert-auth"
env: "ETCD_PEER_CLIENT_CERT_AUTH"
compare:
op: eq
value: true
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and set the below parameter.
--peer-client-cert-auth=true
scored: true
- id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
set: false
- flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
compare:
op: eq
value: false
remediation: |
Edit the etcd pod specification file $etcdconf on the master
node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false
scored: true
- id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
test_items:
- flag: "--trusted-ca-file"
env: "ETCD_TRUSTED_CA_FILE"
remediation: |
[Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file>
scored: false

949
cfg/cis-1.24/master.yaml
View File

@@ -1,949 +0,0 @@
---
controls:
version: "cis-1.24"
id: 1
text: "Control Plane Security Configuration"
type: "master"
groups:
- id: 1.1
text: "Control Plane Node Configuration Files"
checks:
- id: 1.1.1
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the
control plane node.
For example, chmod 644 $apiserverconf
scored: true
- id: 1.1.2
text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example, chown root:root $apiserverconf
scored: true
- id: 1.1.3
text: "Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example, chmod 600 $controllermanagerconf
scored: true
- id: 1.1.4
text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example, chown root:root $controllermanagerconf
scored: true
- id: 1.1.5
text: "Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example, chmod 600 $schedulerconf
scored: true
- id: 1.1.6
text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example, chown root:root $schedulerconf
scored: true
- id: 1.1.7
text: "Ensure that the etcd pod specification file permissions are set to 600 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'"
use_multiple_values: true
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod 600 $etcdconf
scored: true
- id: 1.1.8
text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c %U:%G; fi'"
use_multiple_values: true
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root $etcdconf
scored: true
- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 600 or more restrictive (Manual)"
audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c permissions=%a
find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
use_multiple_values: true
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example, chmod 600 <path/to/cni/files>
scored: false
- id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
use_multiple_values: true
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root <path/to/cni/files>
scored: false
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c permissions=%a "$DATA_DIR"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "700"
remediation: |
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the command 'ps -ef | grep etcd'.
Run the below command (based on the etcd data directory found above). For example,
chmod 700 /var/lib/etcd
scored: true
- id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c %U:%G "$DATA_DIR"
tests:
test_items:
- flag: "etcd:etcd"
remediation: |
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the command 'ps -ef | grep etcd'.
Run the below command (based on the etcd data directory found above).
For example, chown etcd:etcd /var/lib/etcd
scored: true
- id: 1.1.13
text: "Ensure that the admin.conf file permissions are set to 600 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example, chmod 600 /etc/kubernetes/admin.conf
scored: true
- id: 1.1.14
text: "Ensure that the admin.conf file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example, chown root:root /etc/kubernetes/admin.conf
scored: true
- id: 1.1.15
text: "Ensure that the scheduler.conf file permissions are set to 600 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod 600 $schedulerkubeconfig
scored: true
- id: 1.1.16
text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root $schedulerkubeconfig
scored: true
- id: 1.1.17
text: "Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod 600 $controllermanagerkubeconfig
scored: true
- id: 1.1.18
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root $controllermanagerkubeconfig
scored: true
- id: 1.1.19
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
audit: "find /etc/kubernetes/pki/ | xargs stat -c %U:%G"
use_multiple_values: true
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown -R root:root /etc/kubernetes/pki/
scored: true
- id: 1.1.20
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"
audit: "find /etc/kubernetes/pki/ -name '*.crt' | xargs stat -c permissions=%a"
use_multiple_values: true
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod -R 600 /etc/kubernetes/pki/*.crt
scored: false
- id: 1.1.21
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
audit: "find /etc/kubernetes/pki/ -name '*.key' | xargs stat -c permissions=%a"
use_multiple_values: true
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
chmod -R 600 /etc/kubernetes/pki/*.key
scored: false
- id: 1.2
text: "API Server"
checks:
- id: 1.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--anonymous-auth"
compare:
op: eq
value: false
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the below parameter.
--anonymous-auth=false
scored: false
- id: 1.2.2
text: "Ensure that the --token-auth-file parameter is not set (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--token-auth-file"
set: false
remediation: |
Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the API server pod specification file $apiserverconf
on the control plane node and remove the --token-auth-file=<filename> parameter.
scored: true
- id: 1.2.3
text: "Ensure that the --DenyServiceExternalIPs is not set (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--enable-admission-plugins"
compare:
op: nothave
value: "DenyServiceExternalIPs"
- flag: "--enable-admission-plugins"
set: false
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and remove the `DenyServiceExternalIPs`
from enabled admission plugins.
scored: true
- id: 1.2.4
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
- flag: "--kubelet-client-certificate"
- flag: "--kubelet-client-key"
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and kubelets. Then, edit API server pod specification file
$apiserverconf on the control plane node and set the
kubelet client certificate and key parameters as below.
--kubelet-client-certificate=<path/to/client-certificate-file>
--kubelet-client-key=<path/to/client-key-file>
scored: true
- id: 1.2.5
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--kubelet-certificate-authority"
remediation: |
Follow the Kubernetes documentation and setup the TLS connection between
the apiserver and kubelets. Then, edit the API server pod specification file
$apiserverconf on the control plane node and set the
--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>
scored: true
- id: 1.2.6
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: nothave
value: "AlwaysAllow"
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the --authorization-mode parameter to values other than AlwaysAllow.
One such example could be as below.
--authorization-mode=RBAC
scored: true
- id: 1.2.7
text: "Ensure that the --authorization-mode argument includes Node (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: has
value: "Node"
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the --authorization-mode parameter to a value that includes Node.
--authorization-mode=Node,RBAC
scored: true
- id: 1.2.8
text: "Ensure that the --authorization-mode argument includes RBAC (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: has
value: "RBAC"
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the --authorization-mode parameter to a value that includes RBAC,
for example `--authorization-mode=Node,RBAC`.
scored: true
- id: 1.2.9
text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "EventRateLimit"
remediation: |
Follow the Kubernetes documentation and set the desired limits in a configuration file.
Then, edit the API server pod specification file $apiserverconf
and set the below parameters.
--enable-admission-plugins=...,EventRateLimit,...
--admission-control-config-file=<path/to/configuration/file>
scored: false
- id: 1.2.10
text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--enable-admission-plugins"
compare:
op: nothave
value: AlwaysAdmit
- flag: "--enable-admission-plugins"
set: false
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and either remove the --enable-admission-plugins parameter, or set it to a
value that does not include AlwaysAdmit.
scored: true
- id: 1.2.11
text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "AlwaysPullImages"
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the --enable-admission-plugins parameter to include
AlwaysPullImages.
--enable-admission-plugins=...,AlwaysPullImages,...
scored: false
- id: 1.2.12
text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "SecurityContextDeny"
- flag: "--enable-admission-plugins"
compare:
op: has
value: "PodSecurityPolicy"
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the --enable-admission-plugins parameter to include
SecurityContextDeny, unless PodSecurityPolicy is already in place.
--enable-admission-plugins=...,SecurityContextDeny,...
scored: false
- id: 1.2.13
text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--disable-admission-plugins"
compare:
op: nothave
value: "ServiceAccount"
- flag: "--disable-admission-plugins"
set: false
remediation: |
Follow the documentation and create ServiceAccount objects as per your environment.
Then, edit the API server pod specification file $apiserverconf
on the control plane node and ensure that the --disable-admission-plugins parameter is set to a
value that does not include ServiceAccount.
scored: true
- id: 1.2.14
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--disable-admission-plugins"
compare:
op: nothave
value: "NamespaceLifecycle"
- flag: "--disable-admission-plugins"
set: false
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the --disable-admission-plugins parameter to
ensure it does not include NamespaceLifecycle.
scored: true
- id: 1.2.15
text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "NodeRestriction"
remediation: |
Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.
Then, edit the API server pod specification file $apiserverconf
on the control plane node and set the --enable-admission-plugins parameter to a
value that includes NodeRestriction.
--enable-admission-plugins=...,NodeRestriction,...
scored: true
- id: 1.2.16
text: "Ensure that the --secure-port argument is not set to 0 (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--secure-port"
compare:
op: gt
value: 0
- flag: "--secure-port"
set: false
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and either remove the --secure-port parameter or
set it to a different (non-zero) desired port.
scored: true
- id: 1.2.17
text: "Ensure that the --profiling argument is set to false (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
compare:
op: eq
value: false
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the below parameter.
--profiling=false
scored: true
- id: 1.2.18
text: "Ensure that the --audit-log-path argument is set (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-path"
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the --audit-log-path parameter to a suitable path and
file where you would like audit logs to be written, for example,
--audit-log-path=/var/log/apiserver/audit.log
scored: true
- id: 1.2.19
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxage"
compare:
op: gte
value: 30
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the --audit-log-maxage parameter to 30
or as an appropriate number of days, for example,
--audit-log-maxage=30
scored: true
- id: 1.2.20
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxbackup"
compare:
op: gte
value: 10
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
value. For example,
--audit-log-maxbackup=10
scored: true
- id: 1.2.21
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-log-maxsize"
compare:
op: gte
value: 100
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the --audit-log-maxsize parameter to an appropriate size in MB.
For example, to set it as 100 MB, --audit-log-maxsize=100
scored: true
- id: 1.2.22
text: "Ensure that the --request-timeout argument is set as appropriate (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
type: manual
remediation: |
Edit the API server pod specification file $apiserverconf
and set the below parameter as appropriate and if needed.
For example, --request-timeout=300s
scored: false
- id: 1.2.23
text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--service-account-lookup"
set: false
- flag: "--service-account-lookup"
compare:
op: eq
value: true
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the below parameter.
--service-account-lookup=true
Alternatively, you can delete the --service-account-lookup parameter from this file so
that the default takes effect.
scored: true
- id: 1.2.24
text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-key-file"
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and set the --service-account-key-file parameter
to the public key file for service accounts. For example,
--service-account-key-file=<filename>
scored: true
- id: 1.2.25
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
- flag: "--etcd-certfile"
- flag: "--etcd-keyfile"
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
Then, edit the API server pod specification file $apiserverconf
on the control plane node and set the etcd certificate and key file parameters.
--etcd-certfile=<path/to/client-certificate-file>
--etcd-keyfile=<path/to/client-key-file>
scored: true
- id: 1.2.26
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
- flag: "--tls-cert-file"
- flag: "--tls-private-key-file"
remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
Then, edit the API server pod specification file $apiserverconf
on the control plane node and set the TLS certificate and private key file parameters.
--tls-cert-file=<path/to/tls-certificate-file>
--tls-private-key-file=<path/to/tls-key-file>
scored: true
- id: 1.2.27
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--client-ca-file"
remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
Then, edit the API server pod specification file $apiserverconf
on the control plane node and set the client certificate authority file.
--client-ca-file=<path/to/client-ca-file>
scored: true
- id: 1.2.28
text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--etcd-cafile"
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
Then, edit the API server pod specification file $apiserverconf
on the control plane node and set the etcd certificate authority file parameter.
--etcd-cafile=<path/to/ca-file>
scored: true
- id: 1.2.29
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--encryption-provider-config"
remediation: |
Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file $apiserverconf
on the control plane node and set the --encryption-provider-config parameter to the path of that file.
For example, --encryption-provider-config=</path/to/EncryptionConfig/File>
scored: false
- id: 1.2.30
text: "Ensure that encryption providers are appropriately configured (Manual)"
audit: |
ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%')
if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi
tests:
test_items:
- flag: "provider"
compare:
op: valid_elements
value: "aescbc,kms,secretbox"
remediation: |
Follow the Kubernetes documentation and configure a EncryptionConfig file.
In this file, choose aescbc, kms or secretbox as the encryption provider.
scored: false
- id: 1.2.31
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--tls-cipher-suites"
compare:
op: valid_elements
value: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"
remediation: |
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and set the below parameter.
--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384
scored: false
- id: 1.3
text: "Controller Manager"
checks:
- id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--terminated-pod-gc-threshold"
remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and set the --terminated-pod-gc-threshold to an appropriate threshold,
for example, --terminated-pod-gc-threshold=10
scored: false
- id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
compare:
op: eq
value: false
remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and set the below parameter.
--profiling=false
scored: true
- id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--use-service-account-credentials"
compare:
op: noteq
value: false
remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node to set the below parameter.
--use-service-account-credentials=true
scored: true
- id: 1.3.4
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--service-account-private-key-file"
remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and set the --service-account-private-key-file parameter
to the private key file for service accounts.
--service-account-private-key-file=<filename>
scored: true
- id: 1.3.5
text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
- flag: "--root-ca-file"
remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and set the --root-ca-file parameter to the certificate bundle file`.
--root-ca-file=<path/to/file>
scored: true
- id: 1.3.6
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "RotateKubeletServerCertificate=false"
set: true
- flag: "--feature-gates"
set: false
remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
--feature-gates=RotateKubeletServerCertificate=true
scored: true
- id: 1.3.7
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--bind-address"
compare:
op: eq
value: "127.0.0.1"
- flag: "--bind-address"
set: false
remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and ensure the correct value for the --bind-address parameter
scored: true
- id: 1.4
text: "Scheduler"
checks:
- id: 1.4.1
text: "Ensure that the --profiling argument is set to false (Automated)"
audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests:
test_items:
- flag: "--profiling"
compare:
op: eq
value: false
remediation: |
Edit the Scheduler pod specification file $schedulerconf file
on the control plane node and set the below parameter.
--profiling=false
scored: true
- id: 1.4.2
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--bind-address"
compare:
op: eq
value: "127.0.0.1"
- flag: "--bind-address"
set: false
remediation: |
Edit the Scheduler pod specification file $schedulerconf
on the control plane node and ensure the correct value for the --bind-address parameter
scored: true

462
cfg/cis-1.24/node.yaml
View File

@@ -1,462 +0,0 @@
---
controls:
version: "cis-1.24"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 4.1
text: "Worker Node Configuration Files"
checks:
- id: 4.1.1
text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example, chmod 600 $kubeletsvc
scored: true
- id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
tests:
test_items:
- flag: root:root
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletsvc
scored: true
- id: 4.1.3
text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
tests:
bin_op: or
test_items:
- flag: "permissions"
set: true
compare:
op: bitmask
value: "600"
- flag: "$proxykubeconfig"
set: false
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chmod 600 $proxykubeconfig
scored: false
- id: 4.1.4
text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
tests:
bin_op: or
test_items:
- flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig
scored: false
- id: 4.1.5
text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chmod 600 $kubeletkubeconfig
scored: true
- id: 4.1.6
text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: root:root
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletkubeconfig
scored: true
- id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the following command to modify the file permissions of the
--client-ca-file chmod 600 <filename>
scored: false
- id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
Run the following command to modify the ownership of the --client-ca-file.
chown root:root <filename>
scored: false
- id: 4.1.9
text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the following command (using the config file location identified in the Audit step)
chmod 600 $kubeletconf
scored: false
- id: 4.1.10
text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests:
test_items:
- flag: root:root
remediation: |
Run the following command (using the config file location identified in the Audit step)
chown root:root $kubeletconf
scored: false
- id: 4.2
text: "Kubelet"
checks:
- id: 4.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--anonymous-auth"
path: '{.authentication.anonymous.enabled}'
compare:
op: eq
value: false
remediation: |
If using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to
`false`.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
`--anonymous-auth=false`
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 4.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
path: '{.authorization.mode}'
compare:
op: nothave
value: AlwaysAllow
remediation: |
If using a Kubelet config file, edit the file to set `authorization.mode` to Webhook. If
using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 4.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --client-ca-file
path: '{.authentication.x509.clientCAFile}'
remediation: |
If using a Kubelet config file, edit the file to set `authentication.x509.clientCAFile` to
the location of the client CA file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 4.2.4
text: "Verify that the --read-only-port argument is set to 0 (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: "--read-only-port"
path: '{.readOnlyPort}'
compare:
op: eq
value: 0
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: false
remediation: |
If using a Kubelet config file, edit the file to set `readOnlyPort` to 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 4.2.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --streaming-connection-idle-timeout
path: '{.streamingConnectionIdleTimeout}'
compare:
op: noteq
value: 0
- flag: --streaming-connection-idle-timeout
path: '{.streamingConnectionIdleTimeout}'
set: false
bin_op: or
remediation: |
If using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a
value other than 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 4.2.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --protect-kernel-defaults
path: '{.protectKernelDefaults}'
compare:
op: eq
value: true
remediation: |
If using a Kubelet config file, edit the file to set `protectKernelDefaults` to `true`.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 4.2.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --make-iptables-util-chains
path: '{.makeIPTablesUtilChains}'
compare:
op: eq
value: true
- flag: --make-iptables-util-chains
path: '{.makeIPTablesUtilChains}'
set: false
bin_op: or
remediation: |
If using a Kubelet config file, edit the file to set `makeIPTablesUtilChains` to `true`.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 4.2.8
text: "Ensure that the --hostname-override argument is not set (Manual)"
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "/bin/ps -fC $kubeletbin "
tests:
test_items:
- flag: --hostname-override
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 4.2.9
text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --event-qps
path: '{.eventRecordQPS}'
compare:
op: eq
value: 0
remediation: |
If using a Kubelet config file, edit the file to set `eventRecordQPS` to an appropriate level.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 4.2.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --tls-cert-file
path: '{.tlsCertFile}'
- flag: --tls-private-key-file
path: '{.tlsPrivateKeyFile}'
remediation: |
If using a Kubelet config file, edit the file to set `tlsCertFile` to the location
of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile`
to the location of the corresponding private key file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
--tls-private-key-file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 4.2.11
text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --rotate-certificates
path: '{.rotateCertificates}'
compare:
op: eq
value: true
- flag: --rotate-certificates
path: '{.rotateCertificates}'
set: false
bin_op: or
remediation: |
If using a Kubelet config file, edit the file to add the line `rotateCertificates` to `true` or
remove it altogether to use the default value.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
variable.
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 4.2.12
text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: RotateKubeletServerCertificate
path: '{.featureGates.RotateKubeletServerCertificate}'
compare:
op: nothave
value: false
- flag: RotateKubeletServerCertificate
path: '{.featureGates.RotateKubeletServerCertificate}'
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 4.2.13
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --tls-cipher-suites
path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
compare:
op: valid_elements
value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
remediation: |
If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
or to a subset of these values.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the --tls-cipher-suites parameter as follows, or to a subset of these values.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false

269
cfg/cis-1.24/policies.yaml
View File

@@ -1,269 +0,0 @@
---
controls:
version: "cis-1.24"
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
- id: 5.1
text: "RBAC and Service Accounts"
checks:
- id: 5.1.1
text: "Ensure that the cluster-admin role is only used where required (Manual)"
type: "manual"
remediation: |
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
if they need this role or if they could use a role with fewer privileges.
Where possible, first bind users to a lower privileged role and then remove the
clusterrolebinding to the cluster-admin role :
kubectl delete clusterrolebinding [name]
scored: false
- id: 5.1.2
text: "Minimize access to secrets (Manual)"
type: "manual"
remediation: |
Where possible, remove get, list and watch access to Secret objects in the cluster.
scored: false
- id: 5.1.3
text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
type: "manual"
remediation: |
Where possible replace any use of wildcards in clusterroles and roles with specific
objects or actions.
scored: false
- id: 5.1.4
text: "Minimize access to create pods (Manual)"
type: "manual"
remediation: |
Where possible, remove create access to pod objects in the cluster.
scored: false
- id: 5.1.5
text: "Ensure that default service accounts are not actively used. (Manual)"
type: "manual"
remediation: |
Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
scored: false
- id: 5.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
type: "manual"
remediation: |
Modify the definition of pods and service accounts which do not need to mount service
account tokens to disable it.
scored: false
- id: 5.1.7
text: "Avoid use of system:masters group (Manual)"
type: "manual"
remediation: |
Remove the system:masters group from all users in the cluster.
scored: false
- id: 5.1.8
text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
type: "manual"
remediation: |
Where possible, remove the impersonate, bind and escalate rights from subjects.
scored: false
- id: 5.2
text: "Pod Security Standards"
checks:
- id: 5.2.1
text: "Ensure that the cluster has at least one active policy control mechanism in place (Manual)"
type: "manual"
remediation: |
Ensure that either Pod Security Admission or an external policy control system is in place
for every namespace which contains user workloads.
scored: false
- id: 5.2.2
text: "Minimize the admission of privileged containers (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of privileged containers.
scored: false
- id: 5.2.3
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostPID` containers.
scored: false
- id: 5.2.4
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostIPC` containers.
scored: false
- id: 5.2.5
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostNetwork` containers.
scored: false
- id: 5.2.6
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.
scored: false
- id: 5.2.7
text: "Minimize the admission of root containers (Automated)"
type: "manual"
remediation: |
Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot`
or `MustRunAs` with the range of UIDs not including 0, is set.
scored: false
- id: 5.2.8
text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with the `NET_RAW` capability.
scored: false
- id: 5.2.9
text: "Minimize the admission of containers with added capabilities (Automated)"
type: "manual"
remediation: |
Ensure that `allowedCapabilities` is not present in policies for the cluster unless
it is set to an empty array.
scored: false
- id: 5.2.10
text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual"
remediation: |
Review the use of capabilites in applications running on your cluster. Where a namespace
contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities.
scored: false
- id: 5.2.11
text: "Minimize the admission of Windows HostProcess containers (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers that have `.securityContext.windowsOptions.hostProcess` set to `true`.
scored: false
- id: 5.2.12
text: "Minimize the admission of HostPath volumes (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with `hostPath` volumes.
scored: false
- id: 5.2.13
text: "Minimize the admission of containers which use HostPorts (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers which use `hostPort` sections.
scored: false
- id: 5.3
text: "Network Policies and CNI"
checks:
- id: 5.3.1
text: "Ensure that the CNI in use supports NetworkPolicies (Manual)"
type: "manual"
remediation: |
If the CNI plugin in use does not support network policies, consideration should be given to
making use of a different plugin, or finding an alternate mechanism for restricting traffic
in the Kubernetes cluster.
scored: false
- id: 5.3.2
text: "Ensure that all Namespaces have NetworkPolicies defined (Manual)"
type: "manual"
remediation: |
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
- id: 5.4
text: "Secrets Management"
checks:
- id: 5.4.1
text: "Prefer using Secrets as files over Secrets as environment variables (Manual)"
type: "manual"
remediation: |
If possible, rewrite application code to read Secrets from mounted secret files, rather than
from environment variables.
scored: false
- id: 5.4.2
text: "Consider external secret storage (Manual)"
type: "manual"
remediation: |
Refer to the Secrets management options offered by your cloud provider or a third-party
secrets management solution.
scored: false
- id: 5.5
text: "Extensible Admission Control"
checks:
- id: 5.5.1
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
type: "manual"
remediation: |
Follow the Kubernetes documentation and setup image provenance.
scored: false
- id: 5.7
text: "General Policies"
checks:
- id: 5.7.1
text: "Create administrative boundaries between resources using namespaces (Manual)"
type: "manual"
remediation: |
Follow the documentation and create namespaces for objects in your deployment as you need
them.
scored: false
- id: 5.7.2
text: "Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"
type: "manual"
remediation: |
Use `securityContext` to enable the docker/default seccomp profile in your pod definitions.
An example is as below:
securityContext:
seccompProfile:
type: RuntimeDefault
scored: false
- id: 5.7.3
text: "Apply SecurityContext to your Pods and Containers (Manual)"
type: "manual"
remediation: |
Follow the Kubernetes documentation and apply SecurityContexts to your Pods. For a
suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker
Containers.
scored: false
- id: 5.7.4
text: "The default namespace should not be used (Manual)"
type: "manual"
remediation: |
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
resources and that all new resources are created in a specific namespace.
scored: false

16
cfg/cis-1.5/master.yaml
View File

@@ -158,13 +158,7 @@ groups:
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c permissions=%a "$DATA_DIR"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
tests:
test_items:
- flag: "permissions"
@@ -182,13 +176,7 @@ groups:
- id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c %U:%G $DATA_DIR
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
tests:
test_items:
- flag: "etcd:etcd"

42
cfg/cis-1.6-k3s/config.yaml
View File

@@ -1,42 +0,0 @@
---
## Version-specific settings that override the values in cfg/config.yaml
master:
components:
- scheduler
- controllermanager
- node
scheduler:
kubeconfig:
- /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig
defaultkubeconfig: /var/lib/rancher/k3s/server/cred/scheduler.kubeconfig
controllermanager:
kubeconfig:
- /var/lib/rancher/k3s/server/cred/cloud-controller.kubeconfig
defaultkubeconfig: /var/lib/rancher/k3s/server/cred/cloud-controller.kubeconfig
etcd:
components:
- etcd
etcd:
confs:
- /var/lib/rancher/k3s/server/db/etcd/config
defaultconf: /var/lib/rancher/k3s/server/db/etcd/config
node:
components:
- proxy
- kubelet
proxy:
kubeconfig:
- "/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"
defaultkubeconfig: "/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig"
kubelet:
kubeconfig:
- "/var/lib/rancher/k3s/agent/kubelet.kubeconfig"
defaultkubeconfig: "/var/lib/rancher/k3s/agent/kubelet.kubeconfig"
cafile:
- "/var/lib/rancher/k3s/server/tls/server-ca.crt"
defaultcafile: "/var/lib/rancher/k3s/server/tls/server-ca.crt"

40
cfg/cis-1.6-k3s/controlplane.yaml
View File

@@ -1,40 +0,0 @@
---
controls:
version: "cis-1.6-k3s"
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 3.1
text: "Authentication and Authorization"
checks:
- id: 3.1.1
text: "Client certificate authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
implemented in place of client certificates.
scored: false
- id: 3.2
text: "Logging"
checks:
- id: 3.2.1
text: "Ensure that a minimal audit policy is created (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-policy-file"
tests:
test_items:
- flag: "--audit-policy-file"
set: true
remediation: |
Create an audit policy file for your cluster and pass it to k3s.
e.g. --kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit-log'
scored: true
- id: 3.2.2
text: "Ensure that the audit policy covers key security concerns (Manual)"
type: "manual"
remediation: |
Consider modification of the audit policy in use on the cluster to include these items, at a
minimum.
scored: false

119
cfg/cis-1.6-k3s/etcd.yaml
View File

@@ -1,119 +0,0 @@
---
controls:
version: "cis-1.6-k3s"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
- id: 2
text: "Etcd Node Configuration Files"
checks:
- id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate if use etcd as database (Automated)"
audit: grep -A 4 'client-transport-security' $etcdconf | grep -E 'cert-file|key-file'
tests:
bin_op: and
test_items:
- flag: "cert-file"
- flag: "key-file"
remediation: |
By default, K3s uses a config file for etcd that can be found at $etcdconf.
The config file contains client-transport-security: which has fields that have the peer cert and peer key files. No manual remediation needed.
scored: true
- id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: grep 'client-cert-auth' $etcdconf
tests:
test_items:
- flag: "client-cert-auth"
compare:
op: eq
value: true
remediation: |
By default, K3s uses a config file for etcd that can be found at $etcdconf.
client-cert-auth is set to true. No manual remediation needed.
scored: true
- id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: grep 'auto-tls' $etcdconf | cat
tests:
bin_op: or
test_items:
- flag: "auto-tls"
set: false
- flag: "auto-tls"
compare:
op: eq
value: false
remediation: |
By default, K3s starts Etcd without this flag. It is set to false by default.
scored: true
- id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
set as appropriate (Automated)"
audit: grep -A 4 'peer-transport-security' $etcdconf | grep -E 'cert-file|key-file'
tests:
bin_op: and
test_items:
- flag: "cert-file"
- flag: "key-file"
remediation: |
By default, K3s starts Etcd with a config file found here, $etcdconf.
The config file contains peer-transport-security: which has fields that have the peer cert and peer key files.
scored: true
- id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: grep -A 4 'peer-transport-security' $etcdconf | grep 'client-cert-auth'
tests:
test_items:
- flag: "client-cert-auth"
compare:
op: eq
value: true
remediation: |
By default, K3s uses a config file for etcd that can be found at $etcdconf.
The config file contains peer-transport-security: which has client-cert-auth set to true. No manual remediation needed.
scored: true
- id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: grep 'peer-auto-tls' $etcdconf | cat
tests:
bin_op: or
test_items:
- flag: "peer-auto-tls"
set: false
- flag: "peer-auto-tls"
compare:
op: eq
value: false
remediation: |
By default, K3s uses a config file for etcd that can be found at $etcdconf.
Within the file, it does not contain the peer-auto-tls field. No manual remediation needed.
scored: true
- id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
audit: |
if [ -f "$etcdconf" ];then
etcd_ca=$(grep 'trusted-ca-file' $etcdconf | awk -F ":|: *" '{print $NF}');
apiserver_ca=$(journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "trusted-ca-file" | awk -F "=" '{print $NF}')
if [ "$etcd_ca" == "$apiserver_ca" ]; then
echo 'etcd_and_apiserver_have_same_ca';
else
echo 'etcd_and_apiserver_ca_not_same1' ;
fi
else
echo 'etcd_and_apiserver_ca_not_same'; return ;
fi
tests:
test_items:
- flag: "etcd_and_apiserver_ca_not_same"
remediation: |
By default, K3s uses a config file for etcd that can be found at $etcdconf
and the trusted-ca-file parameters in it are set to unique values specific to etcd. No manual remediation needed.
scored: false

786
cfg/cis-1.6-k3s/master.yaml
View File

@@ -1,786 +0,0 @@
---
controls:
version: "cis-1.6-k3s"
id: 1
text: "Master Node Security Configuration"
type: "master"
groups:
- id: 1.1
text: "Master Node Configuration Files"
checks:
- id: 1.1.1
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 1.1.2
text: "Ensure that the API server pod specification file ownership is set to root:root (Not Applicable)"
scored: false
- id: 1.1.3
text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 1.1.4
text: "Ensure that the controller manager pod specification file ownership is set to root:root (Not Applicable)"
scored: false
- id: 1.1.5
text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 1.1.6
text: "Ensure that the scheduler pod specification file ownership is set to root:root (Not Applicable)"
scored: false
- id: 1.1.7
text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 1.1.8
text: "Ensure that the etcd pod specification file ownership is set to root:root (Not Applicable)"
scored: false
- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Not Applicable)"
scored: false
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive if etcd is used (Automated)"
audit: stat -c permissions=%a /var/lib/rancher/k3s/server/db/etcd
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "700"
remediation: |
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the below command:
journalctl -u k3s | grep 'Managed etcd' | grep -v grep
Run the below command (based on the etcd data directory found above). For example,
chmod 700 /var/lib/rancher/k3s/server/db/etcd
scored: true
- id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd if etcd is used (Not Applicable)"
scored: false
- id: 1.1.13
text: "Ensure that the admin.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c permissions=%a /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the k3s node.
For example,
chmod 644 /var/lib/rancher/k3s/server/cred/admin.kubeconfig
scored: true
- id: 1.1.14
text: "Ensure that the admin.kubeconfig file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e /var/lib/rancher/k3s/server/cred/admin.kubeconfig; then stat -c %U:%G /var/lib/rancher/k3s/server/cred/admin.kubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the k3s node.
For example,
chown root:root /var/lib/rancher/k3s/server/cred/admin.kubeconfig
scored: true
- id: 1.1.15
text: "Ensure that the scheduler.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the k3s node.
For example,
chmod 644 $schedulerkubeconfig
scored: true
- id: 1.1.16
text: "Ensure that the scheduler.kubeconfig file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the k3s node.
For example,
chown root:root $schedulerkubeconfig
scored: true
- id: 1.1.17
text: "Ensure that the cloud-controller.kubeconfig file permissions are set to 644 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 $controllermanagerkubeconfig
scored: true
- id: 1.1.18
text: "Ensure that the $controllermanagerkubeconfig file ownership is set to root:root (Automated)"
audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root $controllermanagerkubeconfig
scored: true
- id: 1.1.19
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
audit: "stat -c %U:%G /var/lib/rancher/k3s/server/tls"
use_multiple_values: true
tests:
test_items:
- flag: "root:root"
remediation: |
Run the below command (based on the file location on your system) on the k3s node.
For example,
chown -R root:root /var/lib/rancher/k3s/server/tls
scored: true
- id: 1.1.20
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated)"
audit: "find /var/lib/rancher/k3s/server/tls/ -name '*.crt' | xargs stat -c permissions=%a"
use_multiple_values: true
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chmod -R 644 /var/lib/rancher/k3s/server/tls/*.crt
scored: true
- id: 1.1.21
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"
audit: "find /var/lib/rancher/k3s/server/tls/ -name '*.key' | xargs stat -c permissions=%a"
use_multiple_values: true
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
remediation: |
Run the below command (based on the file location on your system) on the master node.
For example,
chmod -R 600 /etc/kubernetes/pki/*.key
scored: true
- id: 1.2
text: "API Server"
checks:
- id: 1.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth"
tests:
test_items:
- flag: "--anonymous-auth"
compare:
op: eq
value: false
remediation: |
By default, K3s kube-apiserver is configured to run with --anonymous-auth=false flag and value.
scored: false
- id: 1.2.2
text: "Ensure that the --basic-auth-file argument is not set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "basic-auth-file" | cat
tests:
test_items:
- flag: "--basic-auth-file"
set: false
remediation: |
By default, K3s does not run with basic authentication enabled. No manual remediation is needed.
scored: true
- id: 1.2.3
text: "Ensure that the --token-auth-file parameter is not set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "token-auth-file" | cat
tests:
test_items:
- flag: "--token-auth-file"
set: false
remediation: |
By default, K3s does not run with basic authentication enabled. No manual remediation is needed.
scored: true
- id: 1.2.4
text: "Ensure that the --kubelet-https argument is set to true (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "kubelet-https" | cat
tests:
bin_op: or
test_items:
- flag: "--kubelet-https"
compare:
op: eq
value: true
- flag: "--kubelet-https"
set: false
remediation: |
By default, K3s kube-apiserver doesn't run with the --kubelet-https parameter as it runs with TLS. No manual remediation is needed.
scored: true
- id: 1.2.5
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'kubelet-client-certificate|kubelet-client-key'
tests:
bin_op: and
test_items:
- flag: "--kubelet-client-certificate"
- flag: "--kubelet-client-key"
remediation: |
By default, K3s kube-apiserver is ran with these arguments for secure communication with kubelet. No manual remediation is needed.
scored: true
- id: 1.2.6
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "kubelet-certificate-authority"
tests:
test_items:
- flag: "--kubelet-certificate-authority"
remediation: |
By default, K3s kube-apiserver is ran with this argument for secure communication with kubelet. No manual remediation is needed.
scored: true
- id: 1.2.7
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: nothave
value: "AlwaysAllow"
remediation: |
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
scored: true
- id: 1.2.8
text: "Ensure that the --authorization-mode argument includes Node (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: has
value: "Node"
remediation: |
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
scored: true
- id: 1.2.9
text: "Ensure that the --authorization-mode argument includes RBAC (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
tests:
test_items:
- flag: "--authorization-mode"
compare:
op: has
value: "RBAC"
remediation: |
By default, K3s sets Node,RBAC as the parameter to the --authorization-mode argument. No manual remediation is needed.
scored: true
- id: 1.2.10
text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "EventRateLimit"
remediation: |
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file.
Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
scored: false
- id: 1.2.11
text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
bin_op: or
test_items:
- flag: "--enable-admission-plugins"
compare:
op: nothave
value: AlwaysAdmit
- flag: "--enable-admission-plugins"
set: false
remediation: |
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
No manual remediation needed.
scored: true
- id: 1.2.12
text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "AlwaysPullImages"
remediation: |
By default, K3s only sets NodeRestriction,PodSecurityPolicy as the parameter to the --enable-admission-plugins argument.
To configure this, follow the Kubernetes documentation and set the desired limits in a configuration file.
Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
scored: false
- id: 1.2.13
text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
bin_op: or
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "SecurityContextDeny"
- flag: "--enable-admission-plugins"
compare:
op: has
value: "PodSecurityPolicy"
remediation: |
K3s would need to have the SecurityContextDeny admission plugin enabled by passing it as an argument to K3s.
--kube-apiserver-arg='enable-admission-plugins=SecurityContextDeny
scored: false
- id: 1.2.14
text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "ServiceAccount"
tests:
bin_op: or
test_items:
- flag: "--disable-admission-plugins"
compare:
op: nothave
value: "ServiceAccount"
- flag: "--disable-admission-plugins"
set: false
remediation: |
By default, K3s does not use this argument.
If there's a desire to use this argument, follow the documentation and create ServiceAccount objects as per your environment.
Then refer to K3s's documentation to see how to supply additional api server configuration via the kube-apiserver-arg parameter.
scored: true
- id: 1.2.15
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "disable-admission-plugins" | cat
tests:
bin_op: or
test_items:
- flag: "--disable-admission-plugins"
compare:
op: nothave
value: "NamespaceLifecycle"
- flag: "--disable-admission-plugins"
set: false
remediation: |
By default, K3s does not use this argument. No manual remediation needed.
scored: true
- id: 1.2.16
text: "Ensure that the admission control plugin PodSecurityPolicy is set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "PodSecurityPolicy"
remediation: |
K3s would need to have the PodSecurityPolicy admission plugin enabled by passing it as an argument to K3s.
--kube-apiserver-arg='enable-admission-plugins=PodSecurityPolicy.
scored: true
- id: 1.2.17
text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "NodeRestriction"
remediation: |
K3s would need to have the NodeRestriction admission plugin enabled by passing it as an argument to K3s.
--kube-apiserver-arg='enable-admission-plugins=NodeRestriction.
scored: true
- id: 1.2.18
text: "Ensure that the --insecure-bind-address argument is not set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "enable-admission-plugins"
tests:
test_items:
- flag: "--insecure-bind-address"
set: false
remediation: |
By default, K3s explicitly excludes the use of the --insecure-bind-address parameter. No manual remediation is needed.
scored: true
- id: 1.2.19
text: "Ensure that the --insecure-port argument is set to 0 (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "insecure-port"
tests:
test_items:
- flag: "--insecure-port"
compare:
op: eq
value: 0
remediation: |
By default, K3s starts the kube-apiserver process with this argument's parameter set to 0. No manual remediation is needed.
scored: true
- id: 1.2.20
text: "Ensure that the --secure-port argument is not set to 0 (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "secure-port"
tests:
bin_op: or
test_items:
- flag: "--secure-port"
compare:
op: gt
value: 0
- flag: "--secure-port"
set: false
remediation: |
By default, K3s sets the parameter of 6444 for the --secure-port argument. No manual remediation is needed.
scored: true
- id: 1.2.21
text: "Ensure that the --profiling argument is set to false (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "profiling"
tests:
test_items:
- flag: "--profiling"
compare:
op: eq
value: false
remediation: |
By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
scored: true
- id: 1.2.22
text: "Ensure that the --audit-log-path argument is set (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-path"
tests:
test_items:
- flag: "--audit-log-path"
remediation: |
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-path=/path/to/log/file'
scored: true
- id: 1.2.23
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxage"
tests:
test_items:
- flag: "--audit-log-maxage"
compare:
op: gte
value: 30
remediation: |
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxage=30'
scored: true
- id: 1.2.24
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxbackup"
tests:
test_items:
- flag: "--audit-log-maxbackup"
compare:
op: gte
value: 10
remediation: |
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxbackup=10'
scored: true
- id: 1.2.25
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "audit-log-maxsize"
tests:
test_items:
- flag: "--audit-log-maxsize"
compare:
op: gte
value: 100
remediation: |
K3s server needs to be run with the following argument, --kube-apiserver-arg='audit-log-maxsize=100'
scored: true
- id: 1.2.26
text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "request-timeout" | cat
tests:
bin_op: or
test_items:
- flag: "--request-timeout"
set: false
- flag: "--request-timeout"
compare:
op: lte
value: 60
remediation: |
By default, K3s does not set the --request-timeout argument. No manual remediation needed.
scored: true
- id: 1.2.27
text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "service-account-lookup"
tests:
bin_op: or
test_items:
- flag: "--service-account-lookup"
set: false
- flag: "--service-account-lookup"
compare:
op: eq
value: true
remediation: |
K3s server needs to be run with the following argument, --kube-apiserver-arg='service-account-lookup=true'
scored: true
- id: 1.2.28
text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "service-account-key-file"
tests:
test_items:
- flag: "--service-account-key-file"
remediation: |
By default, K3s sets the --service-account-key-file explicitly. No manual remediation needed.
scored: true
- id: 1.2.29
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'etcd-certfile|etcd-keyfile'
tests:
bin_op: and
test_items:
- flag: "--etcd-certfile"
- flag: "--etcd-keyfile"
remediation: |
By default, K3s sets the --etcd-certfile and --etcd-keyfile arguments explicitly. No manual remediation needed.
scored: true
- id: 1.2.30
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'tls-cert-file|tls-private-key-file'
tests:
bin_op: and
test_items:
- flag: "--tls-cert-file"
- flag: "--tls-private-key-file"
remediation: |
By default, K3s sets the --tls-cert-file and --tls-private-key-file arguments explicitly. No manual remediation needed.
scored: true
- id: 1.2.31
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"
tests:
test_items:
- flag: "--client-ca-file"
remediation: |
By default, K3s sets the --client-ca-file argument explicitly. No manual remediation needed.
scored: true
- id: 1.2.32
text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E 'etcd-cafile'
tests:
test_items:
- flag: "--etcd-cafile"
remediation: |
By default, K3s sets the --etcd-cafile argument explicitly. No manual remediation needed.
scored: true
- id: 1.2.33
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep -E "encryption-provider-config"
tests:
test_items:
- flag: "--encryption-provider-config"
remediation: |
K3s server needs to be ran with the follow, --kube-apiserver-arg='encryption-provider-config=/path/to/encryption_config'.
This can be done by running k3s with the --secrets-encryptiuon argument which will configure the encryption provider.
scored: false
- id: 1.2.34
text: "Ensure that encryption providers are appropriately configured (Manual)"
type: manual
remediation: |
K3s server needs to be run with the following, --secrets-encryption=true, and verify that one of the allowed encryption providers is present.
Run the below command on the master node.
grep aescbc /path/to/encryption-config.json
Verify that aescbc/kms/secretbox is set as the encryption provider for all the desired resources.
scored: true
- id: 1.2.35
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "tls-cipher-suites"
tests:
test_items:
- flag: "--tls-cipher-suites"
compare:
op: valid_elements
value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
remediation: |
By default, K3s explicitly doesn't set this flag. No manual remediation needed.
scored: false
- id: 1.3
text: "Controller Manager"
checks:
- id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
audit: |
journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "terminated-pod-gc-threshold"
tests:
test_items:
- flag: "--terminated-pod-gc-threshold"
remediation: |
K3s server needs to be run with the following, --kube-controller-manager-arg='terminated-pod-gc-threshold=10.
scored: false
- id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "profiling"
tests:
test_items:
- flag: "--profiling"
compare:
op: eq
value: false
remediation: |
By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
scored: true
- id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "use-service-account-credentials"
tests:
test_items:
- flag: "--use-service-account-credentials"
compare:
op: noteq
value: false
remediation: |
K3s server needs to be run with the following, --kube-controller-manager-arg='use-service-account-credentials=true'
scored: true
- id: 1.3.4
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "service-account-private-key-file"
tests:
test_items:
- flag: "--service-account-private-key-file"
remediation: |
By default, K3s sets the --service-account-private-key-file argument with the service account key file. No manual remediation needed.
scored: true
- id: 1.3.5
text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "root-ca-file"
tests:
test_items:
- flag: "--root-ca-file"
remediation: |
By default, K3s sets the --root-ca-file argument with the root ca file. No manual remediation needed.
scored: true
- id: 1.3.6
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "RotateKubeletServerCertificate" | cat
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "RotateKubeletServerCertificate=false"
set: true
- flag: "--feature-gates"
set: false
remediation: |
By default, K3s implements its own logic for certificate generation and rotation.
scored: true
- id: 1.3.7
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "bind-address"
tests:
bin_op: or
test_items:
- flag: "--bind-address"
compare:
op: eq
value: "127.0.0.1"
- flag: "--bind-address"
set: false
remediation: |
By default, K3s sets the --bind-address argument to 127.0.0.1. No manual remediation needed.
scored: true
- id: 1.4
text: "Scheduler"
checks:
- id: 1.4.1
text: "Ensure that the --profiling argument is set to false (Automated)"
audit: journalctl -u k3s | grep "Running kube-scheduler" | tail -n1 | grep "profiling"
tests:
test_items:
- flag: "--profiling"
compare:
op: eq
value: false
remediation: |
By default, K3s sets the --profiling flag parameter to false. No manual remediation needed.
scored: true
- id: 1.4.2
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: journalctl -u k3s | grep "Running kube-controller-manager" | tail -n1 | grep "bind-address"
tests:
bin_op: or
test_items:
- flag: "--bind-address"
compare:
op: eq
value: "127.0.0.1"
- flag: "--bind-address"
set: false
remediation: |
By default, K3s sets the --bind-address argument to 127.0.0.1. No manual remediation needed.
scored: true

253
cfg/cis-1.6-k3s/node.yaml
View File

@@ -1,253 +0,0 @@
---
controls:
version: "cis-1.6-k3s"
id: 4
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 4.1
text: "Worker Node Configuration Files"
checks:
- id: 4.1.1
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 4.1.2
text: "Ensure that the kubelet service file ownership is set to root:root (Not Applicable)"
scored: false
- id: 4.1.3
text: "If proxy kubeproxy.kubeconfig file exists ensure permissions are set to 644 or more restrictive (Automated)"
audit: stat -c %a $proxykubeconfig
tests:
bin_op: or
test_items:
- flag: "permissions"
set: true
compare:
op: bitmask
value: "644"
- flag: "$proxykubeconfig"
set: false
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chmod 644 $proxykubeconfig
scored: true
- id: 4.1.4
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
tests:
bin_op: or
test_items:
- flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig
scored: true
- id: 4.1.5
text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
By default, K3s creates $kubeletkubeconfig with 644 permissions. No manual remediation needed.
scored: true
- id: 4.1.6
text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: root:root
remediation: |
By default, K3s creates $kubeletkubeconfig with root:root ownership. No manual remediation needed.
scored: true
- id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Automated)"
audit: stat -c permissions=%a $kubeletcafile
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
By default, K3s creates $kubeletcafile with 644 permissions.
scored: true
- id: 4.1.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Automated)"
audit: stat -c %U:%G $kubeletcafile
tests:
test_items:
- flag: root:root
compare:
op: eq
value: root:root
remediation: |
By default, K3s creates $kubeletcafile with root:root ownership.
scored: true
- id: 4.1.9
text: "Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Not Applicable)"
scored: false
- id: 4.1.10
text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Not Applicable)"
scored: false
- id: 4.2
text: "Kubelet"
checks:
- id: 4.2.1
text: "Ensure that the anonymous-auth argument is set to false (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth"
tests:
test_items:
- flag: "--anonymous-auth"
compare:
op: eq
value: false
remediation: |
By default, K3s starts kubelet with --anonymous-auth set to false. No manual remediation needed.
scored: true
- id: 4.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"
tests:
test_items:
- flag: --authorization-mode
compare:
op: nothave
value: AlwaysAllow
remediation: |
K3s starts kubelet with Webhook as the value for the --authorization-mode argument. No manual remediation needed.
scored: true
- id: 4.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: journalctl -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"
tests:
test_items:
- flag: --client-ca-file
remediation: |
By default, K3s starts the kubelet process with the --client-ca-file. No manual remediation needed.
scored: true
- id: 4.2.4
text: "Ensure that the --read-only-port argument is set to 0 (Automated)"
audit: journalctl -u k3s | grep "Running kubelet" | tail -n1 | grep "read-only-port"
tests:
bin_op: or
test_items:
- flag: "--read-only-port"
compare:
op: eq
value: 0
- flag: "--read-only-port"
set: false
remediation: |
By default, K3s starts the kubelet process with the --read-only-port argument set to 0.
scored: false
- id: 4.2.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)"
audit: journalctl -u k3s | grep "Running kubelet" | tail -n1 | grep "streaming-connection-idle-timeout"
tests:
test_items:
- flag: --streaming-connection-idle-timeout
compare:
op: noteq
value: 0
- flag: --streaming-connection-idle-timeout
set: false
bin_op: or
remediation: |
By default, K3s does not set --streaming-connection-idle-timeout when starting kubelet.
scored: true
- id: 4.2.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
audit: journalctl -u k3s | grep "Running kubelet" | tail -n1 | grep "protect-kernel-defaults"
tests:
test_items:
- flag: --protect-kernel-defaults
compare:
op: eq
value: true
remediation: |
K3s server needs to be started with the following, --protect-kernel-defaults=true.
scored: true
- id: 4.2.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
audit: journalctl -u k3s | grep "Running kubelet" | tail -n1 | grep "make-iptables-util-chains"
tests:
test_items:
- flag: --make-iptables-util-chains
compare:
op: eq
value: true
- flag: --make-iptables-util-chains
set: false
bin_op: or
remediation: |
K3s server needs to be run with the following, --kube-apiserver-arg='make-iptables-util-chains=true'.
scored: true
- id: 4.2.8
text: "Ensure that the --hostname-override argument is not set (Not Applicable)"
scored: false
- id: 4.2.9
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
audit: /bin/ps -fC containerd
tests:
test_items:
- flag: --event-qps
compare:
op: eq
value: 0
remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 4.2.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
audit: journalctl -u k3s | grep "Running kubelet" | tail -n1 | grep -E 'tls-cert-file|tls-private-key-file'
tests:
test_items:
- flag: --tls-cert-file
- flag: --tls-private-key-file
remediation: |
By default, K3s sets the --tls-cert-file and --tls-private-key-file arguments when executing the kubelet process.
scored: false
- id: 4.2.11
text: "Ensure that the --rotate-certificates argument is not set to false (Not Applicable)"
scored: false
- id: 4.2.12
text: "Verify that the RotateKubeletServerCertificate argument is set to true (Not Applicable)"
scored: false
- id: 4.2.13
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Applicable)"
scored: false

260
cfg/cis-1.6-k3s/policies.yaml
View File

@@ -1,260 +0,0 @@
---
controls:
version: "cis-1.6-k3s"
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
- id: 5.1
text: "RBAC and Service Accounts"
checks:
- id: 5.1.1
text: "Ensure that the cluster-admin role is only used where required (Manual)"
type: "manual"
remediation: |
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
if they need this role or if they could use a role with fewer privileges.
Where possible, first bind users to a lower privileged role and then remove the
clusterrolebinding to the cluster-admin role :
kubectl delete clusterrolebinding [name]
scored: false
- id: 5.1.2
text: "Minimize access to secrets (Manual)"
type: "manual"
remediation: |
Where possible, remove get, list and watch access to secret objects in the cluster.
scored: false
- id: 5.1.3
text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
type: "manual"
remediation: |
Where possible replace any use of wildcards in clusterroles and roles with specific
objects or actions.
kubectl get roles --all-namespaces -o yaml
kubectl get clusterroles -o yaml
scored: false
- id: 5.1.4
text: "Minimize access to create pods (Manual)"
type: "manual"
remediation: |
Where possible, remove create access to pod objects in the cluster.
scored: false
- id: 5.1.5
text: "Ensure that default service accounts are not actively used. (Manual)"
type: "manual"
remediation: |
Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
scored: false
- id: 5.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
type: "manual"
remediation: |
Modify the definition of pods and service accounts which do not need to mount service
account tokens to disable it.
scored: false
- id: 5.2
text: "Pod Security Policies"
checks:
- id: 5.2.1
text: "Minimize the admission of privileged containers (Manual)"
type: "manual"
remediation: |
kubectl describe psp <psp_name> | grep MustRunAsNonRoot
An operator should apply a PodSecurityPolicy that sets the Rule value to MustRunAsNonRoot. An example of this can be found in the Hardening Guide
https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
scored: false
- id: 5.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
type: "manual"
remediation: |
kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostPID == null) or (.spec.hostPID == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'
An operator should apply a PodSecurityPolicy that sets the hostPID value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide.
https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
scored: false
- id: 5.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
type: "manual"
remediation: |
kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostIPC == null) or (.spec.hostIPC == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'
An operator should apply a PodSecurityPolicy that sets the HostIPC value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide.
https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
scored: false
- id: 5.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
type: "manual"
remediation: |
kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.hostNetwork == null) or (.spec.hostNetwork == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'
An operator should apply a PodSecurityPolicy that sets the HostNetwork value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide.
https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
scored: false
- id: 5.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
type: "manual"
remediation: |
kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.allowPrivilegeEscalation == null) or (.spec.allowPrivilegeEscalation == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'
An operator should apply a PodSecurityPolicy that sets the allowPrivilegeEscalation value to false explicitly for the PSP it creates. An example of this can be found in the Hardening Guide.
https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
scored: false
- id: 5.2.6
text: "Minimize the admission of root containers (Manual)"
type: "manual"
remediation: |
kubectl get psp -o json | jq .items[] | jq -r 'select((.spec.allowPrivilegeEscalation == null) or (.spec.allowPrivilegeEscalation == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}'
An operator should apply a PodSecurityPolicy that sets the runAsUser.Rule value to MustRunAsNonRoot. An example of this can be found in the Hardening Guide.
https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
scored: false
- id: 5.2.7
text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
type: "manual"
remediation: |
kubectl get psp <psp_name> -o json | jq .spec.requiredDropCapabilities[]
An operator should apply a PodSecurityPolicy that sets .spec.requiredDropCapabilities[] to a value of All. An example of this can be found in the Hardening Guide.
https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
scored: false
- id: 5.2.8
text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual"
remediation: |
kubectl get psp
An operator should apply a PodSecurityPolicy that sets allowedCapabilities to anything other than an empty array. An example of this can be found in the Hardening Guide.
https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
scored: false
- id: 5.2.9
text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual"
remediation: |
kubectl get psp
An operator should apply a PodSecurityPolicy that sets requiredDropCapabilities to ALL. An example of this can be found in the Hardening Guide.
https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
scored: false
- id: 5.3
text: "Network Policies and CNI"
checks:
- id: 5.3.1
text: "Ensure that the CNI in use supports Network Policies (Manual)"
type: "manual"
remediation: |
By default, K3s use Canal (Calico and Flannel) and fully supports network policies.
scored: false
- id: 5.3.2
text: "Ensure that all Namespaces have Network Policies defined (Manual)"
type: "manual"
remediation: |
Run the below command on the master node.
for i in kube-system kube-public default; do
kubectl get networkpolicies -n $i;
done
Verify that there are network policies applied to each of the namespaces.
An operator should apply NetworkPolcyies that prevent unneeded traffic from traversing networks unnecessarily. An example of applying a NetworkPolcy can be found in the Hardening Guide.
https://docs.rancher.cn/docs/k3s/security/hardening-guide/_index
scored: false
- id: 5.4
text: "Secrets Management"
checks:
- id: 5.4.1
text: "Prefer using secrets as files over secrets as environment variables (Manual)"
type: "manual"
remediation: |
Run the following command to find references to objects which use environment variables defined from secrets.
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
if possible, rewrite application code to read secrets from mounted secret files, rather than
from environment variables.
scored: false
- id: 5.4.2
text: "Consider external secret storage (Manual)"
type: "manual"
remediation: |
Refer to the secrets management options offered by your cloud provider or a third-party
secrets management solution.
scored: false
- id: 5.5
text: "Extensible Admission Control"
checks:
- id: 5.5.1
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
type: "manual"
remediation: |
Follow the Kubernetes documentation and setup image provenance.
scored: false
- id: 5.7
text: "General Policies"
checks:
- id: 5.7.1
text: "Create administrative boundaries between resources using namespaces (Manual)"
audit: kubectl get namespaces
type: "manual"
remediation: |
Ensure that these namespaces are the ones you need and are adequately administered as per your requirements.
Follow the documentation and create namespaces for objects in your deployment as you need
them.
scored: false
- id: 5.7.2
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
type: "manual"
remediation: |
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
parameter to "--feature-gates=AllAlpha=true"
KUBE_API_ARGS="--feature-gates=AllAlpha=true"
Based on your system, restart the kube-apiserver service. For example:
systemctl restart kube-apiserver.service
Use annotations to enable the docker/default seccomp profile in your pod definitions. An
example is as below:
apiVersion: v1
kind: Pod
metadata:
name: trustworthy-pod
annotations:
seccomp.security.alpha.kubernetes.io/pod: docker/default
spec:
containers:
- name: trustworthy-container
image: sotrustworthy:latest
scored: false
- id: 5.7.3
text: "Apply Security Context to Your Pods and Containers (Manual)"
type: "manual"
remediation: |
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
scored: false
- id: 5.7.4
text: "The default namespace should not be used (Manual)"
type: "manual"
remediation: |
Run the below command on the master node.
kubectl get all -n default
The only entries there should be system-managed resources such as the kubernetes service.
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
resources and that all new resources are created in a specific namespace.
scored: false

16
cfg/cis-1.6/master.yaml
View File

@@ -153,13 +153,7 @@ groups:
- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c permissions=%a "$DATA_DIR"
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
tests:
test_items:
- flag: "permissions"
@@ -176,13 +170,7 @@ groups:
- id: 1.1.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
audit: |
DATA_DIR=''
for d in $(ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%'); do
if test -d "$d"; then DATA_DIR="$d"; fi
done
if ! test -d "$DATA_DIR"; then DATA_DIR=$etcddatadir; fi
stat -c %U:%G $DATA_DIR
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
tests:
test_items:
- flag: "etcd:etcd"

34
cfg/config.yaml
View File

@@ -89,9 +89,6 @@ master:
bins:
- "etcd"
- "openshift start etcd"
datadirs:
- /var/lib/etcd/default.etcd
- /var/lib/etcd/data.etcd
confs:
- /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.yml
@@ -102,7 +99,6 @@ master:
- /var/snap/microk8s/current/args/etcd
- /usr/lib/systemd/system/etcd.service
defaultconf: /etc/kubernetes/manifests/etcd.yaml
defaultdatadir: /var/lib/etcd/default.etcd
flanneld:
optional: true
@@ -215,9 +211,6 @@ etcd:
etcd:
bins:
- "etcd"
datadirs:
- /var/lib/etcd/default.etcd
- /var/lib/etcd/data.etcd
confs:
- /etc/kubernetes/manifests/etcd.yaml
- /etc/kubernetes/manifests/etcd.yml
@@ -228,7 +221,6 @@ etcd:
- /var/snap/microk8s/current/args/etcd
- /usr/lib/systemd/system/etcd.service
defaultconf: /etc/kubernetes/manifests/etcd.yaml
defaultdatadir: /var/lib/etcd/default.etcd
controlplane:
components:
@@ -257,9 +249,7 @@ version_mapping:
"1.21": "cis-1.20"
"1.22": "cis-1.23"
"1.23": "cis-1.23"
"1.24": "cis-1.24"
"eks-1.0.1": "eks-1.0.1"
"eks-1.1.0": "eks-1.1.0"
"gke-1.0": "gke-1.0"
"gke-1.2.0": "gke-1.2.0"
"ocp-3.10": "rh-0.7"
@@ -267,7 +257,6 @@ version_mapping:
"ocp-4.0": "rh-1.0"
"aks-1.0": "aks-1.0"
"ack-1.0": "ack-1.0"
"cis-1.6-k3s": "cis-1.6-k3s"
target_mapping:
"cis-1.5":
@@ -282,12 +271,6 @@ target_mapping:
- "controlplane"
- "etcd"
- "policies"
"cis-1.6-k3s":
- "master"
- "node"
- "controlplane"
- "etcd"
- "policies"
"cis-1.20":
- "master"
- "node"
@@ -300,12 +283,6 @@ target_mapping:
- "controlplane"
- "etcd"
- "policies"
"cis-1.24":
- "master"
- "node"
- "controlplane"
- "etcd"
- "policies"
"gke-1.0":
- "master"
- "node"
@@ -325,12 +302,6 @@ target_mapping:
- "controlplane"
- "policies"
- "managedservices"
"eks-1.1.0":
- "master"
- "node"
- "controlplane"
- "policies"
- "managedservices"
"rh-0.7":
- "master"
- "node"
@@ -353,8 +324,3 @@ target_mapping:
- "controlplane"
- "policies"
- "etcd"
"eks-stig-kubernetes-v1r6":
- "node"
- "controlplane"
- "policies"
- "managedservices"

9
cfg/eks-1.1.0/config.yaml
View File

@@ -1,9 +0,0 @@
---
## Version-specific settings that override the values in cfg/config.yaml
## These settings are required if you are using the --asff option to report findings to AWS Security Hub
## AWS account number is required.
AWS_ACCOUNT: "<AWS_ACCT_NUMBER>"
## AWS region is required.
AWS_REGION: "<AWS_REGION>"
## EKS Cluster ARN is required.
CLUSTER_ARN: "<AWS_CLUSTER_ARN>"

14
cfg/eks-1.1.0/controlplane.yaml
View File

@@ -1,14 +0,0 @@
---
controls:
version: "eks-1.1.0"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 2.1
text: "Logging"
checks:
- id: 2.1.1
text: "Enable audit logs (Manual)"
remediation: "Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler."
scored: false

154
cfg/eks-1.1.0/managedservices.yaml
View File

@@ -1,154 +0,0 @@
---
controls:
version: "eks-1.1.0"
id: 5
text: "Managed Services"
type: "managedservices"
groups:
- id: 5.1
text: "Image Registry and Image Scanning"
checks:
- id: 5.1.1
text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Manual)"
type: "manual"
remediation: |
To utilize AWS ECR for Image scanning please follow the steps below:
To create a repository configured for scan on push (AWS CLI):
aws ecr create-repository --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
To edit the settings of an existing repository (AWS CLI):
aws ecr put-image-scanning-configuration --repository-name $REPO_NAME --image-scanning-configuration scanOnPush=true --region $REGION_CODE
Use the following steps to start a manual image scan using the AWS Management Console.
Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
From the navigation bar, choose the Region to create your repository in.
In the navigation pane, choose Repositories.
On the Repositories page, choose the repository that contains the image to scan.
On the Images page, select the image to scan and then choose Scan.
scored: false
- id: 5.1.2
text: "Minimize user access to Amazon ECR (Manual)"
type: "manual"
remediation: |
Before you use IAM to manage access to Amazon ECR, you should understand what IAM features
are available to use with Amazon ECR. To get a high-level view of how Amazon ECR and other
AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.
scored: false
- id: 5.1.3
text: "Minimize cluster access to read-only for Amazon ECR (Manual)"
type: "manual"
remediation: |
You can use your Amazon ECR images with Amazon EKS, but you need to satisfy the following prerequisites.
The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your worker nodes must possess
the following IAM policy permissions for Amazon ECR.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken"
],
"Resource": "*"
}
]
}
scored: false
- id: 5.1.4
text: "Minimize Container Registries to only those approved (Manual)"
type: "manual"
remediation: "No remediation"
scored: false
- id: 5.2
text: "Identity and Access Management (IAM)"
checks:
- id: 5.2.1
text: "Prefer using dedicated Amazon EKS Service Accounts (Manual)"
type: "manual"
remediation: "No remediation"
scored: false
- id: 5.3
text: "AWS Key Management Service (KMS)"
checks:
- id: 5.3.1
text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)"
type: "manual"
remediation: |
This process can only be performed during Cluster Creation.
Enable 'Secrets Encryption' during Amazon EKS cluster creation as described
in the links within the 'References' section.
scored: false
- id: 5.4
text: "Cluster Networking"
checks:
- id: 5.4.1
text: "Restrict Access to the Control Plane Endpoint (Manual)"
type: "manual"
remediation: "No remediation"
scored: false
- id: 5.4.2
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
type: "manual"
remediation: "No remediation"
scored: false
- id: 5.4.3
text: "Ensure clusters are created with Private Nodes (Manual)"
type: "manual"
remediation: "No remediation"
scored: false
- id: 5.4.4
text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
type: "manual"
remediation: "No remediation"
scored: false
- id: 5.4.5
text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
type: "manual"
remediation: "No remediation"
scored: false
- id: 5.5
text: "Authentication and Authorization"
checks:
- id: 5.5.1
text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Manual)"
type: "manual"
remediation: |
Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS documentation.
scored: false
- id: 5.6
text: "Other Cluster Configurations"
checks:
- id: 5.6.1
text: "Consider Fargate for running untrusted workloads (Manual)"
type: "manual"
remediation: |
Create a Fargate profile for your cluster Before you can schedule pods running on Fargate
in your cluster, you must define a Fargate profile that specifies which pods should use
Fargate when they are launched. For more information, see AWS Fargate profile.
Note: If you created your cluster with eksctl using the --fargate option, then a Fargate profile has
already been created for your cluster with selectors for all pods in the kube-system
and default namespaces. Use the following procedure to create Fargate profiles for
any other namespaces you would like to use with Fargate.
scored: false

6
cfg/eks-1.1.0/master.yaml
View File

@@ -1,6 +0,0 @@
---
controls:
version: "eks-1.1.0"
id: 1
text: "Control Plane Components"
type: "master"

330
cfg/eks-1.1.0/node.yaml
View File

@@ -1,330 +0,0 @@
---
controls:
version: "eks-1.1.0"
id: 3
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 3.1
text: "Worker Node Configuration Files"
checks:
- id: 3.1.1
text: "Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chmod 644 $kubeletkubeconfig
scored: false
- id: 3.1.2
text: "Ensure that the kubelet kubeconfig file ownership is set to root:root (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: root:root
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletkubeconfig
scored: false
- id: 3.1.3
text: "Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the following command (using the config file location identified in the Audit step)
chmod 644 $kubeletconf
scored: false
- id: 3.1.4
text: "Ensure that the kubelet configuration file ownership is set to root:root (Manual)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests:
test_items:
- flag: root:root
remediation: |
Run the following command (using the config file location identified in the Audit step)
chown root:root $kubeletconf
scored: false
- id: 3.2
text: "Kubelet"
checks:
- id: 3.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--anonymous-auth"
path: '{.authentication.anonymous.enabled}'
set: true
compare:
op: eq
value: false
remediation: |
If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
false.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 3.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
path: '{.authorization.mode}'
set: true
compare:
op: nothave
value: AlwaysAllow
remediation: |
If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 3.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --client-ca-file
path: '{.authentication.x509.clientCAFile}'
set: true
remediation: |
If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
the location of the client CA file.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 3.2.4
text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: true
compare:
op: eq
value: 0
remediation: |
If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 3.2.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --streaming-connection-idle-timeout
path: '{.streamingConnectionIdleTimeout}'
set: true
compare:
op: noteq
value: 0
- flag: --streaming-connection-idle-timeout
path: '{.streamingConnectionIdleTimeout}'
set: false
bin_op: or
remediation: |
If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
value other than 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 3.2.6
text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --protect-kernel-defaults
path: '{.protectKernelDefaults}'
set: true
compare:
op: eq
value: true
remediation: |
If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 3.2.7
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated) "
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --make-iptables-util-chains
path: '{.makeIPTablesUtilChains}'
set: true
compare:
op: eq
value: true
- flag: --make-iptables-util-chains
path: '{.makeIPTablesUtilChains}'
set: false
bin_op: or
remediation: |
If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: 3.2.8
text: "Ensure that the --hostname-override argument is not set (Manual)"
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "/bin/ps -fC $kubeletbin "
tests:
test_items:
- flag: --hostname-override
set: false
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 3.2.9
text: "Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --event-qps
path: '{.eventRecordQPS}'
set: true
compare:
op: eq
value: 0
remediation: |
If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 3.2.10
text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --rotate-certificates
path: '{.rotateCertificates}'
set: true
compare:
op: eq
value: true
- flag: --rotate-certificates
path: '{.rotateCertificates}'
set: false
bin_op: or
remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
remove it altogether to use the default value.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 3.2.11
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: RotateKubeletServerCertificate
path: '{.featureGates.RotateKubeletServerCertificate}'
set: true
compare:
op: eq
value: true
remediation: |
Edit the kubelet service file $kubeletsvc
on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
--feature-gates=RotateKubeletServerCertificate=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: 3.3
text: "Container Optimized OS"
checks:
- id: 3.3.1
text: "Prefer using Container-Optimized OS when possible (Manual)"
remediation: "No remediation"
scored: false

205
cfg/eks-1.1.0/policies.yaml
View File

@@ -1,205 +0,0 @@
---
controls:
version: "eks-1.1.0"
id: 4
text: "Policies"
type: "policies"
groups:
- id: 4.1
text: "RBAC and Service Accounts"
checks:
- id: 4.1.1
text: "Ensure that the cluster-admin role is only used where required (Manual)"
type: "manual"
remediation: |
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
if they need this role or if they could use a role with fewer privileges.
Where possible, first bind users to a lower privileged role and then remove the
clusterrolebinding to the cluster-admin role :
kubectl delete clusterrolebinding [name]
scored: false
- id: 4.1.2
text: "Minimize access to secrets (Manual)"
type: "manual"
remediation: |
Where possible, remove get, list and watch access to secret objects in the cluster.
scored: false
- id: 4.1.3
text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
type: "manual"
remediation: |
Where possible replace any use of wildcards in clusterroles and roles with specific
objects or actions.
scored: false
- id: 4.1.4
text: "Minimize access to create pods (Manual)"
type: "manual"
remediation: |
Where possible, remove create access to pod objects in the cluster.
scored: false
- id: 4.1.5
text: "Ensure that default service accounts are not actively used. (Manual)"
type: "manual"
remediation: |
Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
scored: false
- id: 4.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
type: "manual"
remediation: |
Modify the definition of pods and service accounts which do not need to mount service
account tokens to disable it.
scored: false
- id: 4.2
text: "Pod Security Policies"
checks:
- id: 4.2.1
text: "Minimize the admission of privileged containers (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that
the .spec.privileged field is omitted or set to false.
scored: false
- id: 4.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostPID field is omitted or set to false.
scored: false
- id: 4.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostIPC field is omitted or set to false.
scored: false
- id: 4.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostNetwork field is omitted or set to false.
scored: false
- id: 4.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.allowPrivilegeEscalation field is omitted or set to false.
scored: false
- id: 4.2.6
text: "Minimize the admission of root containers (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
UIDs not including 0.
scored: false
- id: 4.2.7
text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false
- id: 4.2.8
text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual"
remediation: |
Ensure that allowedCapabilities is not present in PSPs for the cluster unless
it is set to an empty array.
scored: false
- id: 4.2.9
text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual"
remediation: |
Review the use of capabilities in applications running on your cluster. Where a namespace
contains applications which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities.
scored: false
- id: 4.3
text: "CNI Plugin"
checks:
- id: 4.3.1
text: "Ensure that the latest CNI version is used (Manual)"
type: "manual"
remediation: |
Review the documentation of AWS CNI plugin, and ensure latest CNI version is used.
scored: false
- id: 4.3.2
text: "Ensure that all Namespaces have Network Policies defined (Manual)"
type: "manual"
remediation: |
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
- id: 4.4
text: "Secrets Management"
checks:
- id: 4.4.1
text: "Prefer using secrets as files over secrets as environment variables (Manual)"
type: "manual"
remediation: |
If possible, rewrite application code to read secrets from mounted secret files, rather than
from environment variables.
scored: false
- id: 4.4.2
text: "Consider external secret storage (Manual)"
type: "manual"
remediation: |
Refer to the secrets management options offered by your cloud provider or a third-party
secrets management solution.
scored: false
- id: 4.5
text: "Extensible Admission Control"
checks: []
- id: 4.6
text: "General Policies"
checks:
- id: 4.6.1
text: "Create administrative boundaries between resources using namespaces (Manual)"
type: "manual"
remediation: |
Follow the documentation and create namespaces for objects in your deployment as you need
them.
scored: false
- id: 4.6.2
text: "Apply Security Context to Your Pods and Containers (Manual)"
type: "manual"
remediation: |
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
scored: false
- id: 4.6.3
text: "The default namespace should not be used (Manual)"
type: "manual"
remediation: |
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
resources and that all new resources are created in a specific namespace.
scored: false

9
cfg/eks-stig-kubernetes-v1r6/config.yaml
View File

@@ -1,9 +0,0 @@
---
## Version-specific settings that override the values in cfg/config.yaml
## These settings are required if you are using the --asff option to report findings to AWS Security Hub
## AWS account number is required.
AWS_ACCOUNT: "<AWS_ACCT_NUMBER>"
## AWS region is required.
AWS_REGION: "<AWS_REGION>"
## EKS Cluster ARN is required.
CLUSTER_ARN: "<AWS_CLUSTER_ARN>"

124
cfg/eks-stig-kubernetes-v1r6/controlplane.yaml
View File

@@ -1,124 +0,0 @@
---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 2
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 2.1
text: "DISA Category Code I"
checks:
- id: V-242390
text: "The Kubernetes API server must have anonymous authentication disabled (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--anonymous-auth"
path: '{.authentication.anonymous.enabled}'
set: true
compare:
op: eq
value: false
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
false.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242400
text: "The Kubernetes API server must have Alpha APIs disabled (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "AllAlpha=true"
set: true
- flag: "--feature-gates"
set: false
remediation: |
Edit any manifest files or $kubeletconf that contain the feature-gates
setting with AllAlpha set to "true".
Set the flag to "false" or remove the "AllAlpha" setting
completely. Restart the kubelet service if the kubelet config file
if the kubelet config file is changed.
scored: true
- id: 2.2
text: "DISA Category Code II"
checks:
- id: V-242381
text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
type: "manual"
remediation: |
Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
scored: false
- id: V-242402
text: "The Kubernetes API Server must have an audit log path set (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242403
text: "Kubernetes API Server must generate audit records (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242461
text: "Kubernetes API Server audit logs must be enabled. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242462
text: "The Kubernetes API Server must be set to audit log max size. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242463
text: "The Kubernetes API Server must be set to audit log maximum backup. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242464
text: "The Kubernetes API Server audit log retention must be set. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: V-242465
text: "The Kubernetes API Server audit log path must be set. (Manual)"
type: "manual"
remediation: |
Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
scored: false
- id: 2.2
text: "DISA Category Code II"
checks:
- id: V-242443
text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)"
type: "manual"
remediation: |
Upgrade Kubernetes to a supported version.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html

268
cfg/eks-stig-kubernetes-v1r6/managedservices.yaml
View File

@@ -1,268 +0,0 @@
---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 5
text: "Managed Services"
type: "managedservices"
groups:
- id: 5.1
text: "DISA Category Code I"
checks:
- id: V-242386
text: "The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane"
type: "skip"
- id: V-242388
text: "The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane"
type: "skip"
- id: V-242436
text: "The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual)"
type: "manual"
remediation: |
Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook
Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html
scored: false
- id: V-245542
text: "Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane"
type: "skip"
- id: 5.2
text: "DISA Category Code II"
checks:
- id: V-242376
text: "The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane"
type: "skip"
- id: V-242377
text: "The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane"
type: "skip"
- id: V-242378
text: "The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane"
type: "skip"
- id: V-242379
text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane"
type: "skip"
- id: V-242380
text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane"
type: "skip"
- id: V-242382
text: "The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane"
type: "skip"
- id: V-242384
text: "The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane"
type: "skip"
- id: V-242385
text: "The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane"
type: "skip"
- id: V-242389
text: "The Kubernetes API server must have the secure port set | Component of EKS Control Plane"
type: "skip"
- id: V-242401
text: "The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane"
type: "skip"
- id: V-242402
text: "The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane"
type: "skip"
- id: V-242403
text: "Kubernetes API Server must generate audit records | Component of EKS Control Plane"
type: "skip"
- id: V-242405
text: "The Kubernetes manifests must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242408
text: "The Kubernetes manifests must have least privileges | Component of EKS Control Plane"
type: "skip"
- id: V-242409
text: "Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane"
type: "skip"
- id: V-242410
text: "The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
type: "skip"
- id: V-242411
text: "The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
type: "skip"
- id: V-242412
text: "The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
type: "skip"
- id: V-242413
text: "The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane"
type: "skip"
- id: V-242418
text: "The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane"
type: "skip"
- id: V-242419
text: "Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane"
type: "skip"
- id: V-242420
text: "Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane"
type: "skip"
- id: V-242421
text: "Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane"
type: "skip"
- id: V-242422
text: "Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane"
type: "skip"
- id: V-242423
text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
type: "skip"
- id: V-242424
text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
type: "skip"
- id: V-242425
text: "Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane"
type: "skip"
- id: V-242426
text: "Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane"
type: "skip"
- id: V-242427
text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane"
type: "skip"
- id: V-242428
text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane"
type: "skip"
- id: V-242429
text: "Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane"
type: "skip"
- id: V-242430
text: "Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane"
type: "skip"
- id: V-242431
text: "Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane"
type: "skip"
- id: V-242432
text: "Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane"
type: "skip"
- id: V-242433
text: "Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane"
type: "skip"
- id: V-242438
text: "Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane"
type: "skip"
- id: V-242444
text: "The Kubernetes component manifests must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242445
text: "The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane"
type: "skip"
- id: V-242446
text: "The Kubernetes conf files must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242447
text: "The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242448
text: "The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242449
text: "The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242450
text: "The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242451
text: "The Kubernetes component PKI must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242452
text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242453
text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242454
text: "The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242455
text: "The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242456
text: "The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242457
text: "The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane"
type: "skip"
- id: V-242458
text: "The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242459
text: "The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242460
text: "The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242466
text: "The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242467
text: "The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane"
type: "skip"
- id: V-242468
text: "The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane"
type: "skip"
- id: V-245541
text: "Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane"
type: "skip"
- id: V-245543
text: "Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane"
type: "skip"
- id: V-245544
text: "Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane"
type: "skip"

6
cfg/eks-stig-kubernetes-v1r6/master.yaml
View File

@@ -1,6 +0,0 @@
---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 1
text: "Control Plane Components"
type: "master"

287
cfg/eks-stig-kubernetes-v1r6/node.yaml
View File

@@ -1,287 +0,0 @@
---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 3
text: "Worker Node Security Configuration"
type: "node"
groups:
- id: 3.1
text: "DISA Category Code I"
checks:
- id: V-242387 # CIS 3.2.4
text: "The Kubernetes Kubelet must have the read-only port flag disabled (Manual)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--read-only-port"
path: '{.readOnlyPort}'
set: true
compare:
op: eq
value: 0
remediation: |
If using a Kubelet config file, edit $kubeletconf to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
- id: V-242391 # CIS 3.2.1
text: "The Kubernetes Kubelet must have anonymous authentication disabled (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: "--anonymous-auth"
path: '{.authentication.anonymous.enabled}'
set: true
compare:
op: eq
value: false
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
false.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242392 # CIS 3.2.2
text: "The Kubernetes kubelet must enable explicit authorization (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
path: '{.authorization.mode}'
set: true
compare:
op: nothave
value: AlwaysAllow
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242397
text: "The Kubernetes kubelet static PodPath must not enable static pods (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- path: '{.staticPodPath}'
set: false
remediation: |
Edit $kubeletconf on each node to to remove the staticPodPath
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242415
text: "Secrets in Kubernetes must not be stored as environment variables.(Manual)"
type: "manual"
remediation: |
Run the following command:
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
If any of the values returned reference environment variables
rewrite application code to read secrets from mounted secret files, rather than
from environment variables.
scored: false
- id: V-242434 # CIS 3.2.6
text: "Kubernetes Kubelet must enable kernel protection (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --protect-kernel-defaults
path: '{.protectKernelDefaults}'
set: true
compare:
op: eq
value: true
remediation: |
If using a Kubelet config file, edit $kubeletconf to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242435
text: "Kubernetes must prevent non-privileged users from executing privileged functions (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
test_items:
- flag: --authorization-mode
path: '{.authorization.mode}'
set: true
compare:
op: nothave
value: AlwaysAllow
remediation: |
If using a Kubelet config file, edit $kubeletconf to set authorization: mode to Webhook. If
using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242393
text: "Kubernetes Worker Nodes must not have sshd service running. (Automated)"
audit: '/bin/sh -c ''systemctl show -p ActiveState sshd'' '
tests:
test_items:
- flag: ActiveState
compare:
op: eq
value: inactive
remediation: |
To stop the sshd service, run the command: systemctl stop sshd
scored: true
- id: V-242394
text: "Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)"
audit: "/bin/sh -c 'systemctl is-enabled sshd.service'"
tests:
test_items:
- flag: "disabled"
remediation: |
To disable the sshd service, run the command:
chkconfig sshd off
scored: true
- id: V-242395
text: "Kubernetes dashboard must not be enabled. (Manual)"
type: "manual"
remediation: |
Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
If any resources are returned, this is a finding.
Fix Text: Delete the Kubernetes dashboard deployment with the following command:
kubectl delete deployment kubernetes-dashboard --namespace=kube-system
scored: false
- id: V-242398
text: "Kubernetes DynamicAuditing must not be enabled. (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "DynamicAuditing=true"
set: true
- flag: "--feature-gates"
set: false
remediation: |
Edit any manifest files or kubelet config files that contain the feature-gates
setting with DynamicAuditing set to "true".
Set the flag to "false" or remove the "DynamicAuditing" setting
completely. Restart the kubelet service if the kubelet config file
if the kubelet config file is changed.
scored: true
- id: V-242399
text: "Kubernetes DynamicKubeletConfig must not be enabled. (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
bin_op: or
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "DynamicKubeletConfig=true"
set: true
- flag: "--feature-gates"
set: false
remediation: |
Edit any manifest files or $kubeletconf that contain the feature-gates
setting with DynamicKubeletConfig set to "true".
Set the flag to "false" or remove the "DynamicKubeletConfig" setting
completely. Restart the kubelet service if the kubelet config file
if the kubelet config file is changed.
scored: true
- id: V-242404 # CIS 3.2.8
text: "Kubernetes Kubelet must deny hostname override (Automated)"
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "/bin/ps -fC $kubeletbin "
tests:
test_items:
- flag: --hostname-override
set: false
remediation: |
Edit the kubelet service file $kubeletbin
on each worker node and remove the --hostname-override argument from the
KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: true
- id: V-242406
text: "The Kubernetes kubelet configuration file must be owned by root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
tests:
test_items:
- flag: root:root
remediation: |
Run the below command (based on the file location on your system) on the each worker node.
For example,
chown root:root $kubeletkubeconfig
scored: true
- id: V-242407
text: "The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
remediation: |
Run the following command (using the config file location identified in the Audit step)
chmod 644 $kubeletconf
scored: true
- id: V-242414
text: "The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)"
type: "manual"
remediation: |
For any of the pods that are using ports below 1024,
reconfigure the pod to use a service to map a host non-privileged
port to the pod port or reconfigure the image to use non-privileged ports.
scored: false
- id: V-242442
text: "Kubernetes must remove old components after updated versions have been installed. (Manual)"
type: "manual"
remediation: |
To view all pods and the images used to create the pods, from the Master node, run the following command:
kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
tr -s '[[:space:]]' '\n' | \
sort | \
uniq -c
Review the images used for pods running within Kubernetes.
Remove any old pods that are using older images.
scored: false
- id: V-242396
text: "Kubernetes Kubectl cp command must give expected access and results. (Manual)"
type: "manual"
remediation: |
If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
Upgrade the Master and Worker nodes to the latest version of kubectl.
scored: false

33
cfg/eks-stig-kubernetes-v1r6/policies.yaml
View File

@@ -1,33 +0,0 @@
---
controls:
version: "eks-stig-kubernetes-v1r6"
id: 4
text: "Policies"
type: "policies"
groups:
- id: 4.1
text: "Policies - DISA Category Code I"
checks:
- id: V-242381
text: "The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)"
type: "manual"
remediation: |
Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
scored: false
- id: V-242383
text: "User-managed resources must be created in dedicated namespaces. (Manual)"
type: "manual"
remediation: |
Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
scored: false
- id: V-242417
text: "Kubernetes must separate user functionality. (Manual)"
type: "manual"
remediation: |
Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
scored: false

8
cfg/rh-1.0/controlplane.yaml
View File

@@ -40,9 +40,9 @@ groups:
#To view openshift apiserver log files
oc adm node-logs --role=master --path=openshift-apiserver/
#To verify kube apiserver audit config
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]?'
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]'
#To verify openshift apiserver audit config
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]?'
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]'
type: manual
remediation: |
No remediation required.
@@ -52,9 +52,9 @@ groups:
text: "Ensure that the audit policy covers key security concerns (Manual)"
audit: |
#To verify openshift apiserver audit config
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]'
#To verify kube apiserver audit config
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]'
type: manual
remediation: |
In OpenShift 4.6 and higher, if appropriate for your needs,

4
cfg/rh-1.0/etcd.yaml
View File

@@ -57,7 +57,7 @@ groups:
# Returns 0 if found, 1 if not found
for i in $(oc get pods -oname -n openshift-etcd)
do
oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --auto-tls=true 2>/dev/null ; echo exit_code=$?
oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --auto-tls=true 2>&1>/dev/null ; echo exit_code=$?
done 2>/dev/null
use_multiple_values: true
tests:
@@ -118,7 +118,7 @@ groups:
# Returns 0 if found, 1 if not found
for i in $(oc get pods -oname -n openshift-etcd)
do
oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>/dev/null ; echo exit_code=$?
oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>&1>/dev/null ; echo exit_code=$?
done 2>/dev/null
use_multiple_values: true
tests:

12
cfg/rh-1.0/master.yaml
View File

@@ -129,7 +129,7 @@ groups:
scored: false
- id: 1.1.8
text: "Ensure that the etcd pod specification file ownership is set to root:root (Manual)"
text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
audit: |
for i in $( oc get pods -n openshift-etcd -l app=etcd -o name | grep etcd )
do
@@ -141,7 +141,7 @@ groups:
- flag: "root:root"
remediation: |
No remediation required; file permissions are managed by the operator.
scored: false
scored: true
- id: 1.1.9
text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
@@ -316,7 +316,7 @@ groups:
scored: false
- id: 1.1.19
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Manual)"
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
audit: |
# Should return root:root for all files and directories
for i in $(oc -n openshift-kube-apiserver get pod -l app=openshift-kube-apiserver -o jsonpath='{.items[*].metadata.name}')
@@ -334,7 +334,7 @@ groups:
- flag: "root:root"
remediation: |
No remediation required; file permissions are managed by the operator.
scored: false
scored: true
- id: 1.1.20
text: "Ensure that the OpenShift PKI certificate file permissions are set to 644 or more restrictive (Manual)"
@@ -381,9 +381,9 @@ groups:
text: "Ensure that anonymous requests are authorized (Manual)"
audit: |
# To verify that userGroups include system:unauthenticated
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]'
# To verify that userGroups include system:unauthenticated
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?.userGroups'
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[].userGroups'
# To verify RBAC is enabled
oc get clusterrolebinding
oc get clusterrole

12
cfg/rh-1.0/node.yaml
View File

@@ -186,7 +186,7 @@ groups:
audit: |
for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')
do
oc debug node/${node} -- chroot /host grep -B4 -A1 anonymous /etc/kubernetes/kubelet.conf
oc debug node/${node} -- chroot /host grep -B4 -A1 anonymous: /etc/kubernetes/kubelet.conf
done
use_multiple_values: true
tests:
@@ -199,7 +199,7 @@ groups:
scored: true
- id: 4.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Manual)"
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
type: manual
# Takes a lot of time for connection to fail and
audit: |
@@ -215,14 +215,14 @@ groups:
- flag: "Connection timed out"
remediation: |
None required. Unauthenticated/Unauthorized users have no access to OpenShift nodes.
scored: false
scored: true
- id: 4.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: |
for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')
do
oc debug node/${node} -- chroot /host grep clientCAFile /etc/kubernetes/kubelet.conf
oc debug node/${node} -- chroot /host grep clientCAFile: /etc/kubernetes/kubelet.conf
done 2> /dev/null
use_multiple_values: true
tests:
@@ -346,7 +346,7 @@ groups:
scored: false
- id: 4.2.9
text: "Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture (Manual)"
text: "Ensure that the kubeAPIQPS [--event-qps] argument is set to 0 or a level which ensures appropriate event capture (Automated)"
audit: |
for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}');
do
@@ -359,7 +359,7 @@ groups:
Follow the documentation to edit kubelet parameters
https://docs.openshift.com/container-platform/4.5/scalability_and_performance/recommended-host-practices.html#create-a-kubeletconfig-crd-to-edit-kubelet-parameters
KubeAPIQPS: <QPS>
scored: false
scored: true
- id: 4.2.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"

14
check/check.go
View File

@@ -208,16 +208,6 @@ func (c *Check) runAuditCommands() (lastCommand string, err error) {
}
c.AuditConfigOutput, err = runAudit(c.AuditConfig)
// when file not found then error comes as exit status 127
// in some env same error comes as exit status 1
if err != nil && (strings.Contains(err.Error(), "exit status 127") ||
strings.Contains(err.Error(), "No such file or directory")) &&
(c.AuditEnvOutput != "" || c.AuditOutput != "") {
// suppress file not found error when there is Audit OR auditEnv output present
glog.V(3).Info(err)
err = nil
c.AuditConfigOutput = ""
}
return c.AuditConfig, err
}
@@ -237,8 +227,8 @@ func (c *Check) execute() (finalOutput *testOutput, err error) {
t.auditUsed = AuditCommand
result := *(t.execute(c.AuditOutput))
// Check for AuditConfigOutput only if AuditConfig is set and auditConfigOutput is not empty
if !result.flagFound && c.AuditConfig != "" && c.AuditConfigOutput != "" {
// Check for AuditConfigOutput only if AuditConfig is set
if !result.flagFound && c.AuditConfig != "" {
// t.isConfigSetting = true
t.auditUsed = AuditConfig
result = *(t.execute(c.AuditConfigOutput))

25
check/check_test.go
View File

@@ -69,31 +69,6 @@ func TestCheck_Run(t *testing.T) {
},
Expected: PASS,
},
{
name: "Scored checks that pass should PASS when config file is not present",
check: Check{
Scored: true,
Audit: "echo hello",
AuditConfig: "/test/config.yaml",
Tests: &tests{TestItems: []*testItem{{
Flag: "hello",
Set: true,
}}},
},
Expected: PASS,
},
{
name: "Scored checks that pass should FAIL when config file is not present",
check: Check{
Scored: true,
AuditConfig: "/test/config.yaml",
Tests: &tests{TestItems: []*testItem{{
Flag: "hello",
Set: true,
}}},
},
Expected: FAIL,
},
}
for _, testCase := range testCases {

53
check/controls.go
View File

@@ -21,8 +21,8 @@ import (
"fmt"
"time"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/securityhub"
"github.com/golang/glog"
"github.com/onsi/ginkgo/reporters"
"github.com/spf13/viper"
@@ -206,13 +206,13 @@ func (controls *Controls) JUnit() ([]byte, error) {
}
// ASFF encodes the results of last run to AWS Security Finding Format(ASFF).
func (controls *Controls) ASFF() ([]types.AwsSecurityFinding, error) {
fs := []types.AwsSecurityFinding{}
account, err := getConfig("AWS_ACCOUNT")
func (controls *Controls) ASFF() ([]*securityhub.AwsSecurityFinding, error) {
fs := []*securityhub.AwsSecurityFinding{}
a, err := getConfig("AWS_ACCOUNT")
if err != nil {
return nil, err
}
cluster, err := getConfig("CLUSTER_ARN")
c, err := getConfig("CLUSTER_ARN")
if err != nil {
return nil, err
}
@@ -220,7 +220,6 @@ func (controls *Controls) ASFF() ([]types.AwsSecurityFinding, error) {
if err != nil {
return nil, err
}
nodeName, _ := getConfig("NODE_NAME")
arn := fmt.Sprintf(ARN, region)
ti := time.Now()
@@ -245,46 +244,42 @@ func (controls *Controls) ASFF() ([]types.AwsSecurityFinding, error) {
if len(check.Reason) > 1024 {
reason = check.Reason[0:1023]
}
id := aws.String(fmt.Sprintf("%s%sEKSnodeID+%s+%s", arn, account, check.ID, cluster))
if nodeName != "" {
id = aws.String(fmt.Sprintf("%s%sEKSnodeID+%s+%s+%s", arn, account, check.ID, cluster, nodeName))
}
f := types.AwsSecurityFinding{
AwsAccountId: aws.String(account),
Confidence: *aws.Int32(100),
f := securityhub.AwsSecurityFinding{
AwsAccountId: aws.String(a),
Confidence: aws.Int64(100),
GeneratorId: aws.String(fmt.Sprintf("%s/cis-kubernetes-benchmark/%s/%s", arn, controls.Version, check.ID)),
Id: id,
Id: aws.String(fmt.Sprintf("%s%sEKSnodeID+%s", arn, a, check.ID)),
CreatedAt: aws.String(tf),
Description: aws.String(check.Text),
ProductArn: aws.String(arn),
SchemaVersion: aws.String(SCHEMA),
Title: aws.String(fmt.Sprintf("%s %s", check.ID, check.Text)),
UpdatedAt: aws.String(tf),
Types: []string{*aws.String(TYPE)},
Severity: &types.Severity{
Label: types.SeverityLabelHigh,
Types: []*string{aws.String(TYPE)},
Severity: &securityhub.Severity{
Label: aws.String(securityhub.SeverityLabelHigh),
},
Remediation: &types.Remediation{
Recommendation: &types.Recommendation{
Remediation: &securityhub.Remediation{
Recommendation: &securityhub.Recommendation{
Text: aws.String(remediation),
},
},
ProductFields: map[string]string{
"Reason": reason,
"Actual result": actualValue,
"Expected result": check.ExpectedResult,
"Section": fmt.Sprintf("%s %s", controls.ID, controls.Text),
"Subsection": fmt.Sprintf("%s %s", g.ID, g.Text),
ProductFields: map[string]*string{
"Reason": aws.String(reason),
"Actual result": aws.String(actualValue),
"Expected result": aws.String(check.ExpectedResult),
"Section": aws.String(fmt.Sprintf("%s %s", controls.ID, controls.Text)),
"Subsection": aws.String(fmt.Sprintf("%s %s", g.ID, g.Text)),
},
Resources: []types.Resource{
Resources: []*securityhub.Resource{
{
Id: aws.String(cluster),
Id: aws.String(c),
Type: aws.String(TYPE),
},
},
}
fs = append(fs, f)
fs = append(fs, &f)
}
}
}

34
check/controls_test.go
View File

@@ -25,8 +25,8 @@ import (
"reflect"
"testing"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/securityhub"
"github.com/onsi/ginkgo/reporters"
"github.com/spf13/viper"
"github.com/stretchr/testify/assert"
@@ -374,7 +374,7 @@ func TestControls_ASFF(t *testing.T) {
tests := []struct {
name string
fields fields
want []types.AwsSecurityFinding
want []*securityhub.AwsSecurityFinding
wantErr bool
}{
{
@@ -405,32 +405,32 @@ func TestControls_ASFF(t *testing.T) {
},
},
}},
want: []types.AwsSecurityFinding{
want: []*securityhub.AwsSecurityFinding{
{
AwsAccountId: aws.String("foo account"),
Confidence: *aws.Int32(100),
Confidence: aws.Int64(100),
GeneratorId: aws.String(fmt.Sprintf("%s/cis-kubernetes-benchmark/%s/%s", fmt.Sprintf(ARN, "somewhere"), "1", "check1id")),
Description: aws.String("check1text"),
ProductArn: aws.String(fmt.Sprintf(ARN, "somewhere")),
SchemaVersion: aws.String(SCHEMA),
Title: aws.String(fmt.Sprintf("%s %s", "check1id", "check1text")),
Types: []string{*aws.String(TYPE)},
Severity: &types.Severity{
Label: types.SeverityLabelHigh,
Types: []*string{aws.String(TYPE)},
Severity: &securityhub.Severity{
Label: aws.String(securityhub.SeverityLabelHigh),
},
Remediation: &types.Remediation{
Recommendation: &types.Recommendation{
Remediation: &securityhub.Remediation{
Recommendation: &securityhub.Recommendation{
Text: aws.String("fix me"),
},
},
ProductFields: map[string]string{
"Reason": "failed",
"Actual result": "failed",
"Expected result": "failed",
"Section": fmt.Sprintf("%s %s", "test1", "test runnner"),
"Subsection": fmt.Sprintf("%s %s", "g1", "Group text"),
ProductFields: map[string]*string{
"Reason": aws.String("failed"),
"Actual result": aws.String("failed"),
"Expected result": aws.String("failed"),
"Section": aws.String(fmt.Sprintf("%s %s", "test1", "test runnner")),
"Subsection": aws.String(fmt.Sprintf("%s %s", "g1", "Group text")),
},
Resources: []types.Resource{
Resources: []*securityhub.Resource{
{
Id: aws.String("foo Cluster"),
Type: aws.String(TYPE),

8
check/test.go
View File

@@ -24,7 +24,7 @@ import (
"strings"
"github.com/golang/glog"
"gopkg.in/yaml.v2"
yaml "gopkg.in/yaml.v2"
"k8s.io/client-go/util/jsonpath"
)
@@ -243,11 +243,11 @@ func (t testItem) evaluate(s string) *testOutput {
isExist = "does not exist"
}
switch t.auditUsed {
case AuditCommand:
case "auditCommand":
glog.V(3).Infof("Flag '%s' %s", t.Flag, isExist)
case AuditConfig:
case "auditConfig":
glog.V(3).Infof("Path '%s' %s", t.Path, isExist)
case AuditEnv:
case "auditEnv":
glog.V(3).Infof("Env '%s' %s", t.Env, isExist)
default:
glog.V(3).Infof("Error with identify audit used %s", t.auditUsed)

4
cmd/common.go
View File

@@ -96,7 +96,6 @@ func runChecks(nodetype check.NodeType, testYamlFile, detectedVersion string) {
svcmap := getFiles(typeConf, "service")
kubeconfmap := getFiles(typeConf, "kubeconfig")
cafilemap := getFiles(typeConf, "ca")
datadirmap := getFiles(typeConf, "datadir")
// Variable substitutions. Replace all occurrences of variables in controls files.
s := string(in)
@@ -105,7 +104,6 @@ func runChecks(nodetype check.NodeType, testYamlFile, detectedVersion string) {
s, _ = makeSubstitutions(s, "svc", svcmap)
s, _ = makeSubstitutions(s, "kubeconfig", kubeconfmap)
s, _ = makeSubstitutions(s, "cafile", cafilemap)
s, _ = makeSubstitutions(s, "datadir", datadirmap)
controls, err := check.NewControls(nodetype, []byte(s), detectedVersion)
if err != nil {
@@ -135,7 +133,7 @@ func generateDefaultEnvAudit(controls *check.Controls, binSubs []string) {
if len(binSubs) == 1 {
binPath = binSubs[0]
} else {
glog.V(1).Infof("AuditEnv not explicit for check (%s), where bin path cannot be determined", checkItem.ID)
fmt.Printf("AuditEnv not explicit for check (%s), where bin path cannot be determined\n", checkItem.ID)
}
if test.Env != "" && checkItem.AuditEnv == "" {

7
cmd/common_test.go
View File

@@ -239,7 +239,6 @@ func TestMapToCISVersion(t *testing.T) {
{kubeVersion: "1.21", succeed: true, exp: "cis-1.20"},
{kubeVersion: "1.22", succeed: true, exp: "cis-1.23"},
{kubeVersion: "1.23", succeed: true, exp: "cis-1.23"},
{kubeVersion: "1.24", succeed: true, exp: "cis-1.24"},
{kubeVersion: "gke-1.2.0", succeed: true, exp: "gke-1.2.0"},
{kubeVersion: "ocp-3.10", succeed: true, exp: "rh-0.7"},
{kubeVersion: "ocp-3.11", succeed: true, exp: "rh-0.7"},
@@ -443,12 +442,6 @@ func TestValidTargets(t *testing.T) {
targets: []string{"node", "policies", "controlplane", "managedservices"},
expected: true,
},
{
name: "eks-1.1.0 valid",
benchmark: "eks-1.1.0",
targets: []string{"node", "policies", "controlplane", "managedservices"},
expected: true,
},
}
for _, c := range cases {

10
cmd/kubernetes_version_test.go
View File

@@ -264,8 +264,14 @@ func TestGetKubernetesURL(t *testing.T) {
}
k8sURL := getKubernetesURL()
if k8sURL != c.expected {
t.Errorf("Expected %q but Got %q", k8sURL, c.expected)
if !c.useDefault {
if k8sURL != c.expected {
t.Errorf("Expected %q but Got %q", k8sURL, c.expected)
}
} else {
if k8sURL != c.expected {
t.Errorf("Expected %q but Got %q", k8sURL, c.expected)
}
}
})
}

19
cmd/securityHub.go
View File

@@ -1,32 +1,33 @@
package cmd
import (
"context"
"fmt"
"log"
"github.com/aquasecurity/kube-bench/internal/findings"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/service/securityhub"
"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/securityhub"
"github.com/spf13/viper"
)
// REGION ...
const REGION = "AWS_REGION"
func writeFinding(in []types.AwsSecurityFinding) error {
func writeFinding(in []*securityhub.AwsSecurityFinding) error {
r := viper.GetString(REGION)
if len(r) == 0 {
return fmt.Errorf("%s not set", REGION)
}
cfg, err := config.LoadDefaultConfig(context.Background(), config.WithRegion(r))
sess, err := session.NewSession(&aws.Config{
Region: aws.String(r),
},
)
if err != nil {
return err
}
svc := securityhub.NewFromConfig(cfg)
p := findings.New(*svc)
svc := securityhub.New(sess)
p := findings.New(svc)
out, perr := p.PublishFinding(in)
print(out)
return perr

7
cmd/util.go
View File

@@ -33,7 +33,6 @@ var (
"kubeconfig": {"kubeconfig", "defaultkubeconfig"},
"service": {"svc", "defaultsvc"},
"config": {"confs", "defaultconf"},
"datadir": {"datadirs", "defaultdatadir"},
}
)
@@ -127,7 +126,7 @@ func getConfigFilePath(benchmarkVersion string, filename string) (path string, e
glog.V(2).Info(fmt.Sprintf("Looking for config specific CIS version %q", benchmarkVersion))
path = filepath.Join(cfgDir, benchmarkVersion)
file := filepath.Join(path, filename)
file := filepath.Join(path, string(filename))
glog.V(2).Info(fmt.Sprintf("Looking for file: %s", file))
if _, err := os.Stat(file); err != nil {
@@ -241,7 +240,7 @@ func findConfigFile(candidates []string) string {
if err == nil {
return c
}
if !os.IsNotExist(err) && !strings.HasSuffix(err.Error(), "not a directory") {
if !os.IsNotExist(err) {
exitWithError(fmt.Errorf("error looking for file %s: %v", c, err))
}
}
@@ -462,7 +461,7 @@ func getPlatformBenchmarkVersion(platform Platform) string {
glog.V(3).Infof("getPlatformBenchmarkVersion platform: %s", platform)
switch platform.Name {
case "eks":
return "eks-1.1.0"
return "eks-1.0.1"
case "gke":
switch platform.Version {
case "1.15", "1.16", "1.17", "1.18", "1.19":

56
cmd/util_test.go
View File

@@ -15,7 +15,6 @@
package cmd
import (
"errors"
"io/ioutil"
"os"
"path/filepath"
@@ -234,7 +233,6 @@ func TestFindConfigFile(t *testing.T) {
{input: []string{"myfile"}, statResults: []error{nil}, exp: "myfile"},
{input: []string{"thisfile", "thatfile"}, statResults: []error{os.ErrNotExist, nil}, exp: "thatfile"},
{input: []string{"thisfile", "thatfile"}, statResults: []error{os.ErrNotExist, os.ErrNotExist}, exp: ""},
{input: []string{"thisfile", "/etc/dummy/thatfile"}, statResults: []error{os.ErrNotExist, errors.New("stat /etc/dummy/thatfile: not a directory")}, exp: ""},
}
statFunc = fakestat
@@ -397,58 +395,6 @@ func TestGetServiceFiles(t *testing.T) {
}
}
func TestGetDatadirFiles(t *testing.T) {
var err error
datadir, err := ioutil.TempDir("", "kube-bench-test-etcd-data-dir")
if err != nil {
t.Fatalf("Failed to create temp directory")
}
defer os.RemoveAll(datadir)
cases := []struct {
config map[string]interface{}
exp map[string]string
statResults []error
}{
{
config: map[string]interface{}{
"components": []string{"etcd"},
"etcd": map[string]interface{}{"datadirs": []string{datadir},
"defaultdatadir": "/var/lib/etcd/default.etcd"},
},
statResults: []error{nil},
exp: map[string]string{"etcd": datadir},
},
// fallback to defaultdatadir
{
config: map[string]interface{}{
"components": []string{"etcd"},
"etcd": map[string]interface{}{"datadirs": []string{"/path/to/etcd/data.etcd"},
"defaultdatadir": "/var/lib/etcd/default.etcd"},
},
statResults: []error{os.ErrNotExist},
exp: map[string]string{"etcd": "/var/lib/etcd/default.etcd"},
},
}
v := viper.New()
statFunc = fakestat
for id, c := range cases {
t.Run(strconv.Itoa(id), func(t *testing.T) {
for k, val := range c.config {
v.Set(k, val)
}
e = c.statResults
eIndex = 0
m := getFiles(v, "datadir")
if !reflect.DeepEqual(m, c.exp) {
t.Fatalf("Got %v\nExpected %v", m, c.exp)
}
})
}
}
func TestMakeSubsitutions(t *testing.T) {
cases := []struct {
input string
@@ -636,7 +582,7 @@ func Test_getPlatformBenchmarkVersion(t *testing.T) {
args: args{
platform: Platform{Name: "eks"},
},
want: "eks-1.1.0",
want: "eks-1.0.1",
},
{
name: "gke 1.19",

9
docs/architecture.md
View File

@@ -19,21 +19,12 @@ The following table shows the valid targets based on the CIS Benchmark version.
| cis-1.6 | master, controlplane, node, etcd, policies |
| cis-1.20 | master, controlplane, node, etcd, policies |
| cis-1.23 | master, controlplane, node, etcd, policies |
| cis-1.24 | master, controlplane, node, etcd, policies |
| gke-1.0 | master, controlplane, node, etcd, policies, managedservices |
| gke-1.2.0 | controlplane, node, policies, managedservices |
| eks-1.0.1 | controlplane, node, policies, managedservices |
| eks-1.1.0 | controlplane, node, policies, managedservices |
| ack-1.0 | master, controlplane, node, etcd, policies, managedservices |
| aks-1.0 | controlplane, node, policies, managedservices |
| rh-0.7 | master,node|
| rh-1.0 | master, controlplane, node, etcd, policies |
| cis-1.6-k3s | master, controlplane, node, etcd, policies |
The following table shows the valid DISA STIG versions
| STIG | Targets |
|----------------------------|---------|
| eks-stig-kubernetes-v1r6 | master, controlplane, node, policies, managedservices |

4
docs/flags-and-commands.md
View File

@@ -29,7 +29,6 @@ Flag | Description
--skip string | List of comma separated values of checks to be skipped
--stderrthreshold severity | logs at or above this threshold go to stderr (default 2)
-v, --v Level | log level for V logs (default 0)
--unscored | Run the unscored CIS checks (default true)
--version string | Manually specify Kubernetes version, automatically detected if unset
--vmodule moduleSpec | comma-separated list of pattern=N settings for file-filtered logging
@@ -113,8 +112,7 @@ There are four output states:
- [INFO] is informational output that needs no further action.
Note:
- Some tests with `Automated` in their description must still be run manually
- If the user has to run a test manually, this always generates WARN
- If the test is Manual, this always generates WARN (because the user has to run it manually)
- If the test is Scored, and kube-bench was unable to run the test, this generates FAIL (because the test has not been passed, and as a Scored test, if it doesn't pass then it must be considered a failure).
- If the test is Not Scored, and kube-bench was unable to run the test, this generates WARN.
- If the test is Scored, type is empty, and there are no `test_items` present, it generates a WARN. This is to highlight tests that appear to be incompletely defined.

2
docs/installation.md
View File

@@ -84,7 +84,7 @@ go build -o kube-bench .
This command copies the kube-bench binary and configuration files to your host from the Docker container:
**binaries compiled for linux-x86-64 only (so they won't run on macOS or Windows)**
```
docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
```
You can then run `./kube-bench`.

9
docs/platforms.md
View File

@@ -2,10 +2,7 @@
## CIS Kubernetes Benchmark support
kube-bench supports running tests for Kubernetes.
Most of our supported benchmarks are defined in one of the following:
[CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/)
[STIG Document Library](https://public.cyber.mil/stigs/downloads)
Most of our supported benchmarks are defined in the [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
Some defined by other hardenening guides.
| Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions |
@@ -14,14 +11,10 @@ Some defined by other hardenening guides.
| CIS | [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16-1.18 |
| CIS | [1.20](https://workbench.cisecurity.org/benchmarks/6246) | cis-1.20 | 1.19-1.21 |
| CIS | [1.23](https://workbench.cisecurity.org/benchmarks/7532) | cis-1.23 | 1.22-1.23 |
| CIS | [1.24](https://workbench.cisecurity.org/benchmarks/10873) | cis-1.24 | 1.24 |
| CIS | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
| CIS | [GKE 1.2.0](https://workbench.cisecurity.org/benchmarks/7534) | gke-1.2.0 | GKE |
| CIS | [EKS 1.0.1](https://workbench.cisecurity.org/benchmarks/6041) | eks-1.0.1 | EKS |
| CIS | [EKS 1.1.0](https://workbench.cisecurity.org/benchmarks/6248) | eks-1.1.0 | EKS |
| CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK |
| CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
| CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- |
| CIS | [1.6.0-k3s](https://docs.rancher.cn/docs/k3s/security/self-assessment/_index) | cis-1.6-k3s | k3s v1.16-v1.24 |
| DISA | [Kubernetes Ver 1, Rel 6](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R6_STIG.zip) | eks-stig-kubernetes-v1r6 | EKS |

65
docs/running.md
View File

@@ -15,26 +15,26 @@ It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS,
You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host so that kube-bench can check their existence and permissions.
```
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t docker.io/aquasec/kube-bench:latest --version 1.18
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest --version 1.18
```
> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. For example:
```
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t docker.io/aquasec/kube-bench:latest
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest
```
You can use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/`
```
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config docker.io/aquasec/kube-bench:latest
docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latest
```
### Running in a Kubernetes cluster
You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored.
The `job.yaml` file (available in the root directory of the repository) can be applied to run the tests as a Kubernetes `Job`. For example:
The supplied `job.yaml` file can be applied to run the tests as a job. For example:
```bash
$ kubectl apply -f job.yaml
@@ -72,12 +72,12 @@ could open nsg 22 port and assign a public ip for one agent node (only for testi
1. Run CIS benchmark to view results:
```
docker run --rm -v `pwd`:/host docker.io/aquasec/kube-bench:latest install
docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install
./kube-bench
```
kube-bench cannot be run on AKS master nodes
### Running CIS benchmark in an EKS cluster
### Running in an EKS cluster
There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed
@@ -103,57 +103,24 @@ docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:
8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-<value>`
- You can save the report for later reference: `kubectl logs kube-bench-<value> > kube-bench-report.txt`
### Running DISA STIG in an EKS cluster
There is a `job-eks-stig.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed
1. To create an EKS Cluster refer to [Getting Started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) in the *Amazon EKS User Guide*
- Information on configuring `eksctl`, `kubectl` and the AWS CLI is within
2. Create an [Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) repository to host the kube-bench container image
```
aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE
```
3. Download, build and push the kube-bench container image to your ECR repo
```
git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
aws ecr get-login-password --region <AWS_REGION> | docker login --username AWS --password-stdin <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com
docker build -t k8s/kube-bench .
docker tag k8s/kube-bench:latest <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
```
4. Copy the URI of your pushed image, the URI format is like this: `<AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest`
5. Replace the `image` value in `job-eks-stig.yaml` with the URI from Step 4
6. Run the kube-bench job on a Pod in your Cluster: `kubectl apply -f job-eks-stig.yaml`
7. Find the Pod that was created, it *should* be in the `default` namespace: `kubectl get pods --all-namespaces`
8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-<value>`
- You can save the report for later reference: `kubectl logs kube-bench-<value> > kube-bench-report.txt`
### Running on OpenShift
| OpenShift Hardening Guide | kube-bench config |
| ------------------------- | ----------------- |
| ocp-3.10 + | rh-0.7 |
| ocp-4.1 + | rh-1.0 |
|---|---|
| ocp-3.10 +| rh-0.7 |
| ocp-4.1 +| rh-1.0 |
kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 4.1. To run this you will need to specify `--benchmark rh-07`, or `--version ocp-3.10` or,`--version ocp-4.5` or `--benchmark rh-1.0`
`kube-bench` supports auto-detection, when you run the `kube-bench` command it will autodetect if running in openshift environment.
Since running `kube-bench` requires elevated privileges, the `privileged` SecurityContextConstraint needs to be applied to the ServiceAccount used for the `Job`:
```
oc create namespace kube-bench
oc adm policy add-scc-to-user privileged --serviceaccount default
oc apply -f job.yaml
```
### Running in a GKE cluster
| CIS Benchmark | Targets |
| ------------- | ----------------------------------------------------------- |
| gke-1.0 | master, controlplane, node, etcd, policies, managedservices |
| gke-1.2.0 | master, controlplane, node, policies, managedservices |
| CIS Benchmark | Targets |
|---|---|
| gke-1.0| master, controlplane, node, etcd, policies, managedservices |
| gke-1.2.0| master, controlplane, node, policies, managedservices |
kube-bench includes benchmarks for GKE. To run this you will need to specify `--benchmark gke-1.0` or `--benchmark gke-1.2.0` when you run the `kube-bench` command.
@@ -165,9 +132,9 @@ kubectl apply -f job-gke.yaml
### Running in a ACK cluster
| CIS Benchmark | Targets |
| ------------- | ----------------------------------------------------------- |
| ack-1.0 | master, controlplane, node, etcd, policies, managedservices |
| CIS Benchmark | Targets |
|---|---|
| ack-1.0| master, controlplane, node, etcd, policies, managedservices |
kube-bench includes benchmarks for Alibaba Cloud Container Service For Kubernetes (ACK).
To run this you will need to specify `--benchmark ack-1.0` when you run the `kube-bench` command.

63
go.mod
View File

@@ -1,60 +1,19 @@
module github.com/aquasecurity/kube-bench
go 1.19
go 1.16
require (
github.com/aws/aws-sdk-go-v2 v1.17.6
github.com/aws/aws-sdk-go-v2/config v1.18.4
github.com/aws/aws-sdk-go-v2/service/securityhub v1.29.1
github.com/fatih/color v1.14.1
github.com/golang/glog v1.0.0
github.com/magiconair/properties v1.8.7
github.com/aws/aws-sdk-go v1.43.41
github.com/fatih/color v1.13.0
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
github.com/magiconair/properties v1.8.6
github.com/onsi/ginkgo v1.16.5
github.com/pkg/errors v0.9.1
github.com/spf13/cobra v1.6.1
github.com/spf13/viper v1.14.0
github.com/stretchr/testify v1.8.1
github.com/spf13/cobra v1.4.0
github.com/spf13/viper v1.11.0
github.com/stretchr/testify v1.7.1
gopkg.in/yaml.v2 v2.4.0
gorm.io/driver/postgres v1.4.6
gorm.io/gorm v1.25.1
k8s.io/client-go v0.26.0
)
require (
github.com/aws/aws-sdk-go-v2/credentials v1.13.4 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.20 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.27 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.11.26 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.9 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 // indirect
github.com/aws/smithy-go v1.13.5 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/inconshreveable/mousetrap v1.0.1 // indirect
github.com/jackc/pgpassfile v1.0.0 // indirect
github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
github.com/jackc/pgx/v5 v5.2.0 // indirect
github.com/jinzhu/inflection v1.0.0 // indirect
github.com/jinzhu/now v1.1.5 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.17 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pelletier/go-toml/v2 v2.0.5 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/spf13/afero v1.9.2 // indirect
github.com/spf13/cast v1.5.0 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/stretchr/objx v0.5.0 // indirect
github.com/subosito/gotenv v1.4.1 // indirect
golang.org/x/crypto v0.4.0 // indirect
golang.org/x/sys v0.3.0 // indirect
golang.org/x/text v0.5.0 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
gorm.io/driver/postgres v1.3.4
gorm.io/gorm v1.23.4
k8s.io/client-go v0.23.5
)

673
go.sum
View File

File diff suppressed because it is too large Load Diff

56
hack/kind-stig.test.yaml
View File

@@ -1,56 +0,0 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
spec:
template:
metadata:
labels:
app: kube-bench
spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:latest
command: [
"kube-bench",
"run",
"--benchmark",
"eks-stig-kubernetes-v1r6",
]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
- name: etc-systemd
mountPath: /etc/systemd
- name: etc-kubernetes
mountPath: /etc/kubernetes
# /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command.
- name: usr-bin
mountPath: /usr/local/mount-from-host/bin
- name: kind-bin
mountPath: /kind/bin
restartPolicy: Never
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"
- name: kind-bin
hostPath:
path: "/kind/bin"

56
hack/kind-stig.yaml
View File

@@ -1,56 +0,0 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
spec:
template:
metadata:
labels:
app: kube-bench
spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:${VERSION}
command: [
"kube-bench",
"run",
"--benchmark",
"eks-stig-kubernetes-v1r6",
]
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
- name: etc-systemd
mountPath: /etc/systemd
- name: etc-kubernetes
mountPath: /etc/kubernetes
# /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
# You can omit this mount if you specify --version as part of the command.
- name: usr-bin
mountPath: /usr/local/mount-from-host/bin
- name: kind-bin
mountPath: /kind/bin
restartPolicy: Never
volumes:
- name: var-lib-etcd
hostPath:
path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"
- name: usr-bin
hostPath:
path: "/usr/bin"
- name: kind-bin
hostPath:
path: "/kind/bin"

2
hack/kind.yaml
View File

@@ -12,7 +12,7 @@ spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:${VERSION}
image: aquasec/kube-bench:${VERSION}
command: ["kube-bench"]
volumeMounts:
- name: var-lib-etcd

2
integration/testdata/Expected_output.data vendored
View File

@@ -240,7 +240,7 @@ minimum.
[PASS] 4.2.8 Ensure that the --hostname-override argument is not set (Manual)
[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)
[WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Automated)
[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)
[PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
[WARN] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)

266
integration/testdata/Expected_output_stig.data vendored
View File

@@ -1,266 +0,0 @@
[INFO] 1 Control Plane Components
== Summary master ==
0 checks PASS
0 checks FAIL
0 checks WARN
0 checks INFO
[INFO] 2 Control Plane Configuration
[INFO] 2.1 DISA Category Code I
[FAIL] V-242390 The Kubernetes API server must have anonymous authentication disabled (Automated)
[FAIL] V-242400 The Kubernetes API server must have Alpha APIs disabled (Automated)
[INFO] 2.2 DISA Category Code II
[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)
[WARN] V-242402 The Kubernetes API Server must have an audit log path set (Manual)
[WARN] V-242403 Kubernetes API Server must generate audit records (Manual)
[WARN] V-242461 Kubernetes API Server audit logs must be enabled. (Manual)
[WARN] V-242462 The Kubernetes API Server must be set to audit log max size. (Manual)
[WARN] V-242463 The Kubernetes API Server must be set to audit log maximum backup. (Manual)
[WARN] V-242464 The Kubernetes API Server audit log retention must be set. (Manual)
[WARN] V-242465 The Kubernetes API Server audit log path must be set. (Manual)
[WARN] V-242443 Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)
== Remediations controlplane ==
V-242390 If using a Kubelet config file, edit $kubeletconf to set authentication: anonymous: enabled to
false.
If using executable arguments, edit the kubelet service file
$kubeletsvc on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
V-242400 Edit any manifest files or $kubeletconf that contain the feature-gates
setting with AllAlpha set to "true".
Set the flag to "false" or remove the "AllAlpha" setting
completely. Restart the kubelet service if the kubelet config file
if the kubelet config file is changed.
V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
V-242402 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242403 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242461 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242462 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242463 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242464 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242465 Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
V-242443 Upgrade Kubernetes to a supported version.
Ref: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html
== Summary controlplane ==
0 checks PASS
2 checks FAIL
9 checks WARN
0 checks INFO
[INFO] 3 Worker Node Security Configuration
[INFO] 3.1 DISA Category Code I
[WARN] V-242387 The Kubernetes Kubelet must have the read-only port flag disabled (Manual)
[PASS] V-242391 The Kubernetes Kubelet must have anonymous authentication disabled (Automated)
[PASS] V-242392 The Kubernetes kubelet must enable explicit authorization (Automated)
[FAIL] V-242397 The Kubernetes kubelet static PodPath must not enable static pods (Automated)
[WARN] V-242415 Secrets in Kubernetes must not be stored as environment variables.(Manual)
[FAIL] V-242434 Kubernetes Kubelet must enable kernel protection (Automated)
[PASS] V-242435 Kubernetes must prevent non-privileged users from executing privileged functions (Automated)
[FAIL] V-242393 Kubernetes Worker Nodes must not have sshd service running. (Automated)
[FAIL] V-242394 Kubernetes Worker Nodes must not have the sshd service enabled. (Automated)
[WARN] V-242395 Kubernetes dashboard must not be enabled. (Manual)
[PASS] V-242398 Kubernetes DynamicAuditing must not be enabled. (Automated)
[PASS] V-242399 Kubernetes DynamicKubeletConfig must not be enabled. (Automated)
[PASS] V-242404 Kubernetes Kubelet must deny hostname override (Automated)
[PASS] V-242406 The Kubernetes kubelet configuration file must be owned by root (Automated)
[PASS] V-242407 The Kubernetes kubelet configuration files must have file permissions set to 644 or more restrictive (Automated)
[WARN] V-242414 The Kubernetes cluster must use non-privileged host ports for user pods. (Manual)
[WARN] V-242442 Kubernetes must remove old components after updated versions have been installed. (Manual)
[WARN] V-242396 Kubernetes Kubectl cp command must give expected access and results. (Manual)
== Remediations node ==
V-242387 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
V-242397 Edit /var/lib/kubelet/config.yaml on each node to to remove the staticPodPath
Based on your system, restart the kubelet service. For example,
systemctl daemon-reload
systemctl restart kubelet.service
V-242415 Run the following command:
kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A
If any of the values returned reference environment variables
rewrite application code to read secrets from mounted secret files, rather than
from environment variables.
V-242434 If using a Kubelet config file, edit /var/lib/kubelet/config.yaml to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
V-242393 To stop the sshd service, run the command: systemctl stop sshd
V-242394 To disable the sshd service, run the command:
chkconfig sshd off
V-242395 Run the command: kubectl get pods --all-namespaces -l k8s-app=kubernetes-dashboard
If any resources are returned, this is a finding.
Fix Text: Delete the Kubernetes dashboard deployment with the following command:
kubectl delete deployment kubernetes-dashboard --namespace=kube-system
V-242414 For any of the pods that are using ports below 1024,
reconfigure the pod to use a service to map a host non-privileged
port to the pod port or reconfigure the image to use non-privileged ports.
V-242442 To view all pods and the images used to create the pods, from the Master node, run the following command:
kubectl get pods --all-namespaces -o jsonpath="{..image}" | \
tr -s '[[:space:]]' '\n' | \
sort | \
uniq -c
Review the images used for pods running within Kubernetes.
Remove any old pods that are using older images.
V-242396 If any Worker nodes are not using kubectl version 1.12.9 or newer, this is a finding.
Upgrade the Master and Worker nodes to the latest version of kubectl.
== Summary node ==
8 checks PASS
4 checks FAIL
6 checks WARN
0 checks INFO
[INFO] 4 Policies
[INFO] 4.1 Policies - DISA Category Code I
[WARN] V-242381 The Kubernetes Controller Manager must create unique service accounts for each work payload. (Manual)
[WARN] V-242383 User-managed resources must be created in dedicated namespaces. (Manual)
[WARN] V-242417 Kubernetes must separate user functionality. (Manual)
== Remediations policies ==
V-242381 Create explicit service accounts wherever a Kubernetes workload requires specific access
to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
V-242383 Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
V-242417 Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
== Summary policies ==
0 checks PASS
0 checks FAIL
3 checks WARN
0 checks INFO
[INFO] 5 Managed Services
[INFO] 5.1 DISA Category Code I
[INFO] V-242386 The Kubernetes API server must have the insecure port flag disabled | Component of EKS Control Plane
[INFO] V-242388 The Kubernetes API server must have the insecure bind address not set | Component of EKS Control Plane
[WARN] V-242436 The Kubernetes API server must have the ValidatingAdmissionWebhook enabled (manual)
[INFO] V-245542 Kubernetes API Server must disable basic authentication to protect information in transit | Component of EKS Control Plane
[INFO] 5.2 DISA Category Code II
[INFO] V-242376 The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of EKS Control Plane
[INFO] V-242377 The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of EKS Control Plane
[INFO] V-242378 The Kubernetes API Server must use TLS 1.2, at a minimum | Component of EKS Control Plane
[INFO] V-242379 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane
[INFO] V-242380 The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of EKS Control Plane
[INFO] V-242382 The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of EKS Control Plane
[INFO] V-242384 The Kubernetes Scheduler must have secure binding | Component of EKS Control Plane
[INFO] V-242385 The Kubernetes Controller Manager must have secure binding | Component of EKS Control Plane
[INFO] V-242389 The Kubernetes API server must have the secure port set | Component of EKS Control Plane
[INFO] V-242401 The Kubernetes API Server must have an audit policy set | Component of EKS Control Plane
[INFO] V-242402 The Kubernetes API Server must have an audit log path set | Component of EKS Control Plane
[INFO] V-242403 Kubernetes API Server must generate audit records | Component of EKS Control Plane
[INFO] V-242405 The Kubernetes manifests must be owned by root | Component of EKS Control Plane
[INFO] V-242408 The Kubernetes manifests must have least privileges | Component of EKS Control Plane
[INFO] V-242409 Kubernetes Controller Manager must disable profiling | Component of EKS Control Plane
[INFO] V-242410 The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242411 The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242412 The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242413 The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of EKS Control Plane
[INFO] V-242418 The Kubernetes API server must use approved cipher suites | Component of EKS Control Plane
[INFO] V-242419 Kubernetes API Server must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242420 Kubernetes Kubelet must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242421 Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242422 Kubernetes API Server must have a certificate for communication | Component of EKS Control Plane
[INFO] V-242423 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
[INFO] V-242424 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
[INFO] V-242425 Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of EKS Control Plane
[INFO] V-242426 Kubernetes etcd must enable client authentication to secure service | Component of EKS Control Plane
[INFO] V-242427 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane
[INFO] V-242428 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane
[INFO] V-242429 Kubernetes etcd must have the SSL Certificate Authority set | Component of EKS Control Plane
[INFO] V-242430 Kubernetes etcd must have a certificate for communication | Component of EKS Control Plane
[INFO] V-242431 Kubernetes etcd must have a key file for secure communication | Component of EKS Control Plane
[INFO] V-242432 Kubernetes etcd must have peer-cert-file set for secure communication | Component of EKS Control Plane
[INFO] V-242433 Kubernetes etcd must have a peer-key-file set for secure communication | Component of EKS Control Plane
[INFO] V-242438 Kubernetes API Server must configure timeouts to limit attack surface | Component of EKS Control Plane
[INFO] V-242444 The Kubernetes component manifests must be owned by root | Component of EKS Control Plane
[INFO] V-242445 The Kubernetes component etcd must be owned by etcd | Component of EKS Control Plane
[INFO] V-242446 The Kubernetes conf files must be owned by root | Component of EKS Control Plane
[INFO] V-242447 The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242448 The Kubernetes Kube Proxy must be owned by root | Component of EKS Control Plane
[INFO] V-242449 The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242450 The Kubernetes Kubelet certificate authority must be owned by root | Component of EKS Control Plane
[INFO] V-242451 The Kubernetes component PKI must be owned by root | Component of EKS Control Plane
[INFO] V-242452 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242453 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane
[INFO] V-242454 The Kubernetes kubeadm.conf must be owned by root | Component of EKS Control Plane
[INFO] V-242455 The Kubernetes kubeadm.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242456 The Kubernetes kubelet config must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242457 The Kubernetes kubelet config must be owned by root | Component of EKS Control Plane
[INFO] V-242458 The Kubernetes API Server must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242459 The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242460 The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242466 The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of EKS Control Plane
[INFO] V-242467 The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of EKS Control Plane
[INFO] V-242468 The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of EKS Control Plane
[INFO] V-245541 Kubernetes Kubelet must not disable timeouts | Component of EKS Control Plane
[INFO] V-245543 Kubernetes API Server must disable token authentication to protect information in transit | Component of EKS Control Plane
[INFO] V-245544 Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of EKS Control Plane
== Remediations managedservices ==
V-242436 Amazon EKS version 1.18 and later automatically enable ValidatingAdmissionWebhook
Ref: https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html
== Summary managedservices ==
0 checks PASS
0 checks FAIL
1 checks WARN
62 checks INFO
== Summary total ==
8 checks PASS
6 checks FAIL
19 checks WARN
62 checks INFO

40
internal/findings/publisher.go
View File

@@ -1,16 +1,14 @@
package findings
import (
"context"
"github.com/aws/aws-sdk-go-v2/service/securityhub"
"github.com/aws/aws-sdk-go-v2/service/securityhub/types"
"github.com/aws/aws-sdk-go/service/securityhub"
"github.com/aws/aws-sdk-go/service/securityhub/securityhubiface"
"github.com/pkg/errors"
)
// A Publisher represents an object that publishes finds to AWS Security Hub.
type Publisher struct {
client securityhub.Client // AWS Security Hub Service Client
client securityhubiface.SecurityHubAPI // AWS Security Hub Service Client
}
// A PublisherOutput represents an object that contains information about the service call.
@@ -18,26 +16,26 @@ type PublisherOutput struct {
// The number of findings that failed to import.
//
// FailedCount is a required field
FailedCount int32
FailedCount int64
// The list of findings that failed to import.
FailedFindings []types.ImportFindingsError
FailedFindings []*securityhub.ImportFindingsError
// The number of findings that were successfully imported.
//
// SuccessCount is a required field
SuccessCount int32
SuccessCount int64
}
// New creates a new Publisher.
func New(client securityhub.Client) *Publisher {
func New(client securityhubiface.SecurityHubAPI) *Publisher {
return &Publisher{
client: client,
}
}
// PublishFinding publishes findings to AWS Security Hub Service
func (p *Publisher) PublishFinding(finding []types.AwsSecurityFinding) (*PublisherOutput, error) {
func (p *Publisher) PublishFinding(finding []*securityhub.AwsSecurityFinding) (*PublisherOutput, error) {
o := PublisherOutput{}
i := securityhub.BatchImportFindingsInput{}
i.Findings = finding
@@ -47,20 +45,24 @@ func (p *Publisher) PublishFinding(finding []types.AwsSecurityFinding) (*Publish
batch := 100
for i := 0; i < len(finding); i += batch {
j := i + batch
if j > len(finding) {
j = len(finding)
}
i := securityhub.BatchImportFindingsInput{}
i.Findings = finding
r, err := p.client.BatchImportFindings(context.Background(), &i) // Process the batch.
r, err := p.client.BatchImportFindings(&i) // Process the batch.
if err != nil {
errs = errors.Wrap(err, "finding publish failed")
}
if r != nil {
if r.FailedCount != 0 {
o.FailedCount += r.FailedCount
}
if r.SuccessCount != 0 {
o.SuccessCount += r.SuccessCount
}
o.FailedFindings = append(o.FailedFindings, r.FailedFindings...)
if r.FailedCount != nil {
o.FailedCount += *r.FailedCount
}
if r.SuccessCount != nil {
o.SuccessCount += *r.SuccessCount
}
for _, ff := range r.FailedFindings {
o.FailedFindings = append(o.FailedFindings, ff)
}
}
return &o, errs

68
internal/findings/publisher_test.go Normal file
View File

@@ -0,0 +1,68 @@
package findings
import (
"testing"
"github.com/aws/aws-sdk-go/service/securityhub"
"github.com/aws/aws-sdk-go/service/securityhub/securityhubiface"
)
// Define a mock struct to be used in your unit tests of myFunc.
type MockSHClient struct {
securityhubiface.SecurityHubAPI
Batches int
NumberOfFinding int
}
func NewMockSHClient() *MockSHClient {
return &MockSHClient{}
}
func (m *MockSHClient) BatchImportFindings(input *securityhub.BatchImportFindingsInput) (*securityhub.BatchImportFindingsOutput, error) {
o := securityhub.BatchImportFindingsOutput{}
m.Batches++
m.NumberOfFinding = len(input.Findings)
return &o, nil
}
func TestPublisher_publishFinding(t *testing.T) {
type fields struct {
client *MockSHClient
}
type args struct {
finding []*securityhub.AwsSecurityFinding
}
tests := []struct {
name string
fields fields
args args
wantBatchCount int
wantFindingCount int
}{
{"Test single finding", fields{NewMockSHClient()}, args{makeFindings(1)}, 1, 1},
{"Test 150 finding should return 2 batches", fields{NewMockSHClient()}, args{makeFindings(150)}, 2, 150},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
p := New(tt.fields.client)
p.PublishFinding(tt.args.finding)
if tt.fields.client.NumberOfFinding != tt.wantFindingCount {
t.Errorf("Publisher.publishFinding() want = %v, got %v", tt.wantFindingCount, tt.fields.client.NumberOfFinding)
}
if tt.fields.client.Batches != tt.wantBatchCount {
t.Errorf("Publisher.publishFinding() want = %v, got %v", tt.wantBatchCount, tt.fields.client.Batches)
}
})
}
}
func makeFindings(count int) []*securityhub.AwsSecurityFinding {
var findings []*securityhub.AwsSecurityFinding
for i := 0; i < count; i++ {
t := securityhub.AwsSecurityFinding{}
findings = append(findings, &t)
}
return findings
}

12
job-ack.yaml
View File

@@ -9,16 +9,8 @@ spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:latest
command:
[
"kube-bench",
"run",
"--targets",
"node,policies,managedservices",
"--benchmark",
"ack-1.0",
]
image: aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node,policies,managedservices", "--benchmark", "ack-1.0"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet

5
job-aks.yaml
View File

@@ -9,9 +9,8 @@ spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:latest
command:
["kube-bench", "run", "--targets", "node", "--benchmark", "aks-1.0"]
image: aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "aks-1.0"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet

20
job-eks-asff.yaml
View File

@@ -32,22 +32,8 @@ spec:
- name: kube-bench
# Push the image to your ECR and then refer to it here
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
image: docker.io/aquasec/kube-bench:latest
command:
[
"kube-bench",
"run",
"--targets",
"node",
"--benchmark",
"eks-1.1.0",
"--asff",
]
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1", "--asff"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
@@ -59,7 +45,7 @@ spec:
mountPath: /etc/kubernetes
readOnly: true
- name: kube-bench-eks-config
mountPath: "/opt/kube-bench/cfg/eks-1.1.0/config.yaml"
mountPath: "/opt/kube-bench/cfg/eks-1.0.1/config.yaml"
subPath: config.yaml
readOnly: true
restartPolicy: Never

43
job-eks-stig.yaml
View File

@@ -1,43 +0,0 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: kube-bench
spec:
template:
spec:
hostPID: true
containers:
- name: kube-bench
# Push the image to your ECR and then refer to it here
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
image: docker.io/aquasec/kube-bench:latest
# To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
command:
[
"kube-bench",
"run",
"--benchmark",
"eks-stig-kubernetes-v1r6",
]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
- name: etc-systemd
mountPath: /etc/systemd
readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
restartPolicy: Never
volumes:
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
- name: etc-systemd
hostPath:
path: "/etc/systemd"
- name: etc-kubernetes
hostPath:
path: "/etc/kubernetes"

12
job-eks.yaml
View File

@@ -11,17 +11,9 @@ spec:
- name: kube-bench
# Push the image to your ECR and then refer to it here
# image: <ID.dkr.ecr.region.amazonaws.com/aquasec/kube-bench:ref>
image: docker.io/aquasec/kube-bench:latest
image: aquasec/kube-bench:latest
# To send findings to AWS Security Hub, refer to `job-eks-asff.yaml` instead
command:
[
"kube-bench",
"run",
"--targets",
"node",
"--benchmark",
"eks-1.1.0",
]
command: ["kube-bench", "run", "--targets", "node", "--benchmark", "eks-1.0.1"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet

12
job-gke.yaml
View File

@@ -9,16 +9,8 @@ spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:latest
command:
[
"kube-bench",
"run",
"--targets",
"node,policies,managedservices",
"--benchmark",
"gke-1.2.0",
]
image: aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node,policies,managedservices", "--benchmark", "gke-1.2.0"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet

5
job-iks.yaml
View File

@@ -9,9 +9,8 @@ spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:latest
command:
["kube-bench", "run", "--targets", "node", "--version", "1.20"]
image: aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node", "--version", "1.20"]
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet

17
job-master.yaml
View File

@@ -7,26 +7,15 @@ spec:
template:
spec:
hostPID: true
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: Exists
- matchExpressions:
- key: node-role.kubernetes.io/master
operator: Exists
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:latest
image: aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "master"]
volumeMounts:
- name: var-lib-etcd

2
job-node.yaml
View File

@@ -9,7 +9,7 @@ spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:latest
image: aquasec/kube-bench:latest
command: ["kube-bench", "run", "--targets", "node"]
volumeMounts:
- name: var-lib-etcd

2
job.yaml
View File

@@ -12,7 +12,7 @@ spec:
hostPID: true
containers:
- name: kube-bench
image: docker.io/aquasec/kube-bench:v0.6.14
image: aquasec/kube-bench:v0.6.8
command: ["kube-bench"]
volumeMounts:
- name: var-lib-etcd

19
makefile
View File

@@ -4,7 +4,6 @@ DOCKER_ORG ?= aquasec
VERSION ?= $(shell git rev-parse --short=7 HEAD)
KUBEBENCH_VERSION ?= $(shell git describe --tags --abbrev=0)
IMAGE_NAME ?= $(DOCKER_ORG)/$(BINARY):$(VERSION)
IMAGE_NAME_UBI ?= $(DOCKER_ORG)/$(BINARY):$(VERSION)-ubi
GOOS ?= linux
BUILD_OS := linux
uname := $(shell uname -s)
@@ -46,12 +45,6 @@ build-docker:
--build-arg KUBEBENCH_VERSION=$(KUBEBENCH_VERSION) \
-t $(IMAGE_NAME) .
build-docker-ubi:
docker build -f Dockerfile.ubi --build-arg BUILD_DATE=$(shell date -u +"%Y-%m-%dT%H:%M:%SZ") \
--build-arg VCS_REF=$(VERSION) \
--build-arg KUBEBENCH_VERSION=$(KUBEBENCH_VERSION) \
-t $(IMAGE_NAME_UBI) .
# unit tests
tests:
GO111MODULE=on go test -vet all -short -race -timeout 30s -coverprofile=coverage.txt -covermode=atomic ./...
@@ -85,15 +78,3 @@ kind-run: kind-push
kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \
kubectl logs job/kube-bench > ./test.data && \
diff ./test.data integration/testdata/Expected_output.data
kind-run-stig: KUBECONFIG = "./kubeconfig.kube-bench"
kind-run-stig: kind-push
sed "s/\$${VERSION}/$(VERSION)/" ./hack/kind-stig.yaml > ./hack/kind-stig.test.yaml
kind get kubeconfig --name="$(KIND_PROFILE)" > $(KUBECONFIG)
-KUBECONFIG=$(KUBECONFIG) \
kubectl delete job kube-bench
KUBECONFIG=$(KUBECONFIG) \
kubectl apply -f ./hack/kind-stig.test.yaml && \
kubectl wait --for=condition=complete job.batch/kube-bench --timeout=60s && \
kubectl logs job/kube-bench > ./test.data && \
diff ./test.data integration/testdata/Expected_output_stig.data