Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update rke-cis-1.24 benchmarks: corrected errors and tests #1570

Merged
merged 1 commit into from
Feb 15, 2024
Merged

update rke-cis-1.24 benchmarks: corrected errors and tests #1570

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion cfg/rke-cis-1.24/controlplane.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ groups:
text: "Logging"
checks:
- id: 3.2.1
text: "Ensure that a minimal audit policy is created (Manual)"
text: "Ensure that a minimal audit policy is created (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
Expand Down
74 changes: 36 additions & 38 deletions cfg/rke-cis-1.24/master.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,15 +9,16 @@ groups:
text: "Control Plane Node Configuration Files"
checks:
- id: 1.1.1
text: "Ensure that the API server pod specification file permissions are set to 600 or more restrictive (Automated)"
type: "skip"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf;else echo \"File not found\"; fi'"
tests:
bin_op: or
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
value: "644"
- flag: "File not found"
remediation: |
Cluster provisioned by RKE doesn't require or maintain a configuration file for kube-apiserver.
All configuration is passed in as arguments at container run time.
Expand Down Expand Up @@ -138,7 +139,7 @@ groups:
scored: false

- id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
text: "Ensure that the Container Network Interface file ownership is set to root:root (Automated)"
audit: |
ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
Expand All @@ -150,7 +151,7 @@ groups:
Run the below command (based on the file location on your system) on the control plane node.
For example,
chown root:root <path/to/cni/files>
scored: false
scored: true

- id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
Expand Down Expand Up @@ -286,11 +287,13 @@ groups:
scored: true

- id: 1.1.20
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Manual)"
audit: "find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a"
use_multiple_values: true
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive (Automated)"
audit: |
if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' | xargs stat -c permissions=%a;else echo "File not found"; fi
tests:
bin_op: or
test_items:
- flag: "File not found"
- flag: "permissions"
compare:
op: bitmask
Expand All @@ -299,23 +302,25 @@ groups:
Run the below command (based on the file location on your system) on the control plane node.
For example,
find /node/etc/kubernetes/ssl/ -name '*.pem' ! -name '*key.pem' -exec chmod -R 600 {} +
scored: false
scored: true

- id: 1.1.21
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
audit: "find /node/etc/kubernetes/ssl/ -name '*key.pem' | xargs stat -c permissions=%a"
use_multiple_values: true
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated)"
audit: |
if test -n "$(find /node/etc/kubernetes/ssl/ -name '*.pem')"; then find /node/etc/kubernetes/ssl/ -name '*.pem' | xargs stat -c permissions=%a;else echo \"File not found\"; fi
tests:
bin_op: or
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
- flag: "File not found"
remediation: |
Run the below command (based on the file location on your system) on the control plane node.
For example,
find /node/etc/kubernetes/ssl/ -name '*key.pem' -exec chmod -R 600 {} +
scored: false
scored: true

- id: 1.2
text: "API Server"
Expand Down Expand Up @@ -369,20 +374,17 @@ groups:
scored: true

- id: 1.2.4
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
text: "Ensure that the --kubelet-https argument is set to true (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
test_items:
- flag: "--kubelet-client-certificate"
- flag: "--kubelet-client-key"
- flag: "--kubelet-https"
compare:
op: eq
value: true
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and kubelets. Then, edit API server pod specification file
$apiserverconf on the control plane node and set the
kubelet client certificate and key parameters as below.
--kubelet-client-certificate=<path/to/client-certificate-file>
--kubelet-client-key=<path/to/client-key-file>
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the control plane node and remove the --kubelet-https parameter.
scored: true

- id: 1.2.5
Expand All @@ -406,7 +408,6 @@ groups:

- id: 1.2.6
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"
type: "skip"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
Expand Down Expand Up @@ -471,7 +472,7 @@ groups:
scored: true

- id: 1.2.10
text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
text: "Ensure that the admission control plugin EventRateLimit is set (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
Expand All @@ -486,7 +487,7 @@ groups:
and set the below parameters.
--enable-admission-plugins=...,EventRateLimit,...
--admission-control-config-file=<path/to/configuration/file>
scored: false
scored: true

- id: 1.2.11
text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
Expand Down Expand Up @@ -521,7 +522,7 @@ groups:
on the control plane node and set the --enable-admission-plugins parameter to include
AlwaysPullImages.
--enable-admission-plugins=...,AlwaysPullImages,...
scored: false
scored: true

- id: 1.2.13
text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Automated)"
Expand All @@ -542,7 +543,7 @@ groups:
on the control plane node and set the --enable-admission-plugins parameter to include
SecurityContextDeny, unless PodSecurityPolicy is already in place.
--enable-admission-plugins=...,SecurityContextDeny,...
scored: false
scored: true

- id: 1.2.14
text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
Expand Down Expand Up @@ -810,8 +811,7 @@ groups:
scored: true

- id: 1.2.30
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
type: "skip"
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
Expand All @@ -822,11 +822,10 @@ groups:
Then, edit the API server pod specification file $apiserverconf
on the control plane node and set the --encryption-provider-config parameter to the path of that file.
For example, --encryption-provider-config=</path/to/EncryptionConfig/File>
scored: false
scored: true

- id: 1.2.31
text: "Ensure that encryption providers are appropriately configured (Manual)"
type: "skip"
text: "Ensure that encryption providers are appropriately configured (Automated)"
audit: |
ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%')
if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi
Expand All @@ -840,7 +839,7 @@ groups:
Follow the Kubernetes documentation and configure a EncryptionConfig file.
In this file, choose aescbc, kms or secretbox as the encryption provider.
Enabling encryption changes how data can be recovered as data is encrypted.
scored: false
scored: true

- id: 1.2.32
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"
Expand All @@ -862,13 +861,13 @@ groups:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384
scored: false
scored: true

- id: 1.3
text: "Controller Manager"
checks:
- id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
Expand Down Expand Up @@ -941,7 +940,6 @@ groups:

- id: 1.3.6
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
type: "skip"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
bin_op: or
Expand Down
21 changes: 8 additions & 13 deletions cfg/rke-cis-1.24/node.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ groups:
checks:
- id: 4.1.1
text: "Ensure that the kubelet service file permissions are set to 600 or more restrictive (Automated)"
type: "skip"
audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
tests:
test_items:
Expand All @@ -37,7 +36,7 @@ groups:
scored: true

- id: 4.1.3
text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Manual)"
text: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
tests:
bin_op: or
Expand All @@ -54,10 +53,9 @@ groups:
scored: true

- id: 4.1.4
text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
tests:
bin_op: or
test_items:
- flag: root:root
remediation: |
Expand Down Expand Up @@ -121,8 +119,7 @@ groups:
scored: true

- id: 4.1.9
text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Manual)"
type: "skip"
text: "If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
tests:
test_items:
Expand All @@ -136,8 +133,7 @@ groups:
scored: true

- id: 4.1.10
text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Manual)"
type: "skip"
text: "If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Automated)"
audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
tests:
test_items:
Expand Down Expand Up @@ -323,7 +319,7 @@ groups:
# This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
type: "skip"
type: "manual"
audit: "/bin/ps -fC $kubeletbin "
tests:
test_items:
Expand Down Expand Up @@ -361,8 +357,7 @@ groups:
scored: true

- id: 4.2.10
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
type: "skip"
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
Expand All @@ -384,7 +379,7 @@ groups:
systemctl daemon-reload
systemctl restart kubelet.service
When generating serving certificates, functionality could break in conjunction with hostname overrides which are required for certain cloud providers.
scored: false
scored: true

- id: 4.2.11
text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
Expand Down Expand Up @@ -415,7 +410,7 @@ groups:

- id: 4.2.12
text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
type: "skip"
type: "manual"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests:
Expand Down
Loading
Loading