diff --git a/cfg/cis-1.20/config.yaml b/cfg/cis-1.20/config.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b7839455a64a067a15886474164b6d4476c49133
--- /dev/null
+++ b/cfg/cis-1.20/config.yaml
@@ -0,0 +1,2 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml
diff --git a/cfg/cis-1.20/controlplane.yaml b/cfg/cis-1.20/controlplane.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6ed4453121f980b32e9f28b526d11c2b319a53fb
--- /dev/null
+++ b/cfg/cis-1.20/controlplane.yaml
@@ -0,0 +1,39 @@
+---
+controls:
+version: "cis-1.6"
+id: 3
+text: "Control Plane Configuration"
+type: "controlplane"
+groups:
+ - id: 3.1
+ text: "Authentication and Authorization"
+ checks:
+ - id: 3.1.1
+ text: "Client certificate authentication should not be used for users (Manual)"
+ type: "manual"
+ remediation: |
+ Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
+ implemented in place of client certificates.
+ scored: false
+
+ - id: 3.2
+ text: "Logging"
+ checks:
+ - id: 3.2.1
+ text: "Ensure that a minimal audit policy is created (Manual)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-policy-file"
+ set: true
+ remediation: |
+ Create an audit policy file for your cluster.
+ scored: false
+
+ - id: 3.2.2
+ text: "Ensure that the audit policy covers key security concerns (Manual)"
+ type: "manual"
+ remediation: |
+ Consider modification of the audit policy in use on the cluster to include these items, at a
+ minimum.
+ scored: false
diff --git a/cfg/cis-1.20/etcd.yaml b/cfg/cis-1.20/etcd.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6e9196ba5479885ab3ba65ea0115d61d136e267c
--- /dev/null
+++ b/cfg/cis-1.20/etcd.yaml
@@ -0,0 +1,135 @@
+---
+controls:
+version: "cis-1.6"
+id: 2
+text: "Etcd Node Configuration"
+type: "etcd"
+groups:
+ - id: 2
+ text: "Etcd Node Configuration Files"
+ checks:
+ - id: 2.1
+ text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
+ audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "--cert-file"
+ env: "ETCD_CERT_FILE"
+ - flag: "--key-file"
+ env: "ETCD_KEY_FILE"
+ remediation: |
+ Follow the etcd service documentation and configure TLS encryption.
+ Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
+ on the master node and set the below parameters.
+ --cert-file=</path/to/ca-file>
+ --key-file=</path/to/key-file>
+ scored: true
+
+ - id: 2.2
+ text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
+ audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+ tests:
+ test_items:
+ - flag: "--client-cert-auth"
+ env: "ETCD_CLIENT_CERT_AUTH"
+ compare:
+ op: eq
+ value: true
+ remediation: |
+ Edit the etcd pod specification file $etcdconf on the master
+ node and set the below parameter.
+ --client-cert-auth="true"
+ scored: true
+
+ - id: 2.3
+ text: "Ensure that the --auto-tls argument is not set to true (Automated)"
+ audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--auto-tls"
+ env: "ETCD_AUTO_TLS"
+ set: false
+ - flag: "--auto-tls"
+ env: "ETCD_AUTO_TLS"
+ compare:
+ op: eq
+ value: false
+ remediation: |
+ Edit the etcd pod specification file $etcdconf on the master
+ node and either remove the --auto-tls parameter or set it to false.
+ --auto-tls=false
+ scored: true
+
+ - id: 2.4
+ text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
+ set as appropriate (Automated)"
+ audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "--peer-cert-file"
+ env: "ETCD_PEER_CERT_FILE"
+ - flag: "--peer-key-file"
+ env: "ETCD_PEER_KEY_FILE"
+ remediation: |
+ Follow the etcd service documentation and configure peer TLS encryption as appropriate
+ for your etcd cluster.
+ Then, edit the etcd pod specification file $etcdconf on the
+ master node and set the below parameters.
+ --peer-client-file=</path/to/peer-cert-file>
+ --peer-key-file=</path/to/peer-key-file>
+ scored: true
+
+ - id: 2.5
+ text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
+ audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+ tests:
+ test_items:
+ - flag: "--peer-client-cert-auth"
+ env: "ETCD_PEER_CLIENT_CERT_AUTH"
+ compare:
+ op: eq
+ value: true
+ remediation: |
+ Edit the etcd pod specification file $etcdconf on the master
+ node and set the below parameter.
+ --peer-client-cert-auth=true
+ scored: true
+
+ - id: 2.6
+ text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
+ audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--peer-auto-tls"
+ env: "ETCD_PEER_AUTO_TLS"
+ set: false
+ - flag: "--peer-auto-tls"
+ env: "ETCD_PEER_AUTO_TLS"
+ compare:
+ op: eq
+ value: false
+ remediation: |
+ Edit the etcd pod specification file $etcdconf on the master
+ node and either remove the --peer-auto-tls parameter or set it to false.
+ --peer-auto-tls=false
+ scored: true
+
+ - id: 2.7
+ text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
+ audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+ tests:
+ test_items:
+ - flag: "--trusted-ca-file"
+ env: "ETCD_TRUSTED_CA_FILE"
+ remediation: |
+ [Manual test]
+ Follow the etcd documentation and create a dedicated certificate authority setup for the
+ etcd service.
+ Then, edit the etcd pod specification file $etcdconf on the
+ master node and set the below parameter.
+ --trusted-ca-file=</path/to/ca-file>
+ scored: false
diff --git a/cfg/cis-1.20/master.yaml b/cfg/cis-1.20/master.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..327d7a3a9c221143154eb0ec5850106ac5206172
--- /dev/null
+++ b/cfg/cis-1.20/master.yaml
@@ -0,0 +1,989 @@
+---
+controls:
+version: "cis-1.6"
+id: 1
+text: "Master Node Security Configuration"
+type: "master"
+groups:
+ - id: 1.1
+ text: "Master Node Configuration Files"
+ checks:
+ - id: 1.1.1
+ text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)"
+ audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c permissions=%a $apiserverconf; fi'"
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the
+ master node.
+ For example, chmod 644 $apiserverconf
+ scored: true
+
+ - id: 1.1.2
+ text: "Ensure that the API server pod specification file ownership is set to root:root (Automated)"
+ audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chown root:root $apiserverconf
+ scored: true
+
+ - id: 1.1.3
+ text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)"
+ audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c permissions=%a $controllermanagerconf; fi'"
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chmod 644 $controllermanagerconf
+ scored: true
+
+ - id: 1.1.4
+ text: "Ensure that the controller manager pod specification file ownership is set to root:root (Automated)"
+ audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chown root:root $controllermanagerconf
+ scored: true
+
+ - id: 1.1.5
+ text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)"
+ audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c permissions=%a $schedulerconf; fi'"
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chmod 644 $schedulerconf
+ scored: true
+
+ - id: 1.1.6
+ text: "Ensure that the scheduler pod specification file ownership is set to root:root (Automated)"
+ audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chown root:root $schedulerconf
+ scored: true
+
+ - id: 1.1.7
+ text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)"
+ audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c permissions=%a; fi'"
+ use_multiple_values: true
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chmod 644 $etcdconf
+ scored: true
+
+ - id: 1.1.8
+ text: "Ensure that the etcd pod specification file ownership is set to root:root (Automated)"
+ audit: "/bin/sh -c 'if test -e $etcdconf; then find $etcdconf -name '*etcd*' | xargs stat -c %U:%G; fi'"
+ use_multiple_values: true
+ tests:
+ test_items:
+ - flag: "root:root"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chown root:root $etcdconf
+ scored: true
+
+ - id: 1.1.9
+ text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)"
+ audit: |
+ ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c permissions=%a
+ find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c permissions=%a
+ use_multiple_values: true
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chmod 644 <path/to/cni/files>
+ scored: false
+
+ - id: 1.1.10
+ text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
+ audit: |
+ ps -ef | grep $kubeletbin | grep -- --cni-conf-dir | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs xargs --no-run-if-empty stat -c %U:%G
+ find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
+ use_multiple_values: true
+ tests:
+ test_items:
+ - flag: "root:root"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chown root:root <path/to/cni/files>
+ scored: false
+
+ - id: 1.1.11
+ text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
+ audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c permissions=%a
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "700"
+ remediation: |
+ On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
+ from the below command:
+ ps -ef | grep etcd
+ Run the below command (based on the etcd data directory found above). For example,
+ chmod 700 /var/lib/etcd
+ scored: true
+
+ - id: 1.1.12
+ text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
+ audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
+ tests:
+ test_items:
+ - flag: "etcd:etcd"
+ remediation: |
+ On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
+ from the below command:
+ ps -ef | grep etcd
+ Run the below command (based on the etcd data directory found above).
+ For example, chown etcd:etcd /var/lib/etcd
+ scored: true
+
+ - id: 1.1.13
+ text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)"
+ audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c permissions=%a /etc/kubernetes/admin.conf; fi'"
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chmod 644 /etc/kubernetes/admin.conf
+ scored: true
+
+ - id: 1.1.14
+ text: "Ensure that the admin.conf file ownership is set to root:root (Automated)"
+ audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chown root:root /etc/kubernetes/admin.conf
+ scored: true
+
+ - id: 1.1.15
+ text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)"
+ audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c permissions=%a $schedulerkubeconfig; fi'"
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chmod 644 $schedulerkubeconfig
+ scored: true
+
+ - id: 1.1.16
+ text: "Ensure that the scheduler.conf file ownership is set to root:root (Automated)"
+ audit: "/bin/sh -c 'if test -e $schedulerkubeconfig; then stat -c %U:%G $schedulerkubeconfig; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chown root:root $schedulerkubeconfig
+ scored: true
+
+ - id: 1.1.17
+ text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)"
+ audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c permissions=%a $controllermanagerkubeconfig; fi'"
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chmod 644 $controllermanagerkubeconfig
+ scored: true
+
+ - id: 1.1.18
+ text: "Ensure that the controller-manager.conf file ownership is set to root:root (Automated)"
+ audit: "/bin/sh -c 'if test -e $controllermanagerkubeconfig; then stat -c %U:%G $controllermanagerkubeconfig; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chown root:root $controllermanagerkubeconfig
+ scored: true
+
+ - id: 1.1.19
+ text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)"
+ audit: "find /etc/kubernetes/pki/ | xargs stat -c %U:%G"
+ use_multiple_values: true
+ tests:
+ test_items:
+ - flag: "root:root"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chown -R root:root /etc/kubernetes/pki/
+ scored: true
+
+ - id: 1.1.20
+ text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)"
+ audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a"
+ use_multiple_values: true
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chmod -R 644 /etc/kubernetes/pki/*.crt
+ scored: false
+
+ - id: 1.1.21
+ text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
+ audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a"
+ use_multiple_values: true
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "600"
+ remediation: |
+ Run the below command (based on the file location on your system) on the master node.
+ For example,
+ chmod -R 600 /etc/kubernetes/pki/*.key
+ scored: false
+
+ - id: 1.2
+ text: "API Server"
+ checks:
+ - id: 1.2.1
+ text: "Ensure that the --anonymous-auth argument is set to false (Manual)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--anonymous-auth"
+ compare:
+ op: eq
+ value: false
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the below parameter.
+ --anonymous-auth=false
+ scored: false
+
+ - id: 1.2.2
+ text: "Ensure that the --token-auth-file parameter is not set (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--token-auth-file"
+ set: false
+ remediation: |
+ Follow the documentation and configure alternate mechanisms for authentication. Then,
+ edit the API server pod specification file $apiserverconf
+ on the master node and remove the --token-auth-file=<filename> parameter.
+ scored: true
+
+ - id: 1.2.3
+ text: "Ensure that the --kubelet-https argument is set to true (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--kubelet-https"
+ compare:
+ op: eq
+ value: true
+ - flag: "--kubelet-https"
+ set: false
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and remove the --kubelet-https parameter.
+ scored: true
+
+ - id: 1.2.4
+ text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "--kubelet-client-certificate"
+ - flag: "--kubelet-client-key"
+ remediation: |
+ Follow the Kubernetes documentation and set up the TLS connection between the
+ apiserver and kubelets. Then, edit API server pod specification file
+ $apiserverconf on the master node and set the
+ kubelet client certificate and key parameters as below.
+ --kubelet-client-certificate=<path/to/client-certificate-file>
+ --kubelet-client-key=<path/to/client-key-file>
+ scored: true
+
+ - id: 1.2.5
+ text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--kubelet-certificate-authority"
+ remediation: |
+ Follow the Kubernetes documentation and setup the TLS connection between
+ the apiserver and kubelets. Then, edit the API server pod specification file
+ $apiserverconf on the master node and set the
+ --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
+ --kubelet-certificate-authority=<ca-string>
+ scored: true
+
+ - id: 1.2.6
+ text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--authorization-mode"
+ compare:
+ op: nothave
+ value: "AlwaysAllow"
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the --authorization-mode parameter to values other than AlwaysAllow.
+ One such example could be as below.
+ --authorization-mode=RBAC
+ scored: true
+
+ - id: 1.2.7
+ text: "Ensure that the --authorization-mode argument includes Node (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--authorization-mode"
+ compare:
+ op: has
+ value: "Node"
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the --authorization-mode parameter to a value that includes Node.
+ --authorization-mode=Node,RBAC
+ scored: true
+
+ - id: 1.2.8
+ text: "Ensure that the --authorization-mode argument includes RBAC (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--authorization-mode"
+ compare:
+ op: has
+ value: "RBAC"
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the --authorization-mode parameter to a value that includes RBAC,
+ for example:
+ --authorization-mode=Node,RBAC
+ scored: true
+
+ - id: 1.2.9
+ text: "Ensure that the admission control plugin EventRateLimit is set (Manual)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--enable-admission-plugins"
+ compare:
+ op: has
+ value: "EventRateLimit"
+ remediation: |
+ Follow the Kubernetes documentation and set the desired limits in a configuration file.
+ Then, edit the API server pod specification file $apiserverconf
+ and set the below parameters.
+ --enable-admission-plugins=...,EventRateLimit,...
+ --admission-control-config-file=<path/to/configuration/file>
+ scored: false
+
+ - id: 1.2.10
+ text: "Ensure that the admission control plugin AlwaysAdmit is not set (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--enable-admission-plugins"
+ compare:
+ op: nothave
+ value: AlwaysAdmit
+ - flag: "--enable-admission-plugins"
+ set: false
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and either remove the --enable-admission-plugins parameter, or set it to a
+ value that does not include AlwaysAdmit.
+ scored: true
+
+ - id: 1.2.11
+ text: "Ensure that the admission control plugin AlwaysPullImages is set (Manual)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--enable-admission-plugins"
+ compare:
+ op: has
+ value: "AlwaysPullImages"
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the --enable-admission-plugins parameter to include
+ AlwaysPullImages.
+ --enable-admission-plugins=...,AlwaysPullImages,...
+ scored: false
+
+ - id: 1.2.12
+ text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--enable-admission-plugins"
+ compare:
+ op: has
+ value: "SecurityContextDeny"
+ - flag: "--enable-admission-plugins"
+ compare:
+ op: has
+ value: "PodSecurityPolicy"
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the --enable-admission-plugins parameter to include
+ SecurityContextDeny, unless PodSecurityPolicy is already in place.
+ --enable-admission-plugins=...,SecurityContextDeny,...
+ scored: false
+
+ - id: 1.2.13
+ text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--disable-admission-plugins"
+ compare:
+ op: nothave
+ value: "ServiceAccount"
+ - flag: "--disable-admission-plugins"
+ set: false
+ remediation: |
+ Follow the documentation and create ServiceAccount objects as per your environment.
+ Then, edit the API server pod specification file $apiserverconf
+ on the master node and ensure that the --disable-admission-plugins parameter is set to a
+ value that does not include ServiceAccount.
+ scored: true
+
+ - id: 1.2.14
+ text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--disable-admission-plugins"
+ compare:
+ op: nothave
+ value: "NamespaceLifecycle"
+ - flag: "--disable-admission-plugins"
+ set: false
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the --disable-admission-plugins parameter to
+ ensure it does not include NamespaceLifecycle.
+ scored: true
+
+ - id: 1.2.15
+ text: "Ensure that the admission control plugin PodSecurityPolicy is set (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--enable-admission-plugins"
+ compare:
+ op: has
+ value: "PodSecurityPolicy"
+ remediation: |
+ Follow the documentation and create Pod Security Policy objects as per your environment.
+ Then, edit the API server pod specification file $apiserverconf
+ on the master node and set the --enable-admission-plugins parameter to a
+ value that includes PodSecurityPolicy:
+ --enable-admission-plugins=...,PodSecurityPolicy,...
+ Then restart the API Server.
+ scored: true
+
+ - id: 1.2.16
+ text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--enable-admission-plugins"
+ compare:
+ op: has
+ value: "NodeRestriction"
+ remediation: |
+ Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets.
+ Then, edit the API server pod specification file $apiserverconf
+ on the master node and set the --enable-admission-plugins parameter to a
+ value that includes NodeRestriction.
+ --enable-admission-plugins=...,NodeRestriction,...
+ scored: true
+
+ - id: 1.2.17
+ text: "Ensure that the --insecure-bind-address argument is not set (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--insecure-bind-address"
+ set: false
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and remove the --insecure-bind-address parameter.
+ scored: true
+
+ - id: 1.2.18
+ text: "Ensure that the --insecure-port argument is set to 0 (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--insecure-port"
+ compare:
+ op: eq
+ value: 0
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the below parameter.
+ --insecure-port=0
+ scored: true
+
+ - id: 1.2.19
+ text: "Ensure that the --secure-port argument is not set to 0 (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--secure-port"
+ compare:
+ op: gt
+ value: 0
+ - flag: "--secure-port"
+ set: false
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and either remove the --secure-port parameter or
+ set it to a different (non-zero) desired port.
+ scored: true
+
+ - id: 1.2.20
+ text: "Ensure that the --profiling argument is set to false (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--profiling"
+ compare:
+ op: eq
+ value: false
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the below parameter.
+ --profiling=false
+ scored: true
+
+ - id: 1.2.21
+ text: "Ensure that the --audit-log-path argument is set (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-path"
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the --audit-log-path parameter to a suitable path and
+ file where you would like audit logs to be written, for example:
+ --audit-log-path=/var/log/apiserver/audit.log
+ scored: true
+
+ - id: 1.2.22
+ text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-maxage"
+ compare:
+ op: gte
+ value: 30
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
+ --audit-log-maxage=30
+ scored: true
+
+ - id: 1.2.23
+ text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-maxbackup"
+ compare:
+ op: gte
+ value: 10
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
+ value.
+ --audit-log-maxbackup=10
+ scored: true
+
+ - id: 1.2.24
+ text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-maxsize"
+ compare:
+ op: gte
+ value: 100
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
+ For example, to set it as 100 MB:
+ --audit-log-maxsize=100
+ scored: true
+
+ - id: 1.2.25
+ text: "Ensure that the --request-timeout argument is set as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ type: manual
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ and set the below parameter as appropriate and if needed.
+ For example,
+ --request-timeout=300s
+ scored: true
+
+ - id: 1.2.26
+ text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--service-account-lookup"
+ set: false
+ - flag: "--service-account-lookup"
+ compare:
+ op: eq
+ value: true
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the below parameter.
+ --service-account-lookup=true
+ Alternatively, you can delete the --service-account-lookup parameter from this file so
+ that the default takes effect.
+ scored: true
+
+ - id: 1.2.27
+ text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--service-account-key-file"
+ remediation: |
+ Edit the API server pod specification file $apiserverconf
+ on the master node and set the --service-account-key-file parameter
+ to the public key file for service accounts:
+ --service-account-key-file=<filename>
+ scored: true
+
+ - id: 1.2.28
+ text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "--etcd-certfile"
+ - flag: "--etcd-keyfile"
+ remediation: |
+ Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
+ Then, edit the API server pod specification file $apiserverconf
+ on the master node and set the etcd certificate and key file parameters.
+ --etcd-certfile=<path/to/client-certificate-file>
+ --etcd-keyfile=<path/to/client-key-file>
+ scored: true
+
+ - id: 1.2.29
+ text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "--tls-cert-file"
+ - flag: "--tls-private-key-file"
+ remediation: |
+ Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
+ Then, edit the API server pod specification file $apiserverconf
+ on the master node and set the TLS certificate and private key file parameters.
+ --tls-cert-file=<path/to/tls-certificate-file>
+ --tls-private-key-file=<path/to/tls-key-file>
+ scored: true
+
+ - id: 1.2.30
+ text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--client-ca-file"
+ remediation: |
+ Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
+ Then, edit the API server pod specification file $apiserverconf
+ on the master node and set the client certificate authority file.
+ --client-ca-file=<path/to/client-ca-file>
+ scored: true
+
+ - id: 1.2.31
+ text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--etcd-cafile"
+ remediation: |
+ Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd.
+ Then, edit the API server pod specification file $apiserverconf
+ on the master node and set the etcd certificate authority file parameter.
+ --etcd-cafile=<path/to/ca-file>
+ scored: true
+
+ - id: 1.2.32
+ text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--encryption-provider-config"
+ remediation: |
+ Follow the Kubernetes documentation and configure a EncryptionConfig file.
+ Then, edit the API server pod specification file $apiserverconf
+ on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
+ scored: false
+
+ - id: 1.2.33
+ text: "Ensure that encryption providers are appropriately configured (Manual)"
+ audit: |
+ ENCRYPTION_PROVIDER_CONFIG=$(ps -ef | grep $apiserverbin | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%')
+ if test -e $ENCRYPTION_PROVIDER_CONFIG; then grep -A1 'providers:' $ENCRYPTION_PROVIDER_CONFIG | tail -n1 | grep -o "[A-Za-z]*" | sed 's/^/provider=/'; fi
+ tests:
+ test_items:
+ - flag: "provider"
+ compare:
+ op: valid_elements
+ value: "aescbc,kms,secretbox"
+ remediation: |
+ Follow the Kubernetes documentation and configure a EncryptionConfig file.
+ In this file, choose aescbc, kms or secretbox as the encryption provider.
+ scored: false
+
+ - id: 1.2.34
+ text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
+ audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--tls-cipher-suites"
+ compare:
+ op: valid_elements
+ value: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
+ remediation: |
+ Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+ on the master node and set the below parameter.
+ --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM
+ _SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM
+ _SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM
+ _SHA384
+ scored: false
+
+ - id: 1.3
+ text: "Controller Manager"
+ checks:
+ - id: 1.3.1
+ text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--terminated-pod-gc-threshold"
+ remediation: |
+ Edit the Controller Manager pod specification file $controllermanagerconf
+ on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
+ for example:
+ --terminated-pod-gc-threshold=10
+ scored: false
+
+ - id: 1.3.2
+ text: "Ensure that the --profiling argument is set to false (Automated)"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--profiling"
+ compare:
+ op: eq
+ value: false
+ remediation: |
+ Edit the Controller Manager pod specification file $controllermanagerconf
+ on the master node and set the below parameter.
+ --profiling=false
+ scored: true
+
+ - id: 1.3.3
+ text: "Ensure that the --use-service-account-credentials argument is set to true (Automated)"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--use-service-account-credentials"
+ compare:
+ op: noteq
+ value: false
+ remediation: |
+ Edit the Controller Manager pod specification file $controllermanagerconf
+ on the master node to set the below parameter.
+ --use-service-account-credentials=true
+ scored: true
+
+ - id: 1.3.4
+ text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--service-account-private-key-file"
+ remediation: |
+ Edit the Controller Manager pod specification file $controllermanagerconf
+ on the master node and set the --service-account-private-key-file parameter
+ to the private key file for service accounts.
+ --service-account-private-key-file=<filename>
+ scored: true
+
+ - id: 1.3.5
+ text: "Ensure that the --root-ca-file argument is set as appropriate (Automated)"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--root-ca-file"
+ remediation: |
+ Edit the Controller Manager pod specification file $controllermanagerconf
+ on the master node and set the --root-ca-file parameter to the certificate bundle file`.
+ --root-ca-file=<path/to/file>
+ scored: true
+
+ - id: 1.3.6
+ text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--feature-gates"
+ compare:
+ op: nothave
+ value: "RotateKubeletServerCertificate=false"
+ set: true
+ - flag: "--feature-gates"
+ set: false
+ remediation: |
+ Edit the Controller Manager pod specification file $controllermanagerconf
+ on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
+ --feature-gates=RotateKubeletServerCertificate=true
+ scored: true
+
+ - id: 1.3.7
+ text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
+ audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--bind-address"
+ compare:
+ op: eq
+ value: "127.0.0.1"
+ - flag: "--bind-address"
+ set: false
+ remediation: |
+ Edit the Controller Manager pod specification file $controllermanagerconf
+ on the master node and ensure the correct value for the --bind-address parameter
+ scored: true
+
+ - id: 1.4
+ text: "Scheduler"
+ checks:
+ - id: 1.4.1
+ text: "Ensure that the --profiling argument is set to false (Automated)"
+ audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--profiling"
+ compare:
+ op: eq
+ value: false
+ remediation: |
+ Edit the Scheduler pod specification file $schedulerconf file
+ on the master node and set the below parameter.
+ --profiling=false
+ scored: true
+
+ - id: 1.4.2
+ text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
+ audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--bind-address"
+ compare:
+ op: eq
+ value: "127.0.0.1"
+ - flag: "--bind-address"
+ set: false
+ remediation: |
+ Edit the Scheduler pod specification file $schedulerconf
+ on the master node and ensure the correct value for the --bind-address parameter
+ scored: true
diff --git a/cfg/cis-1.20/node.yaml b/cfg/cis-1.20/node.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7f787910d86ceb650674a30effb74da2a7f83c92
--- /dev/null
+++ b/cfg/cis-1.20/node.yaml
@@ -0,0 +1,463 @@
+---
+controls:
+version: "cis-1.6"
+id: 4
+text: "Worker Node Security Configuration"
+type: "node"
+groups:
+ - id: 4.1
+ text: "Worker Node Configuration Files"
+ checks:
+ - id: 4.1.1
+ text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"
+ audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c permissions=%a $kubeletsvc; fi'' '
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker node.
+ For example,
+ chmod 644 $kubeletsvc
+ scored: true
+
+ - id: 4.1.2
+ text: "Ensure that the kubelet service file ownership is set to root:root (Automated)"
+ audit: '/bin/sh -c ''if test -e $kubeletsvc; then stat -c %U:%G $kubeletsvc; fi'' '
+ tests:
+ test_items:
+ - flag: root:root
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker node.
+ For example,
+ chown root:root $kubeletsvc
+ scored: true
+
+ - id: 4.1.3
+ text: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"
+ audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "permissions"
+ set: true
+ compare:
+ op: bitmask
+ value: "644"
+ - flag: "$proxykubeconfig"
+ set: false
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker node.
+ For example,
+ chmod 644 $proxykubeconfig
+ scored: false
+
+ - id: 4.1.4
+ text: "If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)"
+ audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
+ tests:
+ bin_op: or
+ test_items:
+ - flag: root:root
+ - flag: "$proxykubeconfig"
+ set: false
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker node.
+ For example, chown root:root $proxykubeconfig
+ scored: false
+
+ - id: 4.1.5
+ text: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)"
+ audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c permissions=%a $kubeletkubeconfig; fi'' '
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker node.
+ For example,
+ chmod 644 $kubeletkubeconfig
+ scored: true
+
+ - id: 4.1.6
+ text: "Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)"
+ audit: '/bin/sh -c ''if test -e $kubeletkubeconfig; then stat -c %U:%G $kubeletkubeconfig; fi'' '
+ tests:
+ test_items:
+ - flag: root:root
+ remediation: |
+ Run the below command (based on the file location on your system) on the each worker node.
+ For example,
+ chown root:root $kubeletkubeconfig
+ scored: false
+
+ - id: 4.1.7
+ text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
+ audit: |
+ CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+ if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
+ if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the following command to modify the file permissions of the
+ --client-ca-file chmod 644 <filename>
+ scored: false
+
+ - id: 4.1.8
+ text: "Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
+ audit: |
+ CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
+ if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
+ if test -e $CAFILE; then stat -c %U:%G $CAFILE; fi
+ tests:
+ test_items:
+ - flag: root:root
+ compare:
+ op: eq
+ value: root:root
+ remediation: |
+ Run the following command to modify the ownership of the --client-ca-file.
+ chown root:root <filename>
+ scored: false
+
+ - id: 4.1.9
+ text: "Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)"
+ audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c permissions=%a $kubeletconf; fi'' '
+ tests:
+ test_items:
+ - flag: "permissions"
+ compare:
+ op: bitmask
+ value: "644"
+ remediation: |
+ Run the following command (using the config file location identified in the Audit step)
+ chmod 644 $kubeletconf
+ scored: true
+
+ - id: 4.1.10
+ text: "Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)"
+ audit: '/bin/sh -c ''if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'' '
+ tests:
+ test_items:
+ - flag: root:root
+ remediation: |
+ Run the following command (using the config file location identified in the Audit step)
+ chown root:root $kubeletconf
+ scored: true
+
+ - id: 4.2
+ text: "Kubelet"
+ checks:
+ - id: 4.2.1
+ text: "Ensure that the anonymous-auth argument is set to false (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: "--anonymous-auth"
+ path: '{.authentication.anonymous.enabled}'
+ compare:
+ op: eq
+ value: false
+ remediation: |
+ If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
+ false.
+ If using executable arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --anonymous-auth=false
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+
+ - id: 4.2.2
+ text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --authorization-mode
+ path: '{.authorization.mode}'
+ compare:
+ op: nothave
+ value: AlwaysAllow
+ remediation: |
+ If using a Kubelet config file, edit the file to set authorization: mode to Webhook. If
+ using executable arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_AUTHZ_ARGS variable.
+ --authorization-mode=Webhook
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+
+ - id: 4.2.3
+ text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --client-ca-file
+ path: '{.authentication.x509.clientCAFile}'
+ remediation: |
+ If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
+ the location of the client CA file.
+ If using command line arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_AUTHZ_ARGS variable.
+ --client-ca-file=<path/to/client-ca-file>
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+
+ - id: 4.2.4
+ text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--read-only-port"
+ path: '{.readOnlyPort}'
+ compare:
+ op: eq
+ value: 0
+ - flag: "--read-only-port"
+ path: '{.readOnlyPort}'
+ set: false
+ remediation: |
+ If using a Kubelet config file, edit the file to set readOnlyPort to 0.
+ If using command line arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --read-only-port=0
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: false
+
+ - id: 4.2.5
+ text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --streaming-connection-idle-timeout
+ path: '{.streamingConnectionIdleTimeout}'
+ compare:
+ op: noteq
+ value: 0
+ - flag: --streaming-connection-idle-timeout
+ path: '{.streamingConnectionIdleTimeout}'
+ set: false
+ bin_op: or
+ remediation: |
+ If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
+ value other than 0.
+ If using command line arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --streaming-connection-idle-timeout=5m
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: false
+
+ - id: 4.2.6
+ text: "Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --protect-kernel-defaults
+ path: '{.protectKernelDefaults}'
+ compare:
+ op: eq
+ value: true
+ remediation: |
+ If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
+ If using command line arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ --protect-kernel-defaults=true
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+
+ - id: 4.2.7
+ text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --make-iptables-util-chains
+ path: '{.makeIPTablesUtilChains}'
+ compare:
+ op: eq
+ value: true
+ - flag: --make-iptables-util-chains
+ path: '{.makeIPTablesUtilChains}'
+ set: false
+ bin_op: or
+ remediation: |
+ If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true.
+ If using command line arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ remove the --make-iptables-util-chains argument from the
+ KUBELET_SYSTEM_PODS_ARGS variable.
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: true
+
+ - id: 4.2.8
+ text: "Ensure that the --hostname-override argument is not set (Manual)"
+ # This is one of those properties that can only be set as a command line argument.
+ # To check if the property is set as expected, we need to parse the kubelet command
+ # instead reading the Kubelet Configuration file.
+ audit: "/bin/ps -fC $kubeletbin "
+ tests:
+ test_items:
+ - flag: --hostname-override
+ set: false
+ remediation: |
+ Edit the kubelet service file $kubeletsvc
+ on each worker node and remove the --hostname-override argument from the
+ KUBELET_SYSTEM_PODS_ARGS variable.
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: false
+
+ - id: 4.2.9
+ text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --event-qps
+ path: '{.eventRecordQPS}'
+ compare:
+ op: eq
+ value: 0
+ remediation: |
+ If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate level.
+ If using command line arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: false
+
+ - id: 4.2.10
+ text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --tls-cert-file
+ path: '{.tlsCertFile}'
+ - flag: --tls-private-key-file
+ path: '{.tlsPrivateKeyFile}'
+ remediation: |
+ If using a Kubelet config file, edit the file to set tlsCertFile to the location
+ of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
+ to the location of the corresponding private key file.
+ If using command line arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
+ --tls-cert-file=<path/to/tls-certificate-file>
+ --tls-private-key-file=<path/to/tls-key-file>
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: false
+
+ - id: 4.2.11
+ text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --rotate-certificates
+ path: '{.rotateCertificates}'
+ compare:
+ op: eq
+ value: true
+ - flag: --rotate-certificates
+ path: '{.rotateCertificates}'
+ set: false
+ bin_op: or
+ remediation: |
+ If using a Kubelet config file, edit the file to add the line rotateCertificates: true or
+ remove it altogether to use the default value.
+ If using command line arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ remove --rotate-certificates=false argument from the KUBELET_CERTIFICATE_ARGS
+ variable.
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: false
+
+ - id: 4.2.12
+ text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: RotateKubeletServerCertificate
+ path: '{.featureGates.RotateKubeletServerCertificate}'
+ compare:
+ op: nothave
+ value: false
+ - flag: RotateKubeletServerCertificate
+ path: '{.featureGates.RotateKubeletServerCertificate}'
+ set: false
+ remediation: |
+ Edit the kubelet service file $kubeletsvc
+ on each worker node and set the below parameter in KUBELET_CERTIFICATE_ARGS variable.
+ --feature-gates=RotateKubeletServerCertificate=true
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: false
+
+ - id: 4.2.13
+ text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
+ audit: "/bin/ps -fC $kubeletbin"
+ audit_config: "/bin/cat $kubeletconf"
+ tests:
+ test_items:
+ - flag: --tls-cipher-suites
+ path: '{range .tlsCipherSuites[:]}{}{'',''}{end}'
+ compare:
+ op: valid_elements
+ value: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+ remediation: |
+ If using a Kubelet config file, edit the file to set TLSCipherSuites: to
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+ or to a subset of these values.
+ If using executable arguments, edit the kubelet service file
+ $kubeletsvc on each worker node and
+ set the --tls-cipher-suites parameter as follows, or to a subset of these values.
+ --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+ Based on your system, restart the kubelet service. For example:
+ systemctl daemon-reload
+ systemctl restart kubelet.service
+ scored: false
diff --git a/cfg/cis-1.20/policies.yaml b/cfg/cis-1.20/policies.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0fc178d2f3d86e81e0bcf875cf1f65422fcec8a2
--- /dev/null
+++ b/cfg/cis-1.20/policies.yaml
@@ -0,0 +1,238 @@
+---
+controls:
+version: "cis-1.6"
+id: 5
+text: "Kubernetes Policies"
+type: "policies"
+groups:
+ - id: 5.1
+ text: "RBAC and Service Accounts"
+ checks:
+ - id: 5.1.1
+ text: "Ensure that the cluster-admin role is only used where required (Manual)"
+ type: "manual"
+ remediation: |
+ Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
+ if they need this role or if they could use a role with fewer privileges.
+ Where possible, first bind users to a lower privileged role and then remove the
+ clusterrolebinding to the cluster-admin role :
+ kubectl delete clusterrolebinding [name]
+ scored: false
+
+ - id: 5.1.2
+ text: "Minimize access to secrets (Manual)"
+ type: "manual"
+ remediation: |
+ Where possible, remove get, list and watch access to secret objects in the cluster.
+ scored: false
+
+ - id: 5.1.3
+ text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
+ type: "manual"
+ remediation: |
+ Where possible replace any use of wildcards in clusterroles and roles with specific
+ objects or actions.
+ scored: false
+
+ - id: 5.1.4
+ text: "Minimize access to create pods (Manual)"
+ type: "manual"
+ remediation: |
+ Where possible, remove create access to pod objects in the cluster.
+ scored: false
+
+ - id: 5.1.5
+ text: "Ensure that default service accounts are not actively used. (Manual)"
+ type: "manual"
+ remediation: |
+ Create explicit service accounts wherever a Kubernetes workload requires specific access
+ to the Kubernetes API server.
+ Modify the configuration of each default service account to include this value
+ automountServiceAccountToken: false
+ scored: false
+
+ - id: 5.1.6
+ text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
+ type: "manual"
+ remediation: |
+ Modify the definition of pods and service accounts which do not need to mount service
+ account tokens to disable it.
+ scored: false
+
+ - id: 5.1.7
+ text: "Avoid use of system:masters group (Manual)"
+ type: "manual"
+ remediation: |
+ Remove the system:masters group from all users in the cluster.
+ scored: false
+
+ - id: 5.1.8
+ text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
+ type: "manual"
+ remediation: |
+ Where possible, remove the impersonate, bind and escalate rights from subjects.
+ scored: false
+
+ - id: 5.2
+ text: "Pod Security Policies"
+ checks:
+ - id: 5.2.1
+ text: "Minimize the admission of privileged containers (Automated)"
+ type: "manual"
+ remediation: |
+ Create a PSP as described in the Kubernetes documentation, ensuring that
+ the .spec.privileged field is omitted or set to false.
+ scored: false
+
+ - id: 5.2.2
+ text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
+ type: "manual"
+ remediation: |
+ Create a PSP as described in the Kubernetes documentation, ensuring that the
+ .spec.hostPID field is omitted or set to false.
+ scored: false
+
+ - id: 5.2.3
+ text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
+ type: "manual"
+ remediation: |
+ Create a PSP as described in the Kubernetes documentation, ensuring that the
+ .spec.hostIPC field is omitted or set to false.
+ scored: false
+
+ - id: 5.2.4
+ text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
+ type: "manual"
+ remediation: |
+ Create a PSP as described in the Kubernetes documentation, ensuring that the
+ .spec.hostNetwork field is omitted or set to false.
+ scored: false
+
+ - id: 5.2.5
+ text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
+ type: "manual"
+ remediation: |
+ Create a PSP as described in the Kubernetes documentation, ensuring that the
+ .spec.allowPrivilegeEscalation field is omitted or set to false.
+ scored: false
+
+ - id: 5.2.6
+ text: "Minimize the admission of root containers (Automated)"
+ type: "manual"
+ remediation: |
+ Create a PSP as described in the Kubernetes documentation, ensuring that the
+ .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
+ UIDs not including 0.
+ scored: false
+
+ - id: 5.2.7
+ text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
+ type: "manual"
+ remediation: |
+ Create a PSP as described in the Kubernetes documentation, ensuring that the
+ .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
+ scored: false
+
+ - id: 5.2.8
+ text: "Minimize the admission of containers with added capabilities (Automated)"
+ type: "manual"
+ remediation: |
+ Ensure that allowedCapabilities is not present in PSPs for the cluster unless
+ it is set to an empty array.
+ scored: false
+
+ - id: 5.2.9
+ text: "Minimize the admission of containers with capabilities assigned (Manual)"
+ type: "manual"
+ remediation: |
+ Review the use of capabilites in applications running on your cluster. Where a namespace
+ contains applicaions which do not require any Linux capabities to operate consider adding
+ a PSP which forbids the admission of containers which do not drop all capabilities.
+ scored: false
+
+ - id: 5.3
+ text: "Network Policies and CNI"
+ checks:
+ - id: 5.3.1
+ text: "Ensure that the CNI in use supports Network Policies (Manual)"
+ type: "manual"
+ remediation: |
+ If the CNI plugin in use does not support network policies, consideration should be given to
+ making use of a different plugin, or finding an alternate mechanism for restricting traffic
+ in the Kubernetes cluster.
+ scored: false
+
+ - id: 5.3.2
+ text: "Ensure that all Namespaces have Network Policies defined (Manual)"
+ type: "manual"
+ remediation: |
+ Follow the documentation and create NetworkPolicy objects as you need them.
+ scored: false
+
+ - id: 5.4
+ text: "Secrets Management"
+ checks:
+ - id: 5.4.1
+ text: "Prefer using secrets as files over secrets as environment variables (Manual)"
+ type: "manual"
+ remediation: |
+ if possible, rewrite application code to read secrets from mounted secret files, rather than
+ from environment variables.
+ scored: false
+
+ - id: 5.4.2
+ text: "Consider external secret storage (Manual)"
+ type: "manual"
+ remediation: |
+ Refer to the secrets management options offered by your cloud provider or a third-party
+ secrets management solution.
+ scored: false
+
+ - id: 5.5
+ text: "Extensible Admission Control"
+ checks:
+ - id: 5.5.1
+ text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
+ type: "manual"
+ remediation: |
+ Follow the Kubernetes documentation and setup image provenance.
+ scored: false
+
+ - id: 5.7
+ text: "General Policies"
+ checks:
+ - id: 5.7.1
+ text: "Create administrative boundaries between resources using namespaces (Manual)"
+ type: "manual"
+ remediation: |
+ Follow the documentation and create namespaces for objects in your deployment as you need
+ them.
+ scored: false
+
+ - id: 5.7.2
+ text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
+ type: "manual"
+ remediation: |
+ Use security context to enable the docker/default seccomp profile in your pod definitions.
+ An example is as below:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ scored: false
+
+ - id: 5.7.3
+ text: "Apply Security Context to Your Pods and Containers (Manual)"
+ type: "manual"
+ remediation: |
+ Follow the Kubernetes documentation and apply security contexts to your pods. For a
+ suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
+ Containers.
+ scored: false
+
+ - id: 5.7.4
+ text: "The default namespace should not be used (Manual)"
+ type: "manual"
+ remediation: |
+ Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
+ resources and that all new resources are created in a specific namespace.
+ scored: false
diff --git a/cfg/config.yaml b/cfg/config.yaml
index ac6a0883680c2852e551bb747b1faa040991f850..2f8db81cf96faa04b41205d301cf197c6f3d4eea 100644
--- a/cfg/config.yaml
+++ b/cfg/config.yaml
@@ -234,7 +234,8 @@ version_mapping:
"1.16": "cis-1.6"
"1.17": "cis-1.6"
"1.18": "cis-1.6"
- "1.19": "cis-1.6"
+ "1.19": "cis-1.20"
+ "1.20": "cis-1.20"
"eks-1.0": "eks-1.0"
"gke-1.0": "gke-1.0"
"ocp-3.10": "rh-0.7"
@@ -256,6 +257,12 @@ target_mapping:
- "controlplane"
- "etcd"
- "policies"
+ "cis-1.20":
+ - "master"
+ - "node"
+ - "controlplane"
+ - "etcd"
+ - "policies"
"gke-1.0":
- "master"
- "node"
diff --git a/cmd/common_test.go b/cmd/common_test.go
index 29e417e7c0ab757e76bb2dd9aa973e6342d43c58..e0f38d049f411b7282b3e7dabdcaefb5e0cb64a9 100644
--- a/cmd/common_test.go
+++ b/cmd/common_test.go
@@ -237,7 +237,9 @@ func TestMapToCISVersion(t *testing.T) {
{kubeVersion: "1.16", succeed: true, exp: "cis-1.6"},
{kubeVersion: "1.17", succeed: true, exp: "cis-1.6"},
{kubeVersion: "1.18", succeed: true, exp: "cis-1.6"},
- {kubeVersion: "1.19", succeed: true, exp: "cis-1.6"},
+ {kubeVersion: "1.19", succeed: true, exp: "cis-1.20"},
+ {kubeVersion: "1.20", succeed: true, exp: "cis-1.20"},
+ {kubeVersion: "1.21", succeed: true, exp: "cis-1.20"},
{kubeVersion: "gke-1.0", succeed: true, exp: "gke-1.0"},
{kubeVersion: "ocp-3.10", succeed: true, exp: "rh-0.7"},
{kubeVersion: "ocp-3.11", succeed: true, exp: "rh-0.7"},
diff --git a/integration/integration_test.go b/integration/integration_test.go
index fb5782269a6b1c86f10d4bb27057ce7334dceae4..a2a2c14f4e08246fb092a97cf7245cf497ca6f2c 100644
--- a/integration/integration_test.go
+++ b/integration/integration_test.go
@@ -80,14 +80,14 @@ func testCheckCISWithKind(t *testing.T, testdataDir string) {
}
}
-func TestCheckCIS15WithKind(t *testing.T) {
- testCheckCISWithKind(t, "cis-1.5")
-}
-
func TestCheckCIS16WithKind(t *testing.T) {
testCheckCISWithKind(t, "cis-1.6")
}
+func TestCheckCIS120WithKind(t *testing.T) {
+ testCheckCISWithKind(t, "cis-1.20")
+}
+
// This is simple "diff" between 2 strings containing multiple lines.
// It's not a comprehensive diff between the 2 strings.
// It does not inditcate when lines are deleted.
diff --git a/integration/testdata/cis-1.5/add-tls-kind.yaml b/integration/testdata/cis-1.20/add-tls-kind.yaml
similarity index 92%
rename from integration/testdata/cis-1.5/add-tls-kind.yaml
rename to integration/testdata/cis-1.20/add-tls-kind.yaml
index ac5db31c4c0dc04c7f0249ef47161bcf3a205915..5b5e2a0a06324529fdf0c1cfdaade6d3ab18c2d2 100644
--- a/integration/testdata/cis-1.5/add-tls-kind.yaml
+++ b/integration/testdata/cis-1.20/add-tls-kind.yaml
@@ -16,4 +16,4 @@ kubeadmConfigPatchesJson6902:
nodes:
# the control plane node config
- role: control-plane
- image: "kindest/node:v1.15.0"
+ image: "kindest/node:v1.20.0"
diff --git a/integration/testdata/cis-1.5/job-master.data b/integration/testdata/cis-1.20/job-master.data
similarity index 58%
rename from integration/testdata/cis-1.5/job-master.data
rename to integration/testdata/cis-1.20/job-master.data
index 39fe5acf0dd286cd87dc9ab22a77763c821a0687..e6932dbd17de272d22b0f69d208543191bc4c217 100644
--- a/integration/testdata/cis-1.5/job-master.data
+++ b/integration/testdata/cis-1.20/job-master.data
@@ -1,73 +1,72 @@
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 Master Node Configuration Files
-[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored)
-[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Scored)
-[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Scored)
-[PASS] 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Scored)
-[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)
-[WARN] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)
-[PASS] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)
-[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)
-[PASS] 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.14 Ensure that the admin.conf file ownership is set to root:root (Scored)
-[PASS] 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored)
-[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
-[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
-[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)
-[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)
+[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
+[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
+[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
+[PASS] 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)
+[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)
+[WARN] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)
+[PASS] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)
+[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
+[PASS] 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)
+[PASS] 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)
+[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)
+[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)
+[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)
+[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)
[INFO] 1.2 API Server
-[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
-[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
-[PASS] 1.2.3 Ensure that the --token-auth-file parameter is not set (Scored)
-[PASS] 1.2.4 Ensure that the --kubelet-https argument is set to true (Scored)
-[PASS] 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)
-[FAIL] 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)
-[PASS] 1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
-[PASS] 1.2.8 Ensure that the --authorization-mode argument includes Node (Scored)
-[PASS] 1.2.9 Ensure that the --authorization-mode argument includes RBAC (Scored)
-[WARN] 1.2.10 Ensure that the admission control plugin EventRateLimit is set (Not Scored)
-[PASS] 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Scored)
-[WARN] 1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Not Scored)
-[WARN] 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Not Scored)
-[PASS] 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Scored)
-[PASS] 1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Scored)
-[FAIL] 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
-[PASS] 1.2.17 Ensure that the admission control plugin NodeRestriction is set (Scored)
-[PASS] 1.2.18 Ensure that the --insecure-bind-address argument is not set (Scored)
-[PASS] 1.2.19 Ensure that the --insecure-port argument is set to 0 (Scored)
-[PASS] 1.2.20 Ensure that the --secure-port argument is not set to 0 (Scored)
-[FAIL] 1.2.21 Ensure that the --profiling argument is set to false (Scored)
-[FAIL] 1.2.22 Ensure that the --audit-log-path argument is set (Scored)
-[FAIL] 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)
-[FAIL] 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)
-[FAIL] 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)
-[WARN] 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Scored)
-[PASS] 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored)
-[PASS] 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Scored)
-[PASS] 1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)
-[PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
-[PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
-[PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
-[WARN] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)
-[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Not Scored)
-[WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
+[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
+[PASS] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)
+[PASS] 1.2.3 Ensure that the --kubelet-https argument is set to true (Automated)
+[PASS] 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)
+[FAIL] 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
+[PASS] 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
+[PASS] 1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)
+[PASS] 1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)
+[WARN] 1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)
+[PASS] 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
+[WARN] 1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)
+[WARN] 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
+[PASS] 1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)
+[PASS] 1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
+[FAIL] 1.2.15 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
+[PASS] 1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)
+[PASS] 1.2.17 Ensure that the --insecure-bind-address argument is not set (Automated)
+[PASS] 1.2.18 Ensure that the --insecure-port argument is set to 0 (Automated)
+[PASS] 1.2.19 Ensure that the --secure-port argument is not set to 0 (Automated)
+[FAIL] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
+[FAIL] 1.2.21 Ensure that the --audit-log-path argument is set (Automated)
+[FAIL] 1.2.22 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
+[FAIL] 1.2.23 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
+[FAIL] 1.2.24 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
+[WARN] 1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)
+[PASS] 1.2.26 Ensure that the --service-account-lookup argument is set to true (Automated)
+[PASS] 1.2.27 Ensure that the --service-account-key-file argument is set as appropriate (Automated)
+[PASS] 1.2.28 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)
+[PASS] 1.2.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)
+[PASS] 1.2.30 Ensure that the --client-ca-file argument is set as appropriate (Automated)
+[PASS] 1.2.31 Ensure that the --etcd-cafile argument is set as appropriate (Automated)
+[WARN] 1.2.32 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)
+[WARN] 1.2.33 Ensure that encryption providers are appropriately configured (Manual)
+[WARN] 1.2.34 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)
[INFO] 1.3 Controller Manager
-[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)
-[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
-[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
-[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
-[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Scored)
-[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
-[PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Scored)
+[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)
+[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Automated)
+[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)
+[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
+[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)
+[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
+[PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
[INFO] 1.4 Scheduler
-[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Scored)
-[PASS] 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Scored)
+[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
+[PASS] 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
== Remediations master ==
1.1.9 Run the below command (based on the file location on your system) on the master node.
@@ -88,73 +87,76 @@ For example, chown etcd:etcd /var/lib/etcd
on the master node and set the below parameter.
--anonymous-auth=false
-1.2.6 Follow the Kubernetes documentation and setup the TLS connection between
+1.2.5 Follow the Kubernetes documentation and setup the TLS connection between
the apiserver and kubelets. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the
--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>
-1.2.10 Follow the Kubernetes documentation and set the desired limits in a configuration file.
+1.2.9 Follow the Kubernetes documentation and set the desired limits in a configuration file.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
and set the below parameters.
--enable-admission-plugins=...,EventRateLimit,...
--admission-control-config-file=<path/to/configuration/file>
-1.2.12 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.11 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins parameter to include
AlwaysPullImages.
--enable-admission-plugins=...,AlwaysPullImages,...
-1.2.13 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.12 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins parameter to include
SecurityContextDeny, unless PodSecurityPolicy is already in place.
--enable-admission-plugins=...,SecurityContextDeny,...
-1.2.16 Follow the documentation and create Pod Security Policy objects as per your environment.
+1.2.15 Follow the documentation and create Pod Security Policy objects as per your environment.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins parameter to a
value that includes PodSecurityPolicy:
--enable-admission-plugins=...,PodSecurityPolicy,...
Then restart the API Server.
-1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--profiling=false
-1.2.22 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-path parameter to a suitable path and
file where you would like audit logs to be written, for example:
--audit-log-path=/var/log/apiserver/audit.log
-1.2.23 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.22 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
--audit-log-maxage=30
-1.2.24 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.23 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
value.
--audit-log-maxbackup=10
-1.2.25 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.24 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
For example, to set it as 100 MB:
--audit-log-maxsize=100
-1.2.26 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.25 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
and set the below parameter as appropriate and if needed.
For example,
--request-timeout=300s
-1.2.33 Follow the Kubernetes documentation and configure a EncryptionConfig file.
+1.2.32 Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
-1.2.34 Follow the Kubernetes documentation and configure a EncryptionConfig file.
+1.2.33 Follow the Kubernetes documentation and configure a EncryptionConfig file.
In this file, choose aescbc, kms or secretbox as the encryption provider.
-1.2.35 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.34 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
---tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM
+_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM
+_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM
+_SHA384
1.3.1 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
@@ -171,13 +173,13 @@ on the master node and set the below parameter.
== Summary master ==
-44 checks PASS
+43 checks PASS
10 checks FAIL
11 checks WARN
0 checks INFO
== Summary total ==
-44 checks PASS
+43 checks PASS
10 checks FAIL
11 checks WARN
0 checks INFO
diff --git a/integration/testdata/cis-1.5/job-node.data b/integration/testdata/cis-1.20/job-node.data
similarity index 61%
rename from integration/testdata/cis-1.5/job-node.data
rename to integration/testdata/cis-1.20/job-node.data
index 792ef672a34ea708bbfd2b925c372077331ac496..a1b2adb5950a1d12fde4f212f94b63544188a595 100644
--- a/integration/testdata/cis-1.5/job-node.data
+++ b/integration/testdata/cis-1.20/job-node.data
@@ -1,31 +1,35 @@
[INFO] 4 Worker Node Security Configuration
[INFO] 4.1 Worker Node Configuration Files
-[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
-[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Scored)
-[PASS] 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
-[PASS] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
-[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
-[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
-[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
-[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
-[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
-[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
+[FAIL] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
+[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
+[PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
+[PASS] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
+[PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)
+[PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)
+[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)
+[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)
+[PASS] 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)
+[PASS] 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)
[INFO] 4.2 Kubelet
-[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Scored)
-[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
-[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
-[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
-[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
-[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored)
-[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Scored)
-[PASS] 4.2.8 Ensure that the --hostname-override argument is not set (Not Scored)
-[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored)
-[FAIL] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
-[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Scored)
-[PASS] 4.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
-[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
+[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)
+[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
+[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
+[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)
+[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
+[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
+[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
+[PASS] 4.2.8 Ensure that the --hostname-override argument is not set (Manual)
+[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)
+[WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
+[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)
+[PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
+[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
== Remediations node ==
+4.1.1 Run the below command (based on the file location on your system) on the each worker node.
+For example,
+chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
@@ -57,13 +61,13 @@ systemctl restart kubelet.service
== Summary node ==
-20 checks PASS
+19 checks PASS
2 checks FAIL
-1 checks WARN
+2 checks WARN
0 checks INFO
== Summary total ==
-20 checks PASS
+19 checks PASS
2 checks FAIL
-1 checks WARN
+2 checks WARN
0 checks INFO
\ No newline at end of file
diff --git a/integration/testdata/cis-1.5/job.data b/integration/testdata/cis-1.20/job.data
similarity index 65%
rename from integration/testdata/cis-1.5/job.data
rename to integration/testdata/cis-1.20/job.data
index 246839b9ed15e1d731f44b0ad21090bc9bbc0f4b..b135904ef81715812f5fab009102a9384d089eae 100644
--- a/integration/testdata/cis-1.5/job.data
+++ b/integration/testdata/cis-1.20/job.data
@@ -1,73 +1,72 @@
[INFO] 1 Master Node Security Configuration
[INFO] 1.1 Master Node Configuration Files
-[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored)
-[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Scored)
-[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Scored)
-[PASS] 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Scored)
-[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)
-[WARN] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)
-[PASS] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)
-[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)
-[PASS] 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.14 Ensure that the admin.conf file ownership is set to root:root (Scored)
-[PASS] 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored)
-[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
-[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
-[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
-[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)
-[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)
+[PASS] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
+[PASS] 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated)
+[PASS] 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Automated)
+[PASS] 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Automated)
+[WARN] 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual)
+[WARN] 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual)
+[PASS] 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)
+[FAIL] 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)
+[PASS] 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.14 Ensure that the admin.conf file ownership is set to root:root (Automated)
+[PASS] 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Automated)
+[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)
+[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated)
+[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)
+[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)
+[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)
[INFO] 1.2 API Server
-[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
-[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
-[PASS] 1.2.3 Ensure that the --token-auth-file parameter is not set (Scored)
-[PASS] 1.2.4 Ensure that the --kubelet-https argument is set to true (Scored)
-[PASS] 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)
-[FAIL] 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)
-[PASS] 1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
-[PASS] 1.2.8 Ensure that the --authorization-mode argument includes Node (Scored)
-[PASS] 1.2.9 Ensure that the --authorization-mode argument includes RBAC (Scored)
-[WARN] 1.2.10 Ensure that the admission control plugin EventRateLimit is set (Not Scored)
-[PASS] 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Scored)
-[WARN] 1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Not Scored)
-[WARN] 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Not Scored)
-[PASS] 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Scored)
-[PASS] 1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Scored)
-[FAIL] 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Scored)
-[PASS] 1.2.17 Ensure that the admission control plugin NodeRestriction is set (Scored)
-[PASS] 1.2.18 Ensure that the --insecure-bind-address argument is not set (Scored)
-[PASS] 1.2.19 Ensure that the --insecure-port argument is set to 0 (Scored)
-[PASS] 1.2.20 Ensure that the --secure-port argument is not set to 0 (Scored)
-[FAIL] 1.2.21 Ensure that the --profiling argument is set to false (Scored)
-[FAIL] 1.2.22 Ensure that the --audit-log-path argument is set (Scored)
-[FAIL] 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)
-[FAIL] 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)
-[FAIL] 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)
-[WARN] 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Scored)
-[PASS] 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored)
-[PASS] 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Scored)
-[PASS] 1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)
-[PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
-[PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
-[PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
-[WARN] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)
-[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Not Scored)
-[WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
+[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Manual)
+[PASS] 1.2.2 Ensure that the --token-auth-file parameter is not set (Automated)
+[PASS] 1.2.3 Ensure that the --kubelet-https argument is set to true (Automated)
+[PASS] 1.2.4 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)
+[FAIL] 1.2.5 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)
+[PASS] 1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
+[PASS] 1.2.7 Ensure that the --authorization-mode argument includes Node (Automated)
+[PASS] 1.2.8 Ensure that the --authorization-mode argument includes RBAC (Automated)
+[WARN] 1.2.9 Ensure that the admission control plugin EventRateLimit is set (Manual)
+[PASS] 1.2.10 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
+[WARN] 1.2.11 Ensure that the admission control plugin AlwaysPullImages is set (Manual)
+[WARN] 1.2.12 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
+[PASS] 1.2.13 Ensure that the admission control plugin ServiceAccount is set (Automated)
+[PASS] 1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
+[FAIL] 1.2.15 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
+[PASS] 1.2.16 Ensure that the admission control plugin NodeRestriction is set (Automated)
+[PASS] 1.2.17 Ensure that the --insecure-bind-address argument is not set (Automated)
+[PASS] 1.2.18 Ensure that the --insecure-port argument is set to 0 (Automated)
+[PASS] 1.2.19 Ensure that the --secure-port argument is not set to 0 (Automated)
+[FAIL] 1.2.20 Ensure that the --profiling argument is set to false (Automated)
+[FAIL] 1.2.21 Ensure that the --audit-log-path argument is set (Automated)
+[FAIL] 1.2.22 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)
+[FAIL] 1.2.23 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)
+[FAIL] 1.2.24 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)
+[WARN] 1.2.25 Ensure that the --request-timeout argument is set as appropriate (Automated)
+[PASS] 1.2.26 Ensure that the --service-account-lookup argument is set to true (Automated)
+[PASS] 1.2.27 Ensure that the --service-account-key-file argument is set as appropriate (Automated)
+[PASS] 1.2.28 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)
+[PASS] 1.2.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)
+[PASS] 1.2.30 Ensure that the --client-ca-file argument is set as appropriate (Automated)
+[PASS] 1.2.31 Ensure that the --etcd-cafile argument is set as appropriate (Automated)
+[WARN] 1.2.32 Ensure that the --encryption-provider-config argument is set as appropriate (Manual)
+[WARN] 1.2.33 Ensure that encryption providers are appropriately configured (Manual)
+[WARN] 1.2.34 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)
[INFO] 1.3 Controller Manager
-[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)
-[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
-[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
-[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
-[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Scored)
-[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
-[PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Scored)
+[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)
+[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Automated)
+[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated)
+[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)
+[PASS] 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Automated)
+[PASS] 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
+[PASS] 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
[INFO] 1.4 Scheduler
-[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Scored)
-[PASS] 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Scored)
+[FAIL] 1.4.1 Ensure that the --profiling argument is set to false (Automated)
+[PASS] 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)
== Remediations master ==
1.1.9 Run the below command (based on the file location on your system) on the master node.
@@ -88,73 +87,76 @@ For example, chown etcd:etcd /var/lib/etcd
on the master node and set the below parameter.
--anonymous-auth=false
-1.2.6 Follow the Kubernetes documentation and setup the TLS connection between
+1.2.5 Follow the Kubernetes documentation and setup the TLS connection between
the apiserver and kubelets. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the
--kubelet-certificate-authority parameter to the path to the cert file for the certificate authority.
--kubelet-certificate-authority=<ca-string>
-1.2.10 Follow the Kubernetes documentation and set the desired limits in a configuration file.
+1.2.9 Follow the Kubernetes documentation and set the desired limits in a configuration file.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
and set the below parameters.
--enable-admission-plugins=...,EventRateLimit,...
--admission-control-config-file=<path/to/configuration/file>
-1.2.12 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.11 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins parameter to include
AlwaysPullImages.
--enable-admission-plugins=...,AlwaysPullImages,...
-1.2.13 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.12 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins parameter to include
SecurityContextDeny, unless PodSecurityPolicy is already in place.
--enable-admission-plugins=...,SecurityContextDeny,...
-1.2.16 Follow the documentation and create Pod Security Policy objects as per your environment.
+1.2.15 Follow the documentation and create Pod Security Policy objects as per your environment.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins parameter to a
value that includes PodSecurityPolicy:
--enable-admission-plugins=...,PodSecurityPolicy,...
Then restart the API Server.
-1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.20 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--profiling=false
-1.2.22 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.21 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-path parameter to a suitable path and
file where you would like audit logs to be written, for example:
--audit-log-path=/var/log/apiserver/audit.log
-1.2.23 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.22 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxage parameter to 30 or as an appropriate number of days:
--audit-log-maxage=30
-1.2.24 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.23 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxbackup parameter to 10 or to an appropriate
value.
--audit-log-maxbackup=10
-1.2.25 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.24 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --audit-log-maxsize parameter to an appropriate size in MB.
For example, to set it as 100 MB:
--audit-log-maxsize=100
-1.2.26 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.25 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
and set the below parameter as appropriate and if needed.
For example,
--request-timeout=300s
-1.2.33 Follow the Kubernetes documentation and configure a EncryptionConfig file.
+1.2.32 Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
-1.2.34 Follow the Kubernetes documentation and configure a EncryptionConfig file.
+1.2.33 Follow the Kubernetes documentation and configure a EncryptionConfig file.
In this file, choose aescbc, kms or secretbox as the encryption provider.
-1.2.35 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+1.2.34 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
---tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM
+_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM
+_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM
+_SHA384
1.3.1 Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
@@ -171,20 +173,20 @@ on the master node and set the below parameter.
== Summary master ==
-44 checks PASS
+43 checks PASS
10 checks FAIL
11 checks WARN
0 checks INFO
[INFO] 2 Etcd Node Configuration
[INFO] 2 Etcd Node Configuration Files
-[PASS] 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)
-[PASS] 2.2 Ensure that the --client-cert-auth argument is set to true (Scored)
-[PASS] 2.3 Ensure that the --auto-tls argument is not set to true (Scored)
-[PASS] 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)
-[PASS] 2.5 Ensure that the --peer-client-cert-auth argument is set to true (Scored)
-[PASS] 2.6 Ensure that the --peer-auto-tls argument is not set to true (Scored)
-[PASS] 2.7 Ensure that a unique Certificate Authority is used for etcd (Not Scored)
+[PASS] 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)
+[PASS] 2.2 Ensure that the --client-cert-auth argument is set to true (Automated)
+[PASS] 2.3 Ensure that the --auto-tls argument is not set to true (Automated)
+[PASS] 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)
+[PASS] 2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)
+[PASS] 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)
+[PASS] 2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)
== Summary etcd ==
7 checks PASS
@@ -194,10 +196,10 @@ on the master node and set the below parameter.
[INFO] 3 Control Plane Configuration
[INFO] 3.1 Authentication and Authorization
-[WARN] 3.1.1 Client certificate authentication should not be used for users (Not Scored)
+[WARN] 3.1.1 Client certificate authentication should not be used for users (Manual)
[INFO] 3.2 Logging
-[FAIL] 3.2.1 Ensure that a minimal audit policy is created (Scored)
-[WARN] 3.2.2 Ensure that the audit policy covers key security concerns (Not Scored)
+[WARN] 3.2.1 Ensure that a minimal audit policy is created (Manual)
+[WARN] 3.2.2 Ensure that the audit policy covers key security concerns (Manual)
== Remediations controlplane ==
3.1.1 Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
@@ -211,38 +213,42 @@ minimum.
== Summary controlplane ==
0 checks PASS
-1 checks FAIL
-2 checks WARN
+0 checks FAIL
+3 checks WARN
0 checks INFO
[INFO] 4 Worker Node Security Configuration
[INFO] 4.1 Worker Node Configuration Files
-[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
-[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Scored)
-[PASS] 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
-[PASS] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
-[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
-[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
-[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
-[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
-[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
-[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
+[FAIL] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
+[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
+[PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
+[PASS] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
+[PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)
+[PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)
+[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)
+[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Manual)
+[PASS] 4.1.9 Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive (Automated)
+[PASS] 4.1.10 Ensure that the kubelet --config configuration file ownership is set to root:root (Automated)
[INFO] 4.2 Kubelet
-[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Scored)
-[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
-[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
-[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
-[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
-[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored)
-[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Scored)
-[PASS] 4.2.8 Ensure that the --hostname-override argument is not set (Not Scored)
-[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Not Scored)
-[FAIL] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
-[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Scored)
-[PASS] 4.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
-[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
+[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated)
+[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
+[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Automated)
+[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Manual)
+[PASS] 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)
+[FAIL] 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated)
+[PASS] 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Automated)
+[PASS] 4.2.8 Ensure that the --hostname-override argument is not set (Manual)
+[WARN] 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)
+[WARN] 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)
+[PASS] 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Manual)
+[PASS] 4.2.12 Verify that the RotateKubeletServerCertificate argument is set to true (Manual)
+[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
== Remediations node ==
+4.1.1 Run the below command (based on the file location on your system) on the each worker node.
+For example,
+chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
@@ -274,42 +280,44 @@ systemctl restart kubelet.service
== Summary node ==
-20 checks PASS
+19 checks PASS
2 checks FAIL
-1 checks WARN
+2 checks WARN
0 checks INFO
[INFO] 5 Kubernetes Policies
[INFO] 5.1 RBAC and Service Accounts
-[WARN] 5.1.1 Ensure that the cluster-admin role is only used where required (Not Scored)
-[WARN] 5.1.2 Minimize access to secrets (Not Scored)
-[WARN] 5.1.3 Minimize wildcard use in Roles and ClusterRoles (Not Scored)
-[WARN] 5.1.4 Minimize access to create pods (Not Scored)
-[WARN] 5.1.5 Ensure that default service accounts are not actively used. (Scored)
-[WARN] 5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Not Scored)
+[WARN] 5.1.1 Ensure that the cluster-admin role is only used where required (Manual)
+[WARN] 5.1.2 Minimize access to secrets (Manual)
+[WARN] 5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual)
+[WARN] 5.1.4 Minimize access to create pods (Manual)
+[WARN] 5.1.5 Ensure that default service accounts are not actively used. (Manual)
+[WARN] 5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual)
+[WARN] 5.1.7 Avoid use of system:masters group (Manual)
+[WARN] 5.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)
[INFO] 5.2 Pod Security Policies
-[WARN] 5.2.1 Minimize the admission of privileged containers (Not Scored)
-[WARN] 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Scored)
-[WARN] 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Scored)
-[WARN] 5.2.4 Minimize the admission of containers wishing to share the host network namespace (Scored)
-[WARN] 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Scored)
-[WARN] 5.2.6 Minimize the admission of root containers (Not Scored)
-[WARN] 5.2.7 Minimize the admission of containers with the NET_RAW capability (Not Scored)
-[WARN] 5.2.8 Minimize the admission of containers with added capabilities (Not Scored)
-[WARN] 5.2.9 Minimize the admission of containers with capabilities assigned (Not Scored)
+[WARN] 5.2.1 Minimize the admission of privileged containers (Automated)
+[WARN] 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Automated)
+[WARN] 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Automated)
+[WARN] 5.2.4 Minimize the admission of containers wishing to share the host network namespace (Automated)
+[WARN] 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Automated)
+[WARN] 5.2.6 Minimize the admission of root containers (Automated)
+[WARN] 5.2.7 Minimize the admission of containers with the NET_RAW capability (Automated)
+[WARN] 5.2.8 Minimize the admission of containers with added capabilities (Automated)
+[WARN] 5.2.9 Minimize the admission of containers with capabilities assigned (Manual)
[INFO] 5.3 Network Policies and CNI
-[WARN] 5.3.1 Ensure that the CNI in use supports Network Policies (Not Scored)
-[WARN] 5.3.2 Ensure that all Namespaces have Network Policies defined (Scored)
+[WARN] 5.3.1 Ensure that the CNI in use supports Network Policies (Manual)
+[WARN] 5.3.2 Ensure that all Namespaces have Network Policies defined (Manual)
[INFO] 5.4 Secrets Management
-[WARN] 5.4.1 Prefer using secrets as files over secrets as environment variables (Not Scored)
-[WARN] 5.4.2 Consider external secret storage (Not Scored)
+[WARN] 5.4.1 Prefer using secrets as files over secrets as environment variables (Manual)
+[WARN] 5.4.2 Consider external secret storage (Manual)
[INFO] 5.5 Extensible Admission Control
-[WARN] 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)
+[WARN] 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)
[INFO] 5.7 General Policies
-[WARN] 5.7.1 Create administrative boundaries between resources using namespaces (Not Scored)
-[WARN] 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)
-[WARN] 5.7.3 Apply Security Context to Your Pods and Containers (Not Scored)
-[WARN] 5.7.4 The default namespace should not be used (Scored)
+[WARN] 5.7.1 Create administrative boundaries between resources using namespaces (Manual)
+[WARN] 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)
+[WARN] 5.7.3 Apply Security Context to Your Pods and Containers (Manual)
+[WARN] 5.7.4 The default namespace should not be used (Manual)
== Remediations policies ==
5.1.1 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
@@ -333,6 +341,10 @@ automountServiceAccountToken: false
5.1.6 Modify the definition of pods and service accounts which do not need to mount service
account tokens to disable it.
+5.1.7 Remove the system:masters group from all users in the cluster.
+
+5.1.8 Where possible, remove the impersonate, bind and escalate rights from subjects.
+
5.2.1 Create a PSP as described in the Kubernetes documentation, ensuring that
the .spec.privileged field is omitted or set to false.
@@ -379,26 +391,11 @@ secrets management solution.
5.7.1 Follow the documentation and create namespaces for objects in your deployment as you need
them.
-5.7.2 Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
-would need to enable alpha features in the apiserver by passing "--feature-
-gates=AllAlpha=true" argument.
-Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
-parameter to "--feature-gates=AllAlpha=true"
-KUBE_API_ARGS="--feature-gates=AllAlpha=true"
-Based on your system, restart the kube-apiserver service. For example:
-systemctl restart kube-apiserver.service
-Use annotations to enable the docker/default seccomp profile in your pod definitions. An
-example is as below:
-apiVersion: v1
-kind: Pod
-metadata:
- name: trustworthy-pod
- annotations:
- seccomp.security.alpha.kubernetes.io/pod: docker/default
-spec:
- containers:
- - name: trustworthy-container
- image: sotrustworthy:latest
+5.7.2 Use security context to enable the docker/default seccomp profile in your pod definitions.
+An example is as below:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
5.7.3 Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
@@ -411,11 +408,11 @@ resources and that all new resources are created in a specific namespace.
== Summary policies ==
0 checks PASS
0 checks FAIL
-24 checks WARN
+26 checks WARN
0 checks INFO
== Summary total ==
-71 checks PASS
-13 checks FAIL
-38 checks WARN
+69 checks PASS
+12 checks FAIL
+42 checks WARN
0 checks INFO