From 48e33d33e5fe83e1d775e6a3acea00cba83898c3 Mon Sep 17 00:00:00 2001
From: Murali Paluru <leodotcloud@gmail.com>
Date: Tue, 7 Jan 2020 18:01:07 +0530
Subject: [PATCH] fix mismatching checks, tests (#544)

---
 cfg/cis-1.3/master.yaml              |  8 +++---
 cfg/cis-1.4/master.yaml              | 38 ++++++++++++++--------------
 integration/testdata/job-master.data | 22 ++++++++--------
 integration/testdata/job.data        | 22 ++++++++--------
 4 files changed, 45 insertions(+), 45 deletions(-)

diff --git a/cfg/cis-1.3/master.yaml b/cfg/cis-1.3/master.yaml
index 8dbbe0f..45f64b4 100644
--- a/cfg/cis-1.3/master.yaml
+++ b/cfg/cis-1.3/master.yaml
@@ -1437,7 +1437,7 @@ groups:
         scored: false
 
       - id: 1.7.2
-        text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
+        text: "Do not admit containers wishing to share the host process ID namespace (Scored)"
         type: "manual"
         remediation: |
          [Manual test]
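Review bot: The retitled line at L22 now reads "(Scored)" while the item's own `scored: false` (the context line that opens the next hunk, which is the tail of this same 1.7.2 entry) and `type: "manual"` are unchanged, so the title shown to the user and the scoring actually applied to the result now disagree. Either change the flag to `scored: true` or, if the intent is to keep the benchmark's wording while the check stays manual-only, say so next to the flag with a comment such as `# CIS lists this as Scored; kept scored: false because the check is manual` so the next reader does not "fix" it in either direction. The same text/flag mismatch is introduced for 1.7.3, 1.7.4 and 1.7.5 in this file and for the four matching hunks in cfg/cis-1.4/master.yaml, and the integration fixtures in job-master.data and job.data still expect `[WARN]` for these ids, which appears to reflect the unchanged flag rather than the new title. The 1.7.2 entry's remediation block continues past the end of this hunk.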
@@ -1445,7 +1445,7 @@ groups:
         scored: false
 
       - id: 1.7.3
-        text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
+        text: "Do not admit containers wishing to share the host IPC namespace (Scored)"
         type: "manual"
         remediation: |
           [Manual test]
@@ -1453,7 +1453,7 @@ groups:
         scored: false
 
       - id: 1.7.4
-        text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
+        text: "Do not admit containers wishing to share the host network namespace (Scored)"
         type: "manual"
         remediation: |
           [Manual test]
@@ -1461,7 +1461,7 @@ groups:
         scored: false
 
       - id: 1.7.5
-        text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)"
+        text: "Do not admit containers with allowPrivilegeEscalation (Scored)"
         type: "manual"
         remediation: |
           [Manual test]
diff --git a/cfg/cis-1.4/master.yaml b/cfg/cis-1.4/master.yaml
index af9f954..c206623 100644
--- a/cfg/cis-1.4/master.yaml
+++ b/cfg/cis-1.4/master.yaml
@@ -497,6 +497,21 @@ groups:
         scored: true
 
       - id: 1.1.30
+        text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
+        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
+        tests:
+          test_items:
+            - flag: "--etcd-cafile"
+              set: true
+        remediation: |
+          Follow the Kubernetes documentation and set up the TLS connection between the
+          apiserver and etcd. Then, edit the API server pod specification file
+          $apiserverconf on the master node and set the etcd
+          certificate authority file parameter.
+          --etcd-cafile=<path/to/ca-file>
+        scored: true
+
+      - id: 1.1.31
         text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
         audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
         tests:
@@ -512,21 +527,6 @@ groups:
           --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
         scored: false
 
-      - id: 1.1.31
-        text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
-        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
-        tests:
-          test_items:
-            - flag: "--etcd-cafile"
-              set: true
-        remediation: |
-          Follow the Kubernetes documentation and set up the TLS connection between the
-          apiserver and etcd. Then, edit the API server pod specification file
-          $apiserverconf on the master node and set the etcd
-          certificate authority file parameter.
-          --etcd-cafile=<path/to/ca-file>
-        scored: true
-
       - id: 1.1.32
         text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
         audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
@@ -1501,7 +1501,7 @@ groups:
         scored: false
 
       - id: 1.7.2
-        text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
+        text: "Do not admit containers wishing to share the host process ID namespace (Scored)"
         type: "manual"
         remediation: |
          [Manual test]
@@ -1509,7 +1509,7 @@ groups:
         scored: false
 
       - id: 1.7.3
-        text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
+        text: "Do not admit containers wishing to share the host IPC namespace (Scored)"
         type: "manual"
         remediation: |
           [Manual test]
@@ -1517,7 +1517,7 @@ groups:
         scored: false
 
       - id: 1.7.4
-        text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
+        text: "Do not admit containers wishing to share the host network namespace (Scored)"
         type: "manual"
         remediation: |
           [Manual test]
@@ -1525,7 +1525,7 @@ groups:
         scored: false
 
       - id: 1.7.5
-        text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"
+        text: " Do not admit containers with allowPrivilegeEscalation (Scored)"
         type: "manual"
         remediation: |
           [Manual test]
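Review bot: The rewritten text at L133 keeps the stray leading space inside the quoted string (`" Do not admit containers with allowPrivilegeEscalation (Scored)"`), which differs from the cis-1.3 wording of the same item (no leading space) and is what produces the double-spaced `1.7.5  Do not admit` line in both updated fixture files. Since this line is already being changed, drop the space here: `text: "Do not admit containers with allowPrivilegeEscalation (Scored)"`, and regenerate the corresponding fixture lines so the two benchmark versions render the same title. The entry's remediation block continues past the end of this hunk.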
diff --git a/integration/testdata/job-master.data b/integration/testdata/job-master.data
index 24939bd..94b4742 100644
--- a/integration/testdata/job-master.data
+++ b/integration/testdata/job-master.data
@@ -29,8 +29,8 @@
 [PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
 [FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
 [FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
-[WARN] 1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
-[FAIL] 1.1.31 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
+[FAIL] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
+[WARN] 1.1.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
 [FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
 [FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
 [FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
@@ -92,10 +92,10 @@
 [WARN] 1.6.8 Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)
 [INFO] 1.7 PodSecurityPolicies
 [WARN] 1.7.1 Do not admit privileged containers (Not Scored)
-[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Not Scored)
-[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Not Scored)
-[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Not Scored)
-[WARN] 1.7.5  Do not admit containers with allowPrivilegeEscalation (Not Scored)
+[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Scored)
+[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Scored)
+[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Scored)
+[WARN] 1.7.5  Do not admit containers with allowPrivilegeEscalation (Scored)
 [WARN] 1.7.6 Do not admit root containers (Not Scored)
 [WARN] 1.7.7 Do not admit containers with dangerous capabilities (Not Scored)
 
@@ -194,16 +194,16 @@ Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-
 on the master node and set the client certificate authority file.
 --client-ca-file=<path/to/client-ca-file>
 
-1.1.30 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
-
-1.1.31 Follow the Kubernetes documentation and set up the TLS connection between the
+1.1.30 Follow the Kubernetes documentation and set up the TLS connection between the
 apiserver and etcd. Then, edit the API server pod specification file
 /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
 certificate authority file parameter.
 --etcd-cafile=<path/to/ca-file>
 
+1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+on the master node and set the below parameter.
+--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+
 1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the --authorization-mode parameter to a
 value that includes Node.
diff --git a/integration/testdata/job.data b/integration/testdata/job.data
index df7eea8..1244a50 100644
--- a/integration/testdata/job.data
+++ b/integration/testdata/job.data
@@ -29,8 +29,8 @@
 [PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
 [FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
 [FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
-[WARN] 1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
-[FAIL] 1.1.31 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
+[FAIL] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
+[WARN] 1.1.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
 [FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
 [FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
 [FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
@@ -92,10 +92,10 @@
 [WARN] 1.6.8 Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)
 [INFO] 1.7 PodSecurityPolicies
 [WARN] 1.7.1 Do not admit privileged containers (Not Scored)
-[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Not Scored)
-[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Not Scored)
-[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Not Scored)
-[WARN] 1.7.5  Do not admit containers with allowPrivilegeEscalation (Not Scored)
+[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Scored)
+[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Scored)
+[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Scored)
+[WARN] 1.7.5  Do not admit containers with allowPrivilegeEscalation (Scored)
 [WARN] 1.7.6 Do not admit root containers (Not Scored)
 [WARN] 1.7.7 Do not admit containers with dangerous capabilities (Not Scored)
 
@@ -194,16 +194,16 @@ Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-
 on the master node and set the client certificate authority file.
 --client-ca-file=<path/to/client-ca-file>
 
-1.1.30 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
-on the master node and set the below parameter.
---tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
-
-1.1.31 Follow the Kubernetes documentation and set up the TLS connection between the
+1.1.30 Follow the Kubernetes documentation and set up the TLS connection between the
 apiserver and etcd. Then, edit the API server pod specification file
 /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
 certificate authority file parameter.
 --etcd-cafile=<path/to/ca-file>
 
+1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+on the master node and set the below parameter.
+--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
+
 1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
 on the master node and set the --authorization-mode parameter to a
 value that includes Node.
-- 
GitLab