diff --git a/cfg/1.11-json/node.yaml b/cfg/1.11-json/node.yaml
index 68d8e2de89515c67664ed06a18c7b79c5d232172..3d1e7812c9ece489fa781b6580f5ba2995d667fe 100644
--- a/cfg/1.11-json/node.yaml
+++ b/cfg/1.11-json/node.yaml
@@ -462,8 +462,9 @@ groups:
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
diff --git a/cfg/1.11/master.yaml b/cfg/1.11/master.yaml
index 9d905ac6768ecbd513cf060a2db2540b55a0ba6b..b5922954d88dd02deec9e5f2cb6ae6c91871053a 100644
--- a/cfg/1.11/master.yaml
+++ b/cfg/1.11/master.yaml
@@ -579,6 +579,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider.
For example,
@@ -1001,8 +1002,9 @@ groups:
text: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 <path/to/cni/files>
@@ -1012,8 +1014,9 @@ groups:
text: "Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)"
audit: "stat -c %U:%G <path/to/cni/files>"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root <path/to/cni/files>
@@ -1297,6 +1300,7 @@ groups:
- flag: "--trusted-ca-file"
set: true
remediation: |
+ [Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
@@ -1311,6 +1315,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name]
scored: false
@@ -1319,6 +1324,7 @@ groups:
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the documentation and create namespaces for objects in your deployment as you
need them.
scored: false
@@ -1327,6 +1333,7 @@ groups:
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
@@ -1335,6 +1342,7 @@ groups:
definitions (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
@@ -1361,6 +1369,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
@@ -1370,6 +1379,7 @@ groups:
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored: false
@@ -1377,6 +1387,7 @@ groups:
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic:
@@ -1393,6 +1404,7 @@ groups:
privileged containers usage (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false
@@ -1403,6 +1415,7 @@ groups:
text: "Do not admit privileged containers (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
scored: false
@@ -1410,6 +1423,7 @@ groups:
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
scored: false
@@ -1417,6 +1431,7 @@ groups:
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
scored: false
@@ -1424,6 +1439,7 @@ groups:
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
scored: false
@@ -1431,6 +1447,7 @@ groups:
text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
scored: false
@@ -1438,6 +1455,7 @@ groups:
text: "Do not admit root containers (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
scored: false
@@ -1445,5 +1463,6 @@ groups:
text: "Do not admit containers with dangerous capabilities (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false
diff --git a/cfg/1.11/node.yaml b/cfg/1.11/node.yaml
index 96098d1d3dec9dfb7cb96fb35876ba8a72c4414a..9ddbdaa83fd42f0240a453403de1b621d4e3e080 100644
--- a/cfg/1.11/node.yaml
+++ b/cfg/1.11/node.yaml
@@ -451,8 +451,9 @@ groups:
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
diff --git a/cfg/1.13-json/node.yaml b/cfg/1.13-json/node.yaml
index 3b34190d7a949be13e1a3bc65a3a2f25fb94c4a6..e3d47574eb60d142d231ed51319ef5863a1513dc 100644
--- a/cfg/1.13-json/node.yaml
+++ b/cfg/1.13-json/node.yaml
@@ -231,7 +231,7 @@ groups:
# To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file.
audit: "ps -fC $kubeletbin"
- type: skip
+ type: "skip"
tests:
bin_op: or
test_items:
@@ -444,8 +444,9 @@ groups:
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
diff --git a/cfg/1.13/master.yaml b/cfg/1.13/master.yaml
index 46480d9bf47c144d230aa62b5555db02d5bc2a2f..3402aa8a935eec43dfea397309cad274e82f1f39 100644
--- a/cfg/1.13/master.yaml
+++ b/cfg/1.13/master.yaml
@@ -188,7 +188,7 @@ groups:
- id: 1.1.12
text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep"
- type: skip
+ type: "skip"
tests:
test_items:
- flag: "--enable-admission-plugins"
@@ -571,6 +571,7 @@ groups:
- flag: "--encryption-provider-config"
set: true
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file $apiserverconf on the
master node and set the --encryption-provider-config parameter
@@ -583,6 +584,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider.
For example,
@@ -1003,8 +1005,9 @@ groups:
text: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 <path/to/cni/files>
@@ -1014,8 +1017,9 @@ groups:
text: "Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)"
audit: "stat -c %U:%G <path/to/cni/files>"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root <path/to/cni/files>
@@ -1194,6 +1198,7 @@ groups:
value: "root root"
set: true
remediation: |
+ [Manual test]
Run the below command (based on the file location on your system) on the master node.
For example, chown -R root:root /etc/kubernetes/pki/
scored: true
@@ -1221,6 +1226,7 @@ groups:
value: "600"
set: true
remediation: |
+ [Manual test]
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
scored: true
@@ -1237,6 +1243,7 @@ groups:
value: "600"
set: true
remediation: |
+ [Manual test]
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 600 /etc/kubernetes/pki/*.key
scored: true
@@ -1358,6 +1365,7 @@ groups:
- flag: "--trusted-ca-file"
set: true
remediation: |
+ [Manual test]
Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service.
Then, edit the etcd pod specification file $etcdconf on the
@@ -1372,6 +1380,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name]
scored: false
@@ -1380,6 +1389,7 @@ groups:
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the documentation and create namespaces for objects in your deployment as you
need them.
scored: false
@@ -1388,6 +1398,7 @@ groups:
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
@@ -1396,6 +1407,7 @@ groups:
definitions (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
@@ -1422,6 +1434,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
@@ -1431,6 +1444,7 @@ groups:
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored: false
@@ -1438,6 +1452,7 @@ groups:
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic:
@@ -1454,6 +1469,7 @@ groups:
privileged containers usage (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false
@@ -1464,6 +1480,7 @@ groups:
text: "Do not admit privileged containers (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.privileged field is omitted or set to false.
scored: false
@@ -1471,6 +1488,7 @@ groups:
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostPID field is omitted or set to false.
scored: false
@@ -1478,6 +1496,7 @@ groups:
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.
scored: false
@@ -1485,6 +1504,7 @@ groups:
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostNetwork field is omitted or set to false.
scored: false
@@ -1492,6 +1512,7 @@ groups:
text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.allowPrivilegeEscalation field is omitted or set to false.
scored: false
@@ -1499,6 +1520,7 @@ groups:
text: "Do not admit root containers (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0.
scored: false
@@ -1506,5 +1528,6 @@ groups:
text: "Do not admit containers with dangerous capabilities (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Create a PSP as described in the Kubernetes documentation, ensuring that the .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false
diff --git a/cfg/1.13/node.yaml b/cfg/1.13/node.yaml
index cb288e5ce61a55153078853bc0b0c06a43f6f9ce..7939041c42ddfd7755f8d2b482868ccb7d1d0324 100644
--- a/cfg/1.13/node.yaml
+++ b/cfg/1.13/node.yaml
@@ -225,7 +225,7 @@ groups:
- id: 2.1.11
text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
audit: "ps -fC $kubeletbin"
- type: skip
+ type: "skip"
tests:
bin_op: or
test_items:
@@ -433,8 +433,9 @@ groups:
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
diff --git a/cfg/1.6/master.yaml b/cfg/1.6/master.yaml
index 1db170faedd0e18124ea8e4a6627f4f566573f21..469c41353c07dbf8a2f720976c0f4a1190e05a36 100644
--- a/cfg/1.6/master.yaml
+++ b/cfg/1.6/master.yaml
@@ -909,58 +909,73 @@ groups:
- id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
- remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
+ remediation: |
+ [Manual test]
+ Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
scored: false
- id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual"
- remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
- Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
- suggested Pod Security Policies for your environment."
+ remediation: |
+ [Manual test]
+ Follow the documentation and create and enforce Pod Security Policies for your cluster.
+ Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
+ suggested Pod Security Policies for your environment.
scored: false
- id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
- remediation: "Follow the documentation and create namespaces for objects in your deployment as you
- need them."
+ remediation: |
+ [Manual test]
+ Follow the documentation and create namespaces for objects in your deployment as you need them.
scored: false
- id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
- remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
+ remediation: |
+ [Manual test]
+ Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
- id: 1.6.5
text: "Avoid using Kubernetes Secrets (Not Scored)"
type: "manual"
- remediation: "Use other mechanisms such as vaults to manage your cluster secrets."
+ remediation: |
+ [Manual test]
+ Use other mechanisms such as vaults to manage your cluster secrets.
scored: false
- id: 1.6.6
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual"
- remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
- would need to enable alpha features in the apiserver by passing \"--feature-
- gates=AllAlpha=true\" argument.\n
- Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
- parameter to \"--feature-gates=AllAlpha=true\"
- KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
+ remediation: |
+ [Manual test]
+ Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
+ would need to enable alpha features in the apiserver by passing "--feature-
+ gates=AllAlpha=true" argument.
+ Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
+ parameter to "--feature-gates=AllAlpha=true"
+ KUBE_API_ARGS="--feature-gates=AllAlpha=true"
scored: false
- id: 1.6.7
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
- remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
- suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
- Containers."
+ remediation: |
+ [Manual test]
+ Follow the Kubernetes documentation and apply security contexts to your pods. For a
+ suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
+ Containers.
scored: false
- id: 1.6.8
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
- remediation: "Follow the Kubernetes documentation and setup image provenance."
+ remediation: |
+ [Manual test]
+ Follow the Kubernetes documentation and setup image provenance.
scored: false
diff --git a/cfg/1.7/master.yaml b/cfg/1.7/master.yaml
index fa35e39afb21b809b41b703cd5d792fd584abfdb..950b6b124df13941d83a5056bb8dc27369c6e4d1 100644
--- a/cfg/1.7/master.yaml
+++ b/cfg/1.7/master.yaml
@@ -484,8 +484,10 @@ groups:
text: "Ensure that the encryption provider is set to aescbc (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
- remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
- choose aescbc as the encryption provider"
+ remediation: |
+ [Manual test]
+ Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
+ choose aescbc as the encryption provider
scored: true
- id: 1.2
@@ -572,9 +574,11 @@ groups:
- id: 1.3.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
- remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
- KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
- \"--feature-gates=RotateKubeletServerCertificate=true\""
+ remediation: |
+ [Manual test]
+ Edit the /etc/kubernetes/controller-manager file on the master node and set the
+ KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
+ "--feature-gates=RotateKubeletServerCertificate=true"
scored: false
- id: 1.3.7
@@ -971,58 +975,73 @@ groups:
- id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
- remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
+ remediation: |
+ [Manual test]
+ Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]
scored: false
- id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual"
- remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
- Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
- suggested Pod Security Policies for your environment."
+ remediation: |
+ [Manual test]
+ Follow the documentation and create and enforce Pod Security Policies for your cluster.
+ Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
+ suggested Pod Security Policies for your environment.
scored: false
- id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
- remediation: "Follow the documentation and create namespaces for objects in your deployment as you
- need them."
+ remediation: |
+ [Manual test]
+ Follow the documentation and create namespaces for objects in your deployment as you need them.
scored: false
- id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
- remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
+ remediation: |
+ [Manual test]
+ Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
- id: 1.6.5
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual"
- remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
- would need to enable alpha features in the apiserver by passing \"--feature-
- gates=AllAlpha=true\" argument.\n
- Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
- parameter to \"--feature-gates=AllAlpha=true\"
- KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
+ remediation: |
+ [Manual test]
+ Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
+ would need to enable alpha features in the apiserver by passing "--feature-
+ gates=AllAlpha=true" argument.
+ Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
+ parameter to "--feature-gates=AllAlpha=true"
+ KUBE_API_ARGS="--feature-gates=AllAlpha=true"
scored: false
- id: 1.6.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
- remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
- suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
- Containers."
+ remediation: |
+ [Manual test]
+ Follow the Kubernetes documentation and apply security contexts to your pods. For a
+ suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
+ Containers.
scored: false
- id: 1.6.7
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
- remediation: "Follow the Kubernetes documentation and setup image provenance."
+ remediation: |
+ [Manual test]
+ Follow the Kubernetes documentation and setup image provenance.
scored: false
- id: 1.6.8
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
- remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
+ remediation: |
+ [Manual test]
+ Follow the Kubernetes documentation and setup network policies as appropriate.
scored: false
diff --git a/cfg/1.8/master.yaml b/cfg/1.8/master.yaml
index f52ed9686a70b1a468ffd5e35e0766c4d2dc7db6..d506a75217a8fc5f5f3948a1e3df89831a7e334f 100644
--- a/cfg/1.8/master.yaml
+++ b/cfg/1.8/master.yaml
@@ -559,6 +559,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider.
For example,
@@ -597,6 +598,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and set the desired audit policy in the
/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf
and set the below parameters.
@@ -608,6 +610,7 @@ groups:
audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
+ [Manual test]
Edit the API server pod specification file $apiserverconf
and set the below parameter as appropriate and if needed. For example,
--request-timeout=300s
@@ -713,6 +716,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
@@ -922,8 +926,9 @@ groups:
text: "Ensure that the Container Network Interface file permissions are
set to 644 or more restrictive (Not Scored)"
audit: "stat -c %a <path/to/cni/files>"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chmod 644 <path/to/cni/files>
@@ -933,8 +938,9 @@ groups:
text: "Ensure that the Container Network Interface file ownership is set
to root:root (Not Scored)"
audit: "stat -c %U:%G <path/to/cni/files>"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
Run the below command (based on the file location on your system) on the master node.
For example,
chown root:root <path/to/cni/files>
@@ -1263,6 +1269,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Remove any unneeded clusterrolebindings :
kubectl delete clusterrolebinding [name]
scored: false
@@ -1271,6 +1278,7 @@ groups:
text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the "CIS Security Benchmark for Docker" and follow the
suggested Pod Security Policies for your environment.
@@ -1280,6 +1288,7 @@ groups:
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the documentation and create namespaces for objects in your deployment as you
need them.
scored: false
@@ -1288,6 +1297,7 @@ groups:
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false
@@ -1296,6 +1306,7 @@ groups:
definitions (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
@@ -1322,6 +1333,7 @@ groups:
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
@@ -1331,6 +1343,7 @@ groups:
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and setup image provenance.
scored: false
@@ -1338,6 +1351,7 @@ groups:
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow the Kubernetes documentation and setup network policies as appropriate.
For example, you could create a "default" isolation policy for a Namespace by creating a
NetworkPolicy that selects all pods but does not allow any traffic:
@@ -1354,5 +1368,6 @@ groups:
privileged containers usage (Not Scored)"
type: "manual"
remediation: |
+ [Manual test]
Follow Kubernetes documentation and setup PSP and RBAC authorization for your cluster.
scored: false
diff --git a/cfg/1.8/node.yaml b/cfg/1.8/node.yaml
index 7740d72dae96c916dd49aa4a32508d0014cb378a..3dd01be9377ce2de1ef921c2e6c66ba208626812 100644
--- a/cfg/1.8/node.yaml
+++ b/cfg/1.8/node.yaml
@@ -423,8 +423,9 @@ groups:
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
scored: true
diff --git a/cfg/ocp-3.10/master.yaml b/cfg/ocp-3.10/master.yaml
index ed35fcdb922d12522f1503645df7699f793d0707..a67ccb69b6591b10d490c35b99838ec49b16da4b 100644
--- a/cfg/ocp-3.10/master.yaml
+++ b/cfg/ocp-3.10/master.yaml
@@ -410,7 +410,7 @@ groups:
- id: 1.23
text: "Verify that the service account lookup flag is not set"
- type: skip
+ type: "skip"
scored: true
- id: 1.24
@@ -675,8 +675,9 @@ groups:
- id: 1.37
text: "Adjust the request timeout argument for your cluster resources"
audit: "grep request-timeout /etc/origin/master/master-config.yaml"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
change the request-timeout value in the  /etc/origin/master/master-config.yaml
scored: true
@@ -1313,6 +1314,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required"
type: "manual"
remediation: |
+ [Manual test]
Review users, groups, serviceaccounts bound to cluster-admin:
oc get clusterrolebindings | grep cluster-admin
@@ -1324,6 +1326,7 @@ groups:
text: "Verify Security Context Constraints as in use"
type: "manual"
remediation: |
+ [Manual test]
Review Security Context Constraints:
oc get scc
@@ -1341,6 +1344,7 @@ groups:
text: "Use OpenShift projects to maintain boundaries between resources"
type: "manual"
remediation: |
+ [Manual test]
Review projects:
oc get projects
scored: false
@@ -1349,6 +1353,7 @@ groups:
text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
type: "manual"
remediation: |
+ [Manual test]
Verify on masters the plugin being used:
grep networkPluginName /etc/origin/master/master-config.yaml
@@ -1372,6 +1377,7 @@ groups:
text: "Enable seccomp and configure custom Security Context Constraints"
type: "manual"
remediation: |
+ [Manual test]
Verify SCCs that have been configured with seccomp:
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
@@ -1386,6 +1392,7 @@ groups:
text: "Review Security Context Constraints"
type: "manual"
remediation: |
+ [Manual test]
Review SCCs:
oc describe scc
@@ -1410,6 +1417,7 @@ groups:
text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
type: "manual"
remediation: |
+ [Manual test]
Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
scored: false
@@ -1417,6 +1425,7 @@ groups:
text: "Configure Network policies as appropriate"
type: "manual"
remediation: |
+ [Manual test]
If ovs-networkplugin is used, review network policies:
oc get networkpolicies
@@ -1429,6 +1438,7 @@ groups:
text: "Use Security Context Constraints as compensating controls for privileged containers"
type: "manual"
remediation: |
+ [Manual test]
1) Determine all sccs allowing privileged containers:
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
2) Review users and groups assigned to sccs allowing priviliged containers:
diff --git a/cfg/ocp-3.11/master.yaml b/cfg/ocp-3.11/master.yaml
index ed35fcdb922d12522f1503645df7699f793d0707..a67ccb69b6591b10d490c35b99838ec49b16da4b 100644
--- a/cfg/ocp-3.11/master.yaml
+++ b/cfg/ocp-3.11/master.yaml
@@ -410,7 +410,7 @@ groups:
- id: 1.23
text: "Verify that the service account lookup flag is not set"
- type: skip
+ type: "skip"
scored: true
- id: 1.24
@@ -675,8 +675,9 @@ groups:
- id: 1.37
text: "Adjust the request timeout argument for your cluster resources"
audit: "grep request-timeout /etc/origin/master/master-config.yaml"
- type: manual
+ type: "manual"
remediation: |
+ [Manual test]
change the request-timeout value in the  /etc/origin/master/master-config.yaml
scored: true
@@ -1313,6 +1314,7 @@ groups:
text: "Ensure that the cluster-admin role is only used where required"
type: "manual"
remediation: |
+ [Manual test]
Review users, groups, serviceaccounts bound to cluster-admin:
oc get clusterrolebindings | grep cluster-admin
@@ -1324,6 +1326,7 @@ groups:
text: "Verify Security Context Constraints as in use"
type: "manual"
remediation: |
+ [Manual test]
Review Security Context Constraints:
oc get scc
@@ -1341,6 +1344,7 @@ groups:
text: "Use OpenShift projects to maintain boundaries between resources"
type: "manual"
remediation: |
+ [Manual test]
Review projects:
oc get projects
scored: false
@@ -1349,6 +1353,7 @@ groups:
text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
type: "manual"
remediation: |
+ [Manual test]
Verify on masters the plugin being used:
grep networkPluginName /etc/origin/master/master-config.yaml
@@ -1372,6 +1377,7 @@ groups:
text: "Enable seccomp and configure custom Security Context Constraints"
type: "manual"
remediation: |
+ [Manual test]
Verify SCCs that have been configured with seccomp:
oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
@@ -1386,6 +1392,7 @@ groups:
text: "Review Security Context Constraints"
type: "manual"
remediation: |
+ [Manual test]
Review SCCs:
oc describe scc
@@ -1410,6 +1417,7 @@ groups:
text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
type: "manual"
remediation: |
+ [Manual test]
Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
scored: false
@@ -1417,6 +1425,7 @@ groups:
text: "Configure Network policies as appropriate"
type: "manual"
remediation: |
+ [Manual test]
If ovs-networkplugin is used, review network policies:
oc get networkpolicies
@@ -1429,6 +1438,7 @@ groups:
text: "Use Security Context Constraints as compensating controls for privileged containers"
type: "manual"
remediation: |
+ [Manual test]
1) Determine all sccs allowing privileged containers:
oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
2) Review users and groups assigned to sccs allowing priviliged containers: