diff --git a/cfg/ocp-3.10/master.yaml b/cfg/ocp-3.10/master.yaml
index 3cb07bfe0d40da43531f3a10c099ec7d861a28d6..ed35fcdb922d12522f1503645df7699f793d0707 100644
--- a/cfg/ocp-3.10/master.yaml
+++ b/cfg/ocp-3.10/master.yaml
@@ -1,1500 +1,1454 @@
----
-controls:
-version: 1.6
-id: 1
-text: "Master Node Security Configuration"
-type: "master"
-groups:
-- id: 1.1
-  text: "API Server"
-  checks:
-  - id: 1.1.1
-    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 1.1.2
-    text: "Ensure that the --basic-auth-file argument is not set (Scored)"
-    audit: "grep -A2 basic-auth-file /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "--basic-auth-file"
-        compare:
-          op: eq
-          value: ""
-        set: false
-    remediation: |
-      Edit the kubernetes master config file /etc/origin/master/master-config.yaml and
-      remove the basic-auth-file entry.
-
-      kubernetesMasterConfig:
-        apiServerArguments:
-           basic-auth-file:
-             - /path/to/any/file
-    scored: true
-
-  - id: 1.1.3
-    text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 1.1.4
-    text: "Ensure that the --kubelet-https argument is set to true (Scored)"
-    audit: "grep -A4 kubeletClientInfo /etc/origin/master/master-config.yaml"
-    tests:
-      bin_op: and
-      test_items:
-      - flag: "kubeletClientInfo:"
-        compare:
-          op: eq
-          value: "kubeletClientInfo:"
-        set: true
-      - flag: "ca: ca-bundle.crt"
-        compare:
-          op: has
-          value: "ca-bundle.crt"
-        set: true
-      - flag: "certFile: master.kubelet-client.crt"
-        compare:
-          op: has
-          value: "master.kubelet-client.crt"
-        set: true
-      - flag: "keyFile: master.kubelet-client.key"
-        compare:
-          op: has
-          value: "master.kubelet-client.key"
-        set: true
-      - flag: "port: 10250"
-        compare:
-          op: eq
-          value: "port: 10250"
-        set: true
-    remediation: |
-      Edit the kubernetes master config file /etc/origin/master/master-config.yaml
-      and change it to match the below.
-
-      kubeletClientInfo:
-        ca: ca-bundle.crt
-        certFile: master.kubelet-client.crt
-        keyFile: master.kubelet-client.key
-        port: 10250
-    scored: true
-
-  - id: 1.1.5
-    text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
-    audit: "grep -A2 insecure-bind-address /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "insecure-bind-address"
-        set: false
-    remediation: |
-      Edit the kubernetes master config file /etc/origin/master/master-config.yaml
-      and remove the insecure-bind-address entry.
-
-      kubernetesMasterConfig:
-        apiServerArguments:
-           insecure-bind-address:
-           - 127.0.0.1
-    scored: true
-
-  - id: 1.1.6
-    text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
-    audit: "grep -A2 insecure-port /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "insecure-port"
-        set: false
-    remediation: |
-     Edit the kubernetes master config file /etc/origin/master/master-config.yaml
-     and remove the insecure-port entry.
-
-     kubernetesMasterConfig:
-       apiServerArguments:
-         insecure-port:
-         - 0
-    scored: true
-
-  - id: 1.1.7
-    text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
-    audit: "grep -A2 secure-port /etc/origin/master/master-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "secure-port"
-        set: false
-      - flag: "secure-port"
-        compare:
-          op: nothave
-          value: "0"
-        set: true
-    remediation: |
-     Edit the kubernetes master config file /etc/origin/master/master-config.yaml
-     and either remove the secure-port parameter or set it to a different (non-zero)
-     desired port.
-
-     kubernetesMasterConfig:
-       apiServerArguments:
-         secure-port:
-         - 8443
-    scored: true
-
-  - id: 1.1.8
-    text: "Ensure that the --profiling argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 1.1.9
-    text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
-    audit: "grep -A2 repair-malformed-updates /etc/origin/master/master-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "repair-malformed-updates"
-        set: false
-      - flag: "repair-malformed-updates"
-        compare:
-          op: has
-          value: "true"
-        set: true
-    remediation: |
-     Edit the kubernetes master config file /etc/origin/master/master-config.yaml
-     and remove the repair-malformed-updates entry or set repair-malformed-updates=true.
-    scored: true
-
-  - id: 1.1.10
-    text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)"
-    audit: "grep -A4 AlwaysAdmit /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "AlwaysAdmit"
-        set: false
-    remediation: |
-      Edit the kubernetes master config file /etc/origin/master/master-config.yaml
-      and remove the the entry below.
-
-      AlwaysAdmit:
-        configuration:
-          kind: DefaultAdmissionConfig
-          apiVersion: v1
-          disable: false
-    scored: true
-
-  - id: 1.1.11
-    text: "Ensure that the admission control plugin AlwaysPullImages is set (Scored)"
-    audit: "grep -A4 AlwaysPullImages /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "disable: false"
-        compare:
-          op: has
-          value: "false"
-        set: true
-    remediation: |
-      Edit the kubernetes master config file /etc/origin/master/master-config.yaml
-      and add the the entry below.
-
-      admissionConfig:
-        pluginConfig:
-          AlwaysPullImages:
-            configuration:
-              kind: DefaultAdmissionConfig
-              apiVersion: v1
-              disable: false
-    scored: true
-
-  - id: 1.1.12
-    text: "Ensure that the admission control plugin DenyEscalatingExec is set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 1.1.13
-    text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 1.1.14
-    text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
-    audit: "grep -A4 NamespaceLifecycle /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "NamespaceLifecycle"
-        set: false
-    remediation: |
-      Edit the kubernetes master config file /etc/origin/master/master-config.yaml
-      and remove the following entry.
-
-      NamespaceLifecycle: 
-        configuration:
-          kind: DefaultAdmissionConfig
-          apiVersion: v1
-          disable: true
-    scored: true
-
-  - id: 1.1.15
-    text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
-    audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "enabled: true"
-        compare:
-          op: has
-          value: "true"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the following entry and restart the API server.
-
-      auditConfig:
-        auditFilePath: "/var/log/audit-ocp.log"
-        enabled: true
-        maximumFileRetentionDays: 10
-        maximumFileSizeMegabytes: 100
-        maximumRetainedFiles: 10
-
-      Make the same changes in the inventory/ansible variables so the changes are not
-      lost when an upgrade occurs.
-    scored: true
-
-  - id: 1.1.16
-    text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
-    audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "maximumFileRetentionDays: 10"
-        compare:
-          op: has
-          value: "maximumFileRetentionDays"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml,
-      update the maximumFileRetentionDays entry and restart the API server.
-
-      auditConfig:
-        auditFilePath: "/var/log/audit-ocp.log"
-        enabled: true
-        maximumFileRetentionDays: 10
-        maximumFileSizeMegabytes: 100
-        maximumRetainedFiles: 10
-
-      Make the same changes in the inventory/ansible variables so the changes are not
-      lost when an upgrade occurs.
-    scored: true
-
-  - id: 1.1.17
-    text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
-    audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "maximumRetainedFiles: 10"
-        compare:
-          op: has
-          value: "maximumRetainedFiles"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumRetainedFiles entry,
-      set enabled to true and restart the API server.
-
-      auditConfig:
-        auditFilePath: "/var/log/audit-ocp.log"
-        enabled: true
-        maximumFileRetentionDays: 10
-        maximumFileSizeMegabytes: 100
-        maximumRetainedFiles: 10
-
-      Make the same changes in the inventory/ansible variables so the changes are not
-      lost when an upgrade occurs.
-    scored: true
-
-  - id: 1.1.18
-    text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
-    audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "maximumFileSizeMegabytes: 100"
-        compare:
-          op: has
-          value: "maximumFileSizeMegabytes"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumFileSizeMegabytes entry,
-      set enabled to true and restart the API server.
-
-      auditConfig:
-        auditFilePath: "/var/log/audit-ocp.log"
-        enabled: true
-        maximumFileRetentionDays: 10
-        maximumFileSizeMegabytes: 100
-        maximumRetainedFiles: 10
-
-      Make the same changes in the inventory/ansible variables so the changes are not
-      lost when an upgrade occurs.
-    scored: true
-
-  - id: 1.1.19
-    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
-    audit: "grep -A1 authorization-mode /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "authorization-mode"
-        set: false
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the authorization-mode
-      entry.
-
-      kubernetesMasterConfig:
-        apiServerArguments:
-           authorization-mode:
-             - AllowAll
-    scored: true
-
-  - id: 1.1.20
-    text: "Ensure that the --token-auth-file parameter is not set (Scored)"
-    audit: "grep token-auth-file /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "token-auth-file"
-        set: false
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the token-auth-file
-      entry under apiserverArguments section.
-
-      kubernetesMasterConfig:
-        apiServerArguments:
-           token-auth-file:
-             - /path/to/file
-    scored: true
-
-  - id: 1.1.21
-    text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
-    audit: "grep -A1 kubelet-certificate-authority /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "kubelet-certificate-authority"
-        set: false
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the following
-      configuration under apiserverArguments section.
-
-      kubernetesMasterConfig:
-        apiServerArguments:
-           kubelet-certificat-authority:
-             - /path/to/ca
-    scored: true
-
-  - id: 1.1.22
-    text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
-    audit: "grep -A4 kubeletClientInfo /etc/origin/master/master-config.yaml"
-    tests:
-      bin_op: and
-      test_items:
-      - flag: "keyFile: master.kubelet-client.key"
-        compare:
-          op: has
-          value: "keyFile: master.kubelet-client.key"
-        set: true
-      - flag: "certFile: master.kubelet-client.crt"
-        compare:
-          op: has
-          value: "certFile: master.kubelet-client.crt"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following
-      configuration under kubeletClientInfo
-
-      kubeletClientInfo:
-        ca: ca-bundle.crt
-        certFile: master.kubelet-client.crt
-        keyFile: master.kubelet-client.key
-        port: 10250
-    scored: true
-
-  - id: 1.1.23
-    text: "Ensure that the --service-account-lookup argument is set to true"
-    type: skip
-    scored: true
-
-  - id: 1.1.24
-    text: "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 1.1.25
-    text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
-    audit: "grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml"
-    tests:
-      bin_op: and
-      test_items:
-      - flag: "privateKeyFile: serviceaccounts.private.key"
-        compare:
-          op: has
-          value: "privateKeyFile: serviceaccounts.private.key"
-        set: true
-      - flag: "serviceaccounts.public.key"
-        compare:
-          op: has
-          value: "serviceaccounts.public.key"
-        set: true
-    remediation: |
-      OpenShift API server does not use the service-account-key-file argument. 
-      Even if value is set in master-config.yaml, it will not be used to verify 
-      service account tokens, as it is in upstream Kubernetes. The ServiceAccount 
-      token authenticator is configured with serviceAccountConfig.publicKeyFiles in 
-      the master-config.yaml. OpenShift does not reuse the apiserver TLS key.
-
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set the privateKeyFile 
-      and publicKeyFile configuration under serviceAccountConfig.
-
-        serviceAccountConfig:
-          limitSecretReferences: false
-          managedNames:
-            - default
-            - builder
-            - deployer
-          masterCA: ca-bundle.crt
-          privateKeyFile: serviceaccounts.private.key
-          publicKeyFiles:
-            - serviceaccounts.public.key
-
-      Verify that privateKeyFile and publicKeyFile exist and set.
-    scored: true
-
-  - id: 1.1.26
-    text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"
-    audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml"
-    tests:
-      bin_op: and
-      test_items:
-      - flag: "certFile: master.etcd-client.crt"
-        compare:
-          op: has
-          value: "certFile: master.etcd-client.crt"
-        set: true
-      - flag: "keyFile: master.etcd-client.key"
-        compare:
-          op: has
-          value: "keyFile: master.etcd-client.key"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile 
-      under etcdClientInfo like below.
-      
-        etcdClientInfo:
-          ca: master.etcd-ca.crt
-          certFile: master.etcd-client.crt
-          keyFile: master.etcd-client.key
-    scored: true
-
-  - id: 1.1.27
-    text: "Ensure that the admission control plugin ServiceAccount is set (Scored)"
-    audit: "grep -A4 ServiceAccount /etc/origin/master/master-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "ServiceAccount"
-        set: false
-      - flag: "disable: false"
-        compare:
-          op: has
-          value: "disable: false"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount
-      admission control policy.
-      
-        ServiceAccount: 
-          configuration:
-            kind: DefaultAdmissionConfig
-            apiVersion: v1
-            disable: false
-    scored: true
-
-  - id: 1.1.28
-    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
-    audit: "grep -A7 servingInfo /etc/origin/master/master-config.yaml"
-    tests:
-      bin_op: and
-      test_items:
-      - flag: "certFile: master.server.crt"
-        compare:
-          op: has
-          value: "certFile: master.server.crt"
-        set: true
-      - flag: "keyFile: master.server.key"
-        compare:
-          op: has
-          value: "keyFile: master.server.key"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo.
-
-        servingInfo:
-          bindAddress: 0.0.0.0:8443
-          bindNetwork: tcp4
-          certFile: master.server.crt
-          clientCA: ca.crt
-          keyFile: master.server.key
-          maxRequestsInFlight: 500
-          requestTimeoutSeconds: 3600
-    scored: true
-
-  - id: 1.1.29
-    text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
-    audit: "grep -A7 servingInfo /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "clientCA: ca.crt"
-        compare:
-          op: has
-          value: "clientCA: ca.crt"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set clientCA under servingInfo.
-
-        servingInfo:
-          bindAddress: 0.0.0.0:8443
-          bindNetwork: tcp4
-          certFile: master.server.crt
-          clientCA: ca.crt
-          keyFile: master.server.key
-          maxRequestsInFlight: 500
-          requestTimeoutSeconds: 3600
-    scored: true
-
-  - id: 1.1.30
-    text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
-    audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "ca: master.etcd-ca.crt"
-        compare:
-          op: has
-          value: "ca: master.etcd-ca.crt"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo.
-
-        etcdClientInfo:
-          ca: master.etcd-ca.crt
-          certFile: master.etcd-client.crt
-          keyFile: master.etcd-client.key
-    scored: true
-
-  - id: 1.1.31
-    text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 1.1.32
-    text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
-    audit: "grep -A4 NodeRestriction /etc/origin/master/master-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "NodeRestriction"
-        set: false
-      - flag: "disable: false"
-        compare:
-          op: has
-          value: "disable: false"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable NodeRestriction ca under etcdClientInfo.
-
-        NodeRestriction:
-          configuration:
-            kind: DefaultAdmissionConfig
-            apiVersion: v1
-            disable: false
-    scored: true
-
-  - id: 1.1.33
-    text: "Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)"
-    audit: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "experimental-encryption-provider-config:"
-        compare:
-          op: has
-          value: "experimental-encryption-provider-config:"
-        set: true
-    remediation: |
-      Follow the instructions in the documentation to configure encryption. 
-      https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html
-    scored: true
-
-  - id: 1.1.34
-    text: "Ensure that the encryption provider is set to aescbc (Scored)"
-    audit: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs grep -A1 providers"
-    tests:
-      test_items:
-      - flag: "aescbc:"
-        compare:
-          op: has
-          value: "aescbc:"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config.
-      See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html.
-    scored: true
-
-  - id: 1.1.35
-    text: "Ensure that the admission control policy is set to EventRateLimit (Scored)"
-    audit: "grep -A4 EventRateLimit /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "disable: false"
-        compare:
-          op: has
-          value: "disable: false"
-        set: true
-    remediation: |
-      Follow the documentation to enable the EventRateLimit plugin.
-      https://docs.openshift.com/container-platform/3.10/architecture/additional_concepts/admission_controllers.html#admission-controllers-general-admission-rules 
-    scored: true
-
-  - id: 1.1.36
-    text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
-    audit: "grep AdvancedAuditing /etc/origin/master/master-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "AdvancedAuditing"
-        compare:
-          op: eq
-          value: "true"
-        set: true
-      - flag: "AdvancedAuditing"
-        set: false
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable AdvancedAuditing,
-
-      kubernetesMasterConfig:
-        apiServerArguments:
-          feature-gates:
-            - AdvancedAuditing=true
-    scored: true
-
-  # Review 1.1.37 in Aquasec shared doc, the tests are net zero.
-  - id: 1.1.37
-    text: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
-    audit: "grep request-timeout /etc/origin/master/master-config.yaml"
-    type: manual
-    remediation: |
-      change the request-timeout value in the  /etc/origin/master/master-config.yaml
-    scored: true
-
-
-- id: 1.2
-  text: "Scheduler"
-  checks:
-  - id: 1.2.1
-    text: "Ensure that the --profiling argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-
-- id: 1.3
-  text: "Controller Manager"
-  checks:
-  - id: 1.3.1
-    text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
-    audit: "grep terminated-pod-gc-threshold -A1 /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-      - flag: "true"
-        compare:
-          op: has
-          value: "true"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml  and enable terminated-pod-gc-threshold.
-
-        kubernetesMasterConfig:
-          controllerArguments:
-             terminated-pod-gc-threshold:
-             - true
-
-      Enabling the "terminated-pod-gc-threshold" settings is optional.
-    scored: true
-
-  - id: 1.3.2
-    text: "Ensure that the --profiling argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 1.3.3
-    text: "Ensure that the --use-service-account-credentials argument is set to true (Scored)"
-    audit: "grep -A2 use-service-account-credentials /etc/origin/master/master-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "use-service-account-credentials"
-        set: false
-      - flag: "true"
-        compare:
-          op: has
-          value: "true"
-        set: true
-    remediation: |
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set use-service-account-credentials
-      to true under controllerArguments section.
-
-      kubernetesMasterConfig:
-        controllerArguments:
-           use-service-account-credentials:
-             - true
-    scored: true
-
-  # Review 1.3.4
-  - id: 1.3.4
-    text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
-    audit: |
-      grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml | grep privateKeyFile;
-      grep -A2 service-account-private-key-file /etc/origin/master/master-config.yaml
-    tests:
-      bin_op: and
-      test_items:
-        - flag: "privateKeyFile: serviceaccounts.private.key"
-          compare:
-            op: has
-            value: "privateKeyFile"
-        - flag: "service-account-private-key-file"
-          set: false
-    remediation:
-      Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove service-account-private-key-file
-    scored: true
-
-  # Review 1.3.5
-  - id: 1.3.5
-    text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
-    audit: "/bin/sh -c 'grep root-ca-file /etc/origin/master/master-config.yaml; grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml'"
-    tests:
-      bin_op: and
-      test_items:
-        - flag: "root-ca-file=/etc/origin/master/ca-bundle.crt"
-          compare:
-            op: has
-            value: "/etc/origin/master/ca-bundle.crt"
-          set: true
-      test_items:
-        - flag: "masterCA: ca-bundle.crt"
-          compare:
-            op: has
-            value: "ca-bundle.crt"
-          set: true
-    remediation:
-      Reset to OpenShift defaults OpenShift starts kube-controller-manager with
-      root-ca-file=/etc/origin/master/ca-bundle.crt by default.  OpenShift Advanced
-      Installation creates this certificate authority and configuration without any
-      configuration required.
-
-      https://docs.openshift.com/container-platform/3.10/admin_guide/service_accounts.html"
-    scored: true
-
-  - id: 1.3.6
-    text: "Apply Security Context to Your Pods and Containers (Not Scored)"
-    type: "skip"
-    scored: false
-
-  - id: 1.3.7
-    text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
-    audit: "grep -B3 RotateKubeletServerCertificate=true /etc/origin/master/master-config.yaml"
-    tests:
-      test_items:
-        - flag: "RotateKubeletServerCertificate"
-          compare:
-            op: eq
-            value: "true"
-          set: true
-    remediation:
-      If you decide not to enable the RotateKubeletServerCertificate feature,
-      be sure to use the Ansible playbooks provided with the OpenShift installer to
-      automate re-deploying certificates.
-    scored: true
-
-
-- id: 1.4
-  text: "Configuration Files"
-  checks:
-  - id: 1.4.1
-    text: "Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/node/pods/apiserver.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "644"
-        compare:
-          op: eq
-          value: "644"
-        set: true
-      - flag: "640"
-        compare:
-          op: eq
-          value: "640"
-        set: true
-      - flag: "600"
-        compare:
-          op: eq
-          value: "600"
-        set: true
-    remediation: |
-      Run the below command.
-
-      chmod 644 /etc/origin/node/pods/apiserver.yaml
-    scored: true
-
-  - id: 1.4.2
-    text: "Ensure that the API server pod specification file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/node/pods/apiserver.yaml"
-    tests:
-      test_items:
-      - flag: "root:root"
-        compare:
-          op: eq
-          value: "root:root"
-        set: true
-    remediation: |
-      Run the below command on the master node.
-
-      chown root:root /etc/origin/node/pods/apiserver.yaml
-    scored: true
-
-  - id: 1.4.3
-    text: "Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "644"
-        compare:
-          op: eq
-          value: "644"
-        set: true
-      - flag: "640"
-        compare:
-          op: eq
-          value: "640"
-        set: true
-      - flag: "600"
-        compare:
-          op: eq
-          value: "600"
-        set: true
-    remediation: |
-      Run the below command on the master node.
-
-      chmod 644 /etc/origin/node/pods/controllermanager.yaml
-    scored: true
-
-  - id: 1.4.4
-    text: "Ensure that the controller manager pod specification file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/node/pods/controller.yaml"
-    tests:
-      test_items:
-      - flag: "root:root"
-        compare:
-          op: eq
-          value: "root:root"
-        set: true
-    remediation: |
-      Run the below command on the master node.
-
-      chown root:root /etc/origin/node/pods/controllermanager.yaml
-    scored: true
-
-  - id: 1.4.5
-    text: "Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/node/pods/apiserver.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "644"
-        compare:
-          op: eq
-          value: "644"
-        set: true
-      - flag: "640"
-        compare:
-          op: eq
-          value: "640"
-        set: true
-      - flag: "600"
-        compare:
-          op: eq
-          value: "600"
-        set: true
-    remediation: |
-      Run the below command.
-
-      chmod 644 /etc/origin/node/pods/apiserver.yaml
-    scored: true
-
-  - id: 1.4.6
-    text: "Ensure that the scheduler pod specification file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/node/pods/apiserver.yaml"
-    tests:
-      test_items:
-      - flag: "root:root"
-        compare:
-          op: eq
-          value: "root:root"
-        set: true
-    remediation: |
-      Run the below command on the master node.
-
-      chown root:root /etc/origin/node/pods/apiserver.yaml
-    scored: true
-
-  - id: 1.4.7
-    text: "Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/node/pods/etcd.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "644"
-        compare:
-          op: eq
-          value: "644"
-        set: true
-      - flag: "640"
-        compare:
-          op: eq
-          value: "640"
-        set: true
-      - flag: "600"
-        compare:
-          op: eq
-          value: "600"
-        set: true
-    remediation: |
-      Run the below command.
-
-      chmod 644 /etc/origin/node/pods/etcd.yaml
-    scored: true
-
-  - id: 1.4.8
-    text: "Ensure that the etcd pod specification file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/node/pods/etcd.yaml"
-    tests:
-      test_items:
-      - flag: "root:root"
-        compare:
-          op: eq
-          value: "root:root"
-        set: true
-    remediation: |
-      Run the below command on the master node.
-
-      chown root:root /etc/origin/node/pods/etcd.yaml
-    scored: true
-
-  - id: 1.4.9
-    text: "Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/openvswitch/"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "644"
-        compare:
-          op: eq
-          value: "644"
-        set: true
-      - flag: "640"
-        compare:
-          op: eq
-          value: "640"
-        set: true
-      - flag: "600"
-        compare:
-          op: eq
-          value: "600"
-        set: true
-    remediation: |
-      Run the below command.
-
-      chmod 644 /etc/origin/openvswitch/
-    scored: true
-
-  - id: 1.4.10
-    text: "Ensure that the Container Network Interface file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/openvswitch/"
-    tests:
-      test_items:
-      - flag: "root:root"
-        compare:
-          op: eq
-          value: "root:root"
-        set: true
-    remediation: |
-      Run the below command on the master node.
-
-      chown root:root /etc/origin/openvswitch/
-    scored: true
-
-  - id: 1.4.11
-    text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive(Scored)"
-    audit: "stat -c %a /var/lib/etcd"
-    tests:
-      test_items:
-      - flag: "700"
-        compare:
-          op: eq
-          value: "700"
-        set: true
-    remediation: |
-      On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
-      from the below command:
-      ps -ef | grep etcd
-      Run the below command (based on the etcd data directory found above). For example,
-      chmod 700 /var/lib/etcd
-    scored: true
-
-  - id: 1.4.12
-    text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
-    audit: "stat -c %U:%G /var/lib/etcd"
-    tests:
-      test_items:
-      - flag: "etcd:etcd"
-        compare:
-          op: eq
-          value: "etcd:etcd"
-        set: true
-    remediation: |
-      Run the below command on the master node.
-
-      chown etcd:etcd /var/lib/etcd
-    scored: true
-
-  - id: 1.4.13
-    text: "Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/master/admin.kubeconfig"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "644"
-        compare:
-          op: eq
-          value: "644"
-        set: true
-      - flag: "640"
-        compare:
-          op: eq
-          value: "640"
-        set: true
-      - flag: "600"
-        compare:
-          op: eq
-          value: "600"
-        set: true
-    remediation: |
-      Run the below command.
-
-      chmod 644 /etc/origin/master/admin.kubeconfig"
-    scored: true
-
-  - id: 1.4.14
-    text: "Ensure that the admin.conf file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/master/admin.kubeconfig"
-    tests:
-      test_items:
-      - flag: "root:root"
-        compare:
-          op: eq
-          value: "root:root"
-        set: true
-    remediation: |
-      Run the below command on the master node.
-
-      chown root:root /etc/origin/master/admin.kubeconfig
-    scored: true
-
-  - id: 1.4.15
-    text: "Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "644"
-        compare:
-          op: eq
-          value: "644"
-        set: true
-      - flag: "640"
-        compare:
-          op: eq
-          value: "640"
-        set: true
-      - flag: "600"
-        compare:
-          op: eq
-          value: "600"
-        set: true
-    remediation: |
-      Run the below command.
-
-      chmod 644 /etc/origin/master/openshift-master.kubeconfig
-    scored: true
-
-  - id: 1.4.16
-    text: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/master/openshift-master.kubeconfig"
-    tests:
-      test_items:
-      - flag: "root:root"
-        compare:
-          op: eq
-          value: "root:root"
-        set: true
-    remediation: |
-      Run the below command on the master node.
-
-      chown root:root /etc/origin/master/openshift-master.kubeconfig
-    scored: true
-
-  - id: 1.4.17
-    text: "Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "644"
-        compare:
-          op: eq
-          value: "644"
-        set: true
-      - flag: "640"
-        compare:
-          op: eq
-          value: "640"
-        set: true
-      - flag: "600"
-        compare:
-          op: eq
-          value: "600"
-        set: true
-    remediation: |
-      Run the below command.
-
-      chmod 644 /etc/origin/master/openshift-master.kubeconfig
-    scored: true
-
-  - id: 1.4.18
-    text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/master/openshift-master.kubeconfig"
-    tests:
-      test_items:
-      - flag: "root:root"
-        compare:
-          op: eq
-          value: "root:root"
-        set: true
-    remediation: |
-      Run the below command on the master node.
-
-      chown root:root /etc/origin/master/openshift-master.kubeconfig
-    scored: true
-
-
-- id: 1.5
-  text: "Etcd"
-  checks:
-  - id: 1.5.1
-    text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
-    audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_CERT_FILE=/etc/etcd/server.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep etcd_key_file=/etc/etcd/server.key /proc/1/environ; grep ETCD_CERT_FILE=/etc/etcd/server.crt /etc/etcd/etcd.conf; grep ETCD_KEY_FILE=/etc/etcd/server.key /etc/etcd/etcd.conf'"
-    tests:
-      bin_op: and
-      test_items:
-      - flag: "Binary file /proc/1/environ matches"
-        compare:
-          op: has
-          value: "Binary file /proc/1/environ matches"
-        set: true
-      - flag: "ETCD_CERT_FILE=/etc/etcd/server.crt"
-        compare:
-          op: has
-          value: "ETCD_CERT_FILE=/etc/etcd/server.crt"
-        set: true
-      - flag: "ETCD_KEY_FILE=/etc/etcd/server.key"
-        compare:
-          op: has
-          value: "ETCD_KEY_FILE=/etc/etcd/server.key"
-        set: true
-    remediation: |
-      Reset to the OpenShift default configuration.
-    scored: true
-
-  - id: 1.5.2
-    text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
-    audit: "/bin/sh -c'/usr/local/bin/master-exec etcd etcd grep ETCD_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'"
-    tests:
-      bin_op: and
-      test_items:
-      - flag: "Binary file /proc/1/environ matches"
-        compare:
-          op: has
-          value: "Binary file /proc/1/environ matches"
-        set: true
-      - flag: "ETCD_CLIENT_CERT_AUTH=true"
-        compare:
-          op: has
-          value: "ETCD_CLIENT_CERT_AUTH=true"
-        set: true
-    remediation: |
-      Reset to the OpenShift default configuration.
-    scored: true
-
-  - id: 1.5.3
-    text: "Ensure that the --auto-tls argument is not set to true (Scored)"
-    audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_AUTO_TLS /proc/1/environ; grep ETCD_AUTO_TLS /etc/etcd/etcd.conf'"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "ETCD_AUTO_TLS=false"
-        compare:
-          op: has
-          value: "ETCD_AUTO_TLS=false"
-        set: true
-      - flag: "#ETCD_AUTO_TLS"
-        compare:
-          op: has
-          value: "#ETCD_AUTO_TLS"
-        set: true
-    remediation: |
-      Reset to the OpenShift default configuration.
-    scored: true
-
-  - id: 1.5.4
-    text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
-    audit: "/bin/sh -c'/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep ETCD_PEER_KEY_FILE=/etc/etcd/peer.key /proc/1/environ; grep ETCD_PEER_CERT_FILE /etc/etcd/etcd.conf; grep ETCD_PEER_KEY_FILE /etc/etcd/etcd.conf'"
-    tests:
-      bin_op: and
-      test_items:
-      - flag: "Binary file /proc/1/environ matches"
-        compare:
-          op: has
-          value: "Binary file /proc/1/environ matches"
-        set: true
-      - flag: "ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt"
-        compare:
-          op: has
-          value: "ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt"
-        set: true
-      - flag: "ETCD_PEER_KEY_FILE=/etc/etcd/peer.key"
-        compare:
-          op: has
-          value: "ETCD_PEER_KEY_FILE=/etc/etcd/peer.key"
-        set: true
-    remediation: |
-      Reset to the OpenShift default configuration.
-    scored: true
-
-  - id: 1.5.5
-    text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
-    audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_PEER_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'"
-    tests:
-      bin_op: and
-      test_items:
-      - flag: "Binary file /proc/1/environ matches"
-        compare:
-          op: has
-          value: "Binary file /proc/1/environ matches"
-        set: true
-      - flag: "ETCD_PEER_CLIENT_CERT_AUTH=true"
-        compare:
-          op: has
-          value: "ETCD_PEER_CLIENT_CERT_AUTH=true"
-        set: true
-    remediation: |
-      Reset to the OpenShift default configuration.
-    scored: true
-
-  - id: 1.5.6
-    text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
-    audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_AUTO_TLS /proc/1/environ; grep ETCD_PEER_AUTO_TLS /etc/etcd/etcd.conf'"
-    tests:
-      bin_op: and
-      test_items:
-      - flag: "Binary file /proc/1/environ matches"
-        compare:
-          op: has
-          value: "Binary file /proc/1/environ matches"
-        set: true
-      - flag: "#ETCD_PEER_AUTO_TLS=false"
-        compare:
-          op: has
-          value: "#ETCD_PEER_AUTO_TLS=false"
-        set: true
-    remediation: |
-      Reset to the OpenShift default configuration.
-    scored: true
-
-  - id: 1.5.7
-    text: "Ensure that the --wal-dir argument is set as appropriate Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 1.5.8
-    text: "Ensure that the --max-wals argument is set to 0 (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 1.5.9
-    text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
-    audit: "openssl x509 -in /etc/origin/master/master.etcd-ca.crt -subject -issuer -noout | sed 's/@/ /'"
-    tests:
-      test_items:
-      - flag: "issuer= /CN=etcd-signer"
-        compare:
-          op: has
-          value: "issuer= /CN=etcd-signer"
-        set: true
-    remediation: |
-      Reset to the OpenShift default configuration.
-    scored: false
-
-
-- id: 1.6
-  text: "General Security Primitives"
-  checks:
-  - id: 1.6.1
-    text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
-    type: "manual"
-    remediation: |
-      Review users, groups, serviceaccounts bound to cluster-admin:
-      oc get clusterrolebindings | grep cluster-admin
-
-      Review users and groups bound to cluster-admin and decide whether they require
-      such access. Consider creating least-privilege roles for users and service accounts
-    scored: false
-
-  - id: 1.6.2
-    text: "Create Pod Security Policies for your cluster (Not Scored)"
-    type: "manual"
-    remediation: |
-      Review Security Context Constraints:
-      oc get scc
-
-      Use OpenShift's Security Context Constraint feature, which has been contributed
-      to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10.
-      OpenShift ships with two SCCs: restricted and privileged.
-
-      The two default SCCs will be created when the master is started. The restricted
-      SCC is granted to all authenticated users by default.
-
-       https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html"
-    scored: false
-
-  - id: 1.6.3
-    text: "Create administrative boundaries between resources using namespaces (Not Scored)"
-    type: "manual"
-    remediation: |
-      Review projects:
-      oc get projects
-    scored: false
-
-  - id: 1.6.4
-    text: "Create network segmentation using Network Policies (Not Scored)"
-    type: "manual"
-    remediation: |
-      Verify on masters the plugin being used:
-      grep networkPluginName /etc/origin/master/master-config.yaml
-
-      OpenShift provides multi-tenant networking isolation (using Open vSwich and
-      vXLAN), to segregate network traffic between containers belonging to different
-      tenants (users or applications) while running on a shared cluster. Red Hat also
-      works with 3rd-party SDN vendors to provide the same level of capabilities
-      integrated with OpenShift. OpenShift SDN is included a part of OpenShift
-      subscription.
-
-      OpenShift supports Kubernetes NetworkPolicy. Administrator must configure
-      NetworkPolicies if desired.
-
-      https://docs.openshift.com/container-platform/3.10/architecture/networking/sdn.html#architecture-additional-concepts-sdn
-
-      Ansible Inventory variable: os_sdn_network_plugin_name:
-      https://docs.openshift.com/container-platform/3.10/install/configuring_inventory_file.html
-    scored: false
-
-  - id: 1.6.5
-    text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
-    type: "manual"
-    remediation: |
-      Verify SCCs that have been configured with seccomp:
-      oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
-
-      OpenShift does not enable seccomp by default. To configure seccomp profiles that
-      are applied to pods run by the SCC, follow the instructions in the
-      documentation:
-
-      https://docs.openshift.com/container-platform/3.9/admin_guide/seccomp.html#admin-guide-seccomp
-    scored: false
-
-  - id: 1.6.6
-    text: "Apply Security Context to Your Pods and Containers (Not Scored)"
-    type: "manual"
-    remediation: |
-      Review SCCs:
-      oc describe scc
-
-      Use OpenShift's Security Context Constraint feature, which has been contributed
-      to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10.
-
-      OpenShift ships with two SCCs: restricted and privileged. The two default SCCs
-      will be created when the master is started. The restricted SCC is granted to
-      all authenticated users by default.
-
-      All pods are run under the restricted SCC by default. Running a pod under any
-      other SCC requires an account with cluster admin capabilities to grant access
-      for the service account.
-
-      SecurityContextConstraints limit what securityContext is applied to pods and
-      containers.
-
-      https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html
-    scored: false
-
-  - id: 1.6.7
-    text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
-    type: "manual"
-    remediation: |
-      Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
-    scored: false
-
-  - id: 1.6.8
-    text: "Configure Network policies as appropriate (Not Scored)"
-    type: "manual"
-    remediation: |
-      If ovs-networkplugin is used, review network policies:
-      oc get networkpolicies
-
-      OpenShift supports Kubernetes NetworkPolicy via ovs-networkpolicy plugin.
-      If choosing ovs-multitenant plugin, each namespace is isolated in its own
-      netnamespace by default.
-    scored: false
-
-  - id: 1.6.9
-    text: "Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)"
-    type: "manual"
-    remediation: |
-      1) Determine all sccs allowing privileged containers:
-         oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
-      2) Review users and groups assigned to sccs allowing priviliged containers:
-         oc describe sccs <from (1)>
-
-      Use OpenShift's Security Context Constraint feature, which has been contributed
-      to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10.
-
-      OpenShift ships with two SCCs: restricted and privileged. The two default SCCs
-      will be created when the master is started. The restricted SCC is granted to all
-      authenticated users by default.
-
-      Similar scenarios are documented in the SCC
-      documentation, which outlines granting SCC access to specific serviceaccounts.
-      Administrators may create least-restrictive SCCs based on individual container
-      needs.
-
-      For example, if a container only requires running as the root user, the anyuid
-      SCC can be used, which will not expose additional access granted by running
-      privileged containers.
-
-      https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html
-    scored: false
+---
+controls:
+version: 3.10
+id: 1
+text: "Securing the OpenShift Master"
+type: "master"
+groups:
+
+- id: 1
+  text: "Protecting the API Server"
+  checks:
+  - id: 1.1
+    text: "Maintain default behavior for anonymous access"
+    type: "skip"
+    scored: true
+
+  - id: 1.2
+    text: "Verify that the basic-auth-file method is not enabled"
+    audit: "grep -A2 basic-auth-file /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "--basic-auth-file"
+        compare:
+          op: eq
+          value: ""
+        set: false
+    remediation: |
+      Edit the kubernetes master config file /etc/origin/master/master-config.yaml and
+      remove the basic-auth-file entry.
+
+      kubernetesMasterConfig:
+        apiServerArguments:
+           basic-auth-file:
+             - /path/to/any/file
+    scored: true
+
+  - id: 1.3
+    text: "Insecure Tokens"
+    type: "skip"
+    scored: true
+
+  - id: 1.4
+    text: "Secure communications between the API server and master nodes"
+    audit: "grep -A4 kubeletClientInfo /etc/origin/master/master-config.yaml"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "kubeletClientInfo:"
+        compare:
+          op: eq
+          value: "kubeletClientInfo:"
+        set: true
+      - flag: "ca: ca-bundle.crt"
+        compare:
+          op: has
+          value: "ca-bundle.crt"
+        set: true
+      - flag: "certFile: master.kubelet-client.crt"
+        compare:
+          op: has
+          value: "master.kubelet-client.crt"
+        set: true
+      - flag: "keyFile: master.kubelet-client.key"
+        compare:
+          op: has
+          value: "master.kubelet-client.key"
+        set: true
+      - flag: "port: 10250"
+        compare:
+          op: eq
+          value: "port: 10250"
+        set: true
+    remediation: |
+      Edit the kubernetes master config file /etc/origin/master/master-config.yaml
+      and change it to match the below.
+
+      kubeletClientInfo:
+        ca: ca-bundle.crt
+        certFile: master.kubelet-client.crt
+        keyFile: master.kubelet-client.key
+        port: 10250
+    scored: true
+
+  - id: 1.5
+    text: "Prevent insecure bindings"
+    audit: "grep -A2 insecure-bind-address /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "insecure-bind-address"
+        set: false
+    remediation: |
+      Edit the kubernetes master config file /etc/origin/master/master-config.yaml
+      and remove the insecure-bind-address entry.
+
+      kubernetesMasterConfig:
+        apiServerArguments:
+           insecure-bind-address:
+           - 127.0.0.1
+    scored: true
+
+  - id: 1.6
+    text: "Prevent insecure port access"
+    audit: "grep -A2 insecure-port /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "insecure-port"
+        set: false
+    remediation: |
+     Edit the kubernetes master config file /etc/origin/master/master-config.yaml
+     and remove the insecure-port entry.
+
+     kubernetesMasterConfig:
+       apiServerArguments:
+         insecure-port:
+         - 0
+    scored: true
+
+  - id: 1.7
+    text: "Use Secure Ports for API Server Traffic"
+    audit: "grep -A2 secure-port /etc/origin/master/master-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "secure-port"
+        set: false
+      - flag: "secure-port"
+        compare:
+          op: nothave
+          value: "0"
+        set: true
+    remediation: |
+     Edit the kubernetes master config file /etc/origin/master/master-config.yaml
+     and either remove the secure-port parameter or set it to a different (non-zero)
+     desired port.
+
+     kubernetesMasterConfig:
+       apiServerArguments:
+         secure-port:
+         - 8443
+    scored: true
+
+  - id: 1.8
+    text: "Do not expose API server profiling data"
+    type: "skip"
+    scored: true
+
+  - id: 1.9
+    text: "Verify repair-malformed-updates argument for API compatibility"
+    audit: "grep -A2 repair-malformed-updates /etc/origin/master/master-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "repair-malformed-updates"
+        set: false
+      - flag: "repair-malformed-updates"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+     Edit the kubernetes master config file /etc/origin/master/master-config.yaml
+     and remove the repair-malformed-updates entry or set repair-malformed-updates=true.
+    scored: true
+
+  - id: 1.10
+    text: "Verify that the AlwaysAdmit admission controller is disabled"
+    audit: "grep -A4 AlwaysAdmit /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "AlwaysAdmit"
+        set: false
+    remediation: |
+      Edit the kubernetes master config file /etc/origin/master/master-config.yaml
+      and remove the the entry below.
+
+      AlwaysAdmit:
+        configuration:
+          kind: DefaultAdmissionConfig
+          apiVersion: v1
+          disable: false
+    scored: true
+
+  - id: 1.11
+    text: "Manage the AlwaysPullImages admission controller"
+    audit: "grep -A4 AlwaysPullImages /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "disable: false"
+        compare:
+          op: has
+          value: "false"
+        set: true
+    remediation: |
+      Edit the kubernetes master config file /etc/origin/master/master-config.yaml
+      and add the the entry below.
+
+      admissionConfig:
+        pluginConfig:
+          AlwaysPullImages:
+            configuration:
+              kind: DefaultAdmissionConfig
+              apiVersion: v1
+              disable: false
+    scored: true
+
+  - id: 1.12
+    text: "Use Security Context Constraints instead of DenyEscalatingExec admission"
+    type: "skip"
+    scored: true
+
+  - id: 1.13
+    text: "Use Security Context Constraints instead of the SecurityContextDeny admission controller"
+    type: "skip"
+    scored: true
+
+  - id: 1.14
+    text: "Manage the NamespaceLifecycle admission controller"
+    audit: "grep -A4 NamespaceLifecycle /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "NamespaceLifecycle"
+        set: false
+    remediation: |
+      Edit the kubernetes master config file /etc/origin/master/master-config.yaml
+      and remove the following entry.
+
+      NamespaceLifecycle: 
+        configuration:
+          kind: DefaultAdmissionConfig
+          apiVersion: v1
+          disable: true
+    scored: true
+
+  - id: 1.15
+    text: "Configure API server auditing - audit log file path"
+    audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "enabled: true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the following entry and restart the API server.
+
+      auditConfig:
+        auditFilePath: ""/etc/origin/master/audit-ocp.log""
+        enabled: true
+        maximumFileRetentionDays: 30
+        maximumFileSizeMegabytes: 10
+        maximumRetainedFiles: 10
+
+      Make the same changes in the inventory/ansible variables so the changes are not
+      lost when an upgrade occurs.
+    scored: true
+
+  - id: 1.16
+    text: "Configure API server auditing - audit log retention"
+    audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "maximumFileRetentionDays: 30"
+        compare:
+          op: has
+          value: "maximumFileRetentionDays"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml,
+      update the maximumFileRetentionDays entry and restart the API server.
+
+      auditConfig:
+        auditFilePath: ""/etc/origin/master/audit-ocp.log""
+        enabled: true
+        maximumFileRetentionDays: 30
+        maximumFileSizeMegabytes: 10
+        maximumRetainedFiles: 10
+
+      Make the same changes in the inventory/ansible variables so the changes are not
+      lost when an upgrade occurs.
+    scored: true
+
+  - id: 1.17
+    text: "Configure API server auditing - audit log backup retention"
+    audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "maximumRetainedFiles: 10"
+        compare:
+          op: has
+          value: "maximumRetainedFiles"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumRetainedFiles entry,
+      set enabled to true and restart the API server.
+
+      auditConfig:
+        auditFilePath: ""/etc/origin/master/audit-ocp.log""
+        enabled: true
+        maximumFileRetentionDays: 30
+        maximumFileSizeMegabytes: 10
+        maximumRetainedFiles: 10
+
+      Make the same changes in the inventory/ansible variables so the changes are not
+      lost when an upgrade occurs.
+    scored: true
+
+  - id: 1.18
+    text: "Configure audit log file size"
+    audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "maximumFileSizeMegabytes: 30"
+        compare:
+          op: has
+          value: "maximumFileSizeMegabytes"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumFileSizeMegabytes entry,
+      set enabled to true and restart the API server.
+
+      auditConfig:
+        auditFilePath: ""/etc/origin/master/audit-ocp.log""
+        enabled: true
+        maximumFileRetentionDays: 30
+        maximumFileSizeMegabytes: 10
+        maximumRetainedFiles: 10
+
+      Make the same changes in the inventory/ansible variables so the changes are not
+      lost when an upgrade occurs.
+    scored: true
+
+  - id: 1.19
+    text: "Verify that authorization-mode is not set to AlwaysAllow"
+    audit: "grep -A1 authorization-mode /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "authorization-mode"
+        set: false
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the authorization-mode
+      entry.
+
+      kubernetesMasterConfig:
+        apiServerArguments:
+           authorization-mode:
+             - AllowAll
+    scored: true
+
+  - id: 1.20
+    text: "Verify that the token-auth-file flag is not set"
+    audit: "grep token-auth-file /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "token-auth-file"
+        set: false
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the token-auth-file
+      entry under apiserverArguments section.
+
+      kubernetesMasterConfig:
+        apiServerArguments:
+           token-auth-file:
+             - /path/to/file
+    scored: true
+
+  - id: 1.21
+    text: "Verify the API server certificate authority"
+    audit: "grep -A1 kubelet-certificate-authority /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "kubelet-certificate-authority"
+        set: false
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the following
+      configuration under apiserverArguments section.
+
+      kubernetesMasterConfig:
+        apiServerArguments:
+           kubelet-certificat-authority:
+             - /path/to/ca
+    scored: true
+
+  - id: 1.22
+    text: "Verify the API server client certificate and client key"
+    audit: "grep -A4 kubeletClientInfo /etc/origin/master/master-config.yaml"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "keyFile: master.kubelet-client.key"
+        compare:
+          op: has
+          value: "keyFile: master.kubelet-client.key"
+        set: true
+      - flag: "certFile: master.kubelet-client.crt"
+        compare:
+          op: has
+          value: "certFile: master.kubelet-client.crt"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following
+      configuration under kubeletClientInfo
+
+      kubeletClientInfo:
+        ca: ca-bundle.crt
+        certFile: master.kubelet-client.crt
+        keyFile: master.kubelet-client.key
+        port: 10250
+    scored: true
+
+  - id: 1.23
+    text: "Verify that the service account lookup flag is not set"
+    type: skip
+    scored: true
+
+  - id: 1.24
+    text: "Verify the PodSecurityPolicy is disabled to ensure use of SecurityContextConstraints"
+    type: "skip"
+    scored: true
+
+  - id: 1.25
+    text: "Verify that the service account key file argument is not set"
+    audit: "grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "privateKeyFile: serviceaccounts.private.key"
+        compare:
+          op: has
+          value: "privateKeyFile: serviceaccounts.private.key"
+        set: true
+      - flag: "serviceaccounts.public.key"
+        compare:
+          op: has
+          value: "serviceaccounts.public.key"
+        set: true
+    remediation: |
+      OpenShift API server does not use the service-account-key-file argument. 
+      Even if value is set in master-config.yaml, it will not be used to verify 
+      service account tokens, as it is in upstream Kubernetes. The ServiceAccount 
+      token authenticator is configured with serviceAccountConfig.publicKeyFiles in 
+      the master-config.yaml. OpenShift does not reuse the apiserver TLS key.
+
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set the privateKeyFile 
+      and publicKeyFile configuration under serviceAccountConfig.
+
+        serviceAccountConfig:
+          limitSecretReferences: false
+          managedNames:
+            - default
+            - builder
+            - deployer
+          masterCA: ca-bundle.crt
+          privateKeyFile: serviceaccounts.private.key
+          publicKeyFiles:
+            - serviceaccounts.public.key
+
+      Verify that privateKeyFile and publicKeyFile exist and set.
+    scored: true
+
+  - id: 1.26
+    text: "Verify the certificate and key used for communication with etcd"
+    audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "certFile: master.etcd-client.crt"
+        compare:
+          op: has
+          value: "certFile: master.etcd-client.crt"
+        set: true
+      - flag: "keyFile: master.etcd-client.key"
+        compare:
+          op: has
+          value: "keyFile: master.etcd-client.key"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile 
+      under etcdClientInfo like below.
+      
+        etcdClientInfo:
+          ca: master.etcd-ca.crt
+          certFile: master.etcd-client.crt
+          keyFile: master.etcd-client.key
+    scored: true
+
+  - id: 1.27
+    text: "Verify that the ServiceAccount admission controller is enabled"
+    audit: "grep -A4 ServiceAccount /etc/origin/master/master-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "ServiceAccount"
+        set: false
+      - flag: "disable: false"
+        compare:
+          op: has
+          value: "disable: false"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount
+      admission control policy.
+      
+        ServiceAccount: 
+          configuration:
+            kind: DefaultAdmissionConfig
+            apiVersion: v1
+            disable: false
+    scored: true
+
+  - id: 1.28
+    text: "Verify the certificate and key used to encrypt API server traffic"
+    audit: "grep -A7 servingInfo /etc/origin/master/master-config.yaml"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "certFile: master.server.crt"
+        compare:
+          op: has
+          value: "certFile: master.server.crt"
+        set: true
+      - flag: "keyFile: master.server.key"
+        compare:
+          op: has
+          value: "keyFile: master.server.key"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo.
+
+        servingInfo:
+          bindAddress: 0.0.0.0:8443
+          bindNetwork: tcp4
+          certFile: master.server.crt
+          clientCA: ca.crt
+          keyFile: master.server.key
+          maxRequestsInFlight: 500
+          requestTimeoutSeconds: 3600
+    scored: true
+
+  - id: 1.29
+    text: "Verify that the --client-ca-file argument is not set"
+    audit: "grep client-ca-file /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "clientCA: ca.crt"
+        set: false
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set clientCA under servingInfo.
+
+        servingInfo:
+          bindAddress: 0.0.0.0:8443
+          bindNetwork: tcp4
+          certFile: master.server.crt
+          clientCA: ca.crt
+          keyFile: master.server.key
+          maxRequestsInFlight: 500
+          requestTimeoutSeconds: 3600
+    scored: true
+
+  - id: 1.30
+    text: "Verify the CA used for communication with etcd"
+    audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "ca: master.etcd-ca.crt"
+        compare:
+          op: has
+          value: "ca: master.etcd-ca.crt"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo.
+
+        etcdClientInfo:
+          ca: master.etcd-ca.crt
+          certFile: master.etcd-client.crt
+          keyFile: master.etcd-client.key
+    scored: true
+
+  - id: 1.31
+    text: "Verify that the authorization-mode argument is not set"
+    type: "skip"
+    scored: true
+
+  - id: 1.32
+    text: "Verify that the NodeRestriction admission controller is enabled"
+    audit: "grep -A4 NodeRestriction /etc/origin/master/master-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "NodeRestriction"
+        set: false
+      - flag: "disable: false"
+        compare:
+          op: has
+          value: "disable: false"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable NodeRestriction ca under etcdClientInfo.
+
+        NodeRestriction:
+          configuration:
+            kind: DefaultAdmissionConfig
+            apiVersion: v1
+            disable: false
+    scored: true
+
+  - id: 1.33
+    text: "Configure encryption of data at rest in etcd datastore"
+    audit: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "experimental-encryption-provider-config:"
+        compare:
+          op: has
+          value: "experimental-encryption-provider-config:"
+        set: true
+    remediation: |
+      Follow the instructions in the documentation to configure encryption. 
+      https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html
+    scored: true
+
+  - id: 1.34
+    text: "Set the encryption provider to aescbc for etcd data at rest"
+    audit: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs grep -A1 providers"
+    tests:
+      test_items:
+      - flag: "aescbc:"
+        compare:
+          op: has
+          value: "aescbc:"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config.
+      See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html.
+    scored: true
+
+  - id: 1.35
+    text: "Enable the EventRateLimit plugin"
+    audit: "grep -A4 EventRateLimit /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "disable: false"
+        compare:
+          op: has
+          value: "disable: false"
+        set: true
+    remediation: |
+      Follow the documentation to enable the EventRateLimit plugin.
+      https://docs.openshift.com/container-platform/3.10/architecture/additional_concepts/admission_controllers.html#admission-controllers-general-admission-rules 
+    scored: true
+
+  - id: 1.36
+    text: "Configure advanced auditing"
+    audit: "grep AdvancedAuditing /etc/origin/master/master-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "AdvancedAuditing"
+        compare:
+          op: eq
+          value: "true"
+        set: true
+      - flag: "AdvancedAuditing"
+        set: false
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable AdvancedAuditing,
+
+      kubernetesMasterConfig:
+        apiServerArguments:
+          feature-gates:
+            - AdvancedAuditing=true
+    scored: true
+
+  # Review 1.1.37 in Aquasec shared doc, the tests are net zero.
+  - id: 1.37
+    text: "Adjust the request timeout argument for your cluster resources"
+    audit: "grep request-timeout /etc/origin/master/master-config.yaml"
+    type: manual
+    remediation: |
+      change the request-timeout value in the  /etc/origin/master/master-config.yaml
+    scored: true
+
+
+- id: 2
+  text: "Scheduler"
+  checks:
+  - id: 2.1
+    text: "Verify that Scheduler profiling is not exposed to the web"
+    type: "skip"
+    scored: true
+
+
+- id: 3
+  text: "Controller Manager"
+  checks:
+  - id: 3.1
+    text: "Adjust the terminated-pod-gc-threshold argument as needed"
+    audit: "grep terminated-pod-gc-threshold -A1 /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+      - flag: "terminated-pod-gc-threshold:"
+        compare:
+          op: has
+          value: "12500"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml  and enable terminated-pod-gc-threshold.
+
+        kubernetesMasterConfig:
+          controllerArguments:
+             terminated-pod-gc-threshold:
+             - true
+
+      Enabling the "terminated-pod-gc-threshold" settings is optional.
+    scored: true
+
+  - id: 3.2
+    text: "Verify that Controller profiling is not exposed to the web"
+    type: "skip"
+    scored: true
+
+  - id: 3.3
+    text: "Verify that the --use-service-account-credentials argument is set to true"
+    audit: "grep -A2 use-service-account-credentials /etc/origin/master/master-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "use-service-account-credentials"
+        set: false
+      - flag: "true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and set use-service-account-credentials
+      to true under controllerArguments section.
+
+      kubernetesMasterConfig:
+        controllerArguments:
+           use-service-account-credentials:
+             - true
+    scored: true
+
+  # Review 3.4
+  - id: 3.4
+    text: "Verify that the --service-account-private-key-file argument is set as appropriate"
+    audit: |
+      grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml | grep privateKeyFile;
+      grep -A2 service-account-private-key-file /etc/origin/master/master-config.yaml
+    tests:
+      bin_op: and
+      test_items:
+        - flag: "privateKeyFile: serviceaccounts.private.key"
+          compare:
+            op: has
+            value: "privateKeyFile"
+        - flag: "service-account-private-key-file"
+          set: false
+    remediation:
+      Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove service-account-private-key-file
+    scored: true
+
+  # Review 3.5
+  - id: 3.5
+    text: "Verify that the --root-ca-file argument is set as appropriate"
+    audit: "/bin/sh -c 'grep root-ca-file /etc/origin/master/master-config.yaml; grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml'"
+    tests:
+      bin_op: and
+      test_items:
+        - flag: "root-ca-file=/etc/origin/master/ca-bundle.crt"
+          compare:
+            op: has
+            value: "/etc/origin/master/ca-bundle.crt"
+          set: true
+      test_items:
+        - flag: "masterCA: ca-bundle.crt"
+          compare:
+            op: has
+            value: "ca-bundle.crt"
+          set: true
+    remediation:
+      Reset to OpenShift defaults OpenShift starts kube-controller-manager with
+      root-ca-file=/etc/origin/master/ca-bundle.crt by default.  OpenShift Advanced
+      Installation creates this certificate authority and configuration without any
+      configuration required.
+
+      https://docs.openshift.com/container-platform/3.10/admin_guide/service_accounts.html"
+    scored: true
+
+  - id: 3.6
+    text: "Verify that Security Context Constraints are applied to Your Pods and Containers"
+    type: "skip"
+    scored: false
+
+  - id: 3.7
+    text: "Manage certificate rotation"
+    audit: "grep -B3 RotateKubeletServerCertificate=true /etc/origin/master/master-config.yaml"
+    tests:
+      test_items:
+        - flag: "RotateKubeletServerCertificate"
+          compare:
+            op: eq
+            value: "true"
+          set: true
+    remediation:
+      If you decide not to enable the RotateKubeletServerCertificate feature,
+      be sure to use the Ansible playbooks provided with the OpenShift installer to
+      automate re-deploying certificates.
+    scored: true
+
+
+- id: 4
+  text: "Configuration Files"
+  checks:
+  - id: 4.1
+    text: "Verify the OpenShift default permissions for the API server pod specification file"
+    audit: "stat -c %a /etc/origin/node/pods/apiserver.yaml"
+    tests:      
+      test_items:
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command.
+
+      chmod 600 /etc/origin/node/pods/apiserver.yaml
+    scored: true
+
+  - id: 4.2
+    text: "Verify the OpenShift default file ownership for the API server pod specification file"
+    audit: "stat -c %U:%G /etc/origin/node/pods/apiserver.yaml"
+    tests:
+      test_items:
+      - flag: "root:root"
+        compare:
+          op: eq
+          value: "root:root"
+        set: true
+    remediation: |
+      Run the below command on the master node.
+
+      chown root:root /etc/origin/node/pods/apiserver.yaml
+    scored: true
+
+  - id: 4.3
+    text: "Verify the OpenShift default file permissions for the controller manager pod specification file"
+    audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
+    tests:      
+      test_items:
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on the master node.
+
+      chmod 600 /etc/origin/node/pods/controller.yaml
+    scored: true
+
+  - id: 4.4
+    text: "Verify the OpenShift default ownership for the controller manager pod specification file"
+    audit: "stat -c %U:%G /etc/origin/node/pods/controller.yaml"
+    tests:
+      test_items:
+      - flag: "root:root"
+        compare:
+          op: eq
+          value: "root:root"
+        set: true
+    remediation: |
+      Run the below command on the master node.
+
+      chown root:root /etc/origin/node/pods/controller.yaml
+    scored: true
+
+  - id: 4.5
+    text: "Verify the OpenShift default permissions for the scheduler pod specification file"
+    audit: "stat -c %a /etc/origin/node/pods/controller.yaml"
+    tests:      
+      test_items:
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command.
+
+      chmod 600 stat -c %a /etc/origin/node/pods/controller.yaml
+    scored: true
+
+  - id: 4.6
+    text: "Verify the scheduler pod specification file ownership set by OpenShift"
+    audit: "stat -c %u:%g /etc/origin/node/pods/controller.yaml"
+    tests:
+      test_items:
+      - flag: "root:root"
+        compare:
+          op: eq
+          value: "root:root"
+        set: true
+    remediation: |
+      Run the below command on the master node.
+
+      chown root:root /etc/origin/node/pods/controller.yaml
+    scored: true
+
+  - id: 4.7
+    text: "Verify the OpenShift default etcd pod specification file permissions"
+    audit: "stat -c %a /etc/origin/node/pods/etcd.yaml"
+    tests:      
+      test_items:
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command.
+
+      chmod 600 /etc/origin/node/pods/etcd.yaml
+    scored: true
+
+  - id: 4.8
+    text: "Verify the OpenShift default etcd pod specification file ownership"
+    audit: "stat -c %U:%G /etc/origin/node/pods/etcd.yaml"
+    tests:
+      test_items:
+      - flag: "root:root"
+        compare:
+          op: eq
+          value: "root:root"
+        set: true
+    remediation: |
+      Run the below command on the master node.
+
+      chown root:root /etc/origin/node/pods/etcd.yaml
+    scored: true
+
+  - id: 4.9
+    text: "Verify the default OpenShift Container Network Interface file permissions"
+    audit: "stat -c %a /etc/origin/openvswitch/ /etc/cni/net.d/"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "644"
+        compare:
+          op: eq
+          value: "644"
+        set: true
+      - flag: "640"
+        compare:
+          op: eq
+          value: "640"
+        set: true
+      - flag: "600"
+        compare:
+          op: eq
+          value: "600"
+        set: true
+    remediation: |
+      Run the below command.
+
+      chmod 644 -R /etc/origin/openvswitch/ /etc/cni/net.d/
+    scored: true
+
+  - id: 4.10
+    text: "Verify the default OpenShift Container Network Interface file ownership"
+    audit: "stat -c %U:%G /etc/origin/openvswitch/ /etc/cni/net.d/"
+    tests:
+      test_items:
+      - flag: "root:root"
+        compare:
+          op: eq
+          value: "root:root"
+        set: true
+    remediation: |
+      Run the below command on the master node.
+
+      chown root:root /etc/origin/openvswitch/ /etc/cni/net.d/
+    scored: true
+
+  - id: 4.11
+    text: "Verify the default OpenShift etcd data directory permissions"
+    audit: "stat -c %a /var/lib/etcd"
+    tests:
+      test_items:
+      - flag: "700"
+        compare:
+          op: eq
+          value: "700"
+        set: true
+    remediation: |
+      On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
+      from the below command:
+      ps -ef | grep etcd
+      Run the below command (based on the etcd data directory found above). For example,
+      chmod 700 /var/lib/etcd
+    scored: true
+
+  - id: 4.12
+    text: "Verify the default OpenShift etcd data directory ownership"
+    audit: "stat -c %U:%G /var/lib/etcd"
+    tests:
+      test_items:
+      - flag: "etcd:etcd"
+        compare:
+          op: eq
+          value: "etcd:etcd"
+        set: true
+    remediation: |
+      Run the below command on the master node.
+
+      chown etcd:etcd /var/lib/etcd
+    scored: true
+
+  - id: 4.13
+    text: "Verify the default OpenShift admin.conf file permissions"
+    audit: "stat -c %a /etc/origin/master/admin.kubeconfig"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "644"
+        compare:
+          op: eq
+          value: "644"
+        set: true
+      - flag: "640"
+        compare:
+          op: eq
+          value: "640"
+        set: true
+      - flag: "600"
+        compare:
+          op: eq
+          value: "600"
+        set: true
+    remediation: |
+      Run the below command.
+
+      chmod 644 /etc/origin/master/admin.kubeconfig"
+    scored: true
+
+  - id: 4.14
+    text: "Verify the default OpenShift admin.conf file ownership"
+    audit: "stat -c %U:%G /etc/origin/master/admin.kubeconfig"
+    tests:
+      test_items:
+      - flag: "root:root"
+        compare:
+          op: eq
+          value: "root:root"
+        set: true
+    remediation: |
+      Run the below command on the master node.
+
+      chown root:root /etc/origin/master/admin.kubeconfig
+    scored: true
+
+  - id: 4.15
+    text: "Verify the default OpenShift scheduler.conf file permissions"
+    audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "644"
+        compare:
+          op: eq
+          value: "644"
+        set: true
+      - flag: "640"
+        compare:
+          op: eq
+          value: "640"
+        set: true
+      - flag: "600"
+        compare:
+          op: eq
+          value: "600"
+        set: true
+    remediation: |
+      Run the below command.
+
+      chmod 644 /etc/origin/master/openshift-master.kubeconfig
+    scored: true
+
+  - id: 4.16
+    text: "Verify the default OpenShift scheduler.conf file ownership"
+    audit: "stat -c %U:%G /etc/origin/master/openshift-master.kubeconfig"
+    tests:
+      test_items:
+      - flag: "root:root"
+        compare:
+          op: eq
+          value: "root:root"
+        set: true
+    remediation: |
+      Run the below command on the master node.
+
+      chown root:root /etc/origin/master/openshift-master.kubeconfig
+    scored: true
+
+  - id: 4.17
+    text: "Verify the default Openshift controller-manager.conf file permissions"
+    audit: "stat -c %a /etc/origin/master/openshift-master.kubeconfig"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "644"
+        compare:
+          op: eq
+          value: "644"
+        set: true
+      - flag: "640"
+        compare:
+          op: eq
+          value: "640"
+        set: true
+      - flag: "600"
+        compare:
+          op: eq
+          value: "600"
+        set: true
+    remediation: |
+      Run the below command.
+
+      chmod 644 /etc/origin/master/openshift-master.kubeconfig
+    scored: true
+
+  - id: 4.18
+    text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
+    audit: "stat -c %U:%G /etc/origin/master/openshift-master.kubeconfig"
+    tests:
+      test_items:
+      - flag: "root:root"
+        compare:
+          op: eq
+          value: "root:root"
+        set: true
+    remediation: |
+      Run the below command on the master node.
+
+      chown root:root /etc/origin/master/openshift-master.kubeconfig
+    scored: true
+
+
+- id: 5
+  text: "Etcd"
+  checks:
+  - id: 5.1
+    text: "Verify the default OpenShift cert-file and key-file configuration"
+    audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_CERT_FILE=/etc/etcd/server.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep etcd_key_file=/etc/etcd/server.key /proc/1/environ; grep ETCD_CERT_FILE=/etc/etcd/server.crt /etc/etcd/etcd.conf; grep ETCD_KEY_FILE=/etc/etcd/server.key /etc/etcd/etcd.conf'"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "Binary file /proc/1/environ matches"
+        compare:
+          op: has
+          value: "Binary file /proc/1/environ matches"
+        set: true
+      - flag: "ETCD_CERT_FILE=/etc/etcd/server.crt"
+        compare:
+          op: has
+          value: "ETCD_CERT_FILE=/etc/etcd/server.crt"
+        set: true
+      - flag: "ETCD_KEY_FILE=/etc/etcd/server.key"
+        compare:
+          op: has
+          value: "ETCD_KEY_FILE=/etc/etcd/server.key"
+        set: true
+    remediation: |
+      Reset to the OpenShift default configuration.
+    scored: true
+
+  - id: 5.2
+    text: "Verify the default OpenShift setting for the client-cert-auth argument"
+    audit: "/bin/sh -c'/usr/local/bin/master-exec etcd etcd grep ETCD_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "Binary file /proc/1/environ matches"
+        compare:
+          op: has
+          value: "Binary file /proc/1/environ matches"
+        set: true
+      - flag: "ETCD_CLIENT_CERT_AUTH=true"
+        compare:
+          op: has
+          value: "ETCD_CLIENT_CERT_AUTH=true"
+        set: true
+    remediation: |
+      Reset to the OpenShift default configuration.
+    scored: true
+
+  - id: 5.3
+    text: "Verify the OpenShift default values for etcd_auto_tls"
+    audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_AUTO_TLS /proc/1/environ; grep ETCD_AUTO_TLS /etc/etcd/etcd.conf'"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "ETCD_AUTO_TLS=false"
+        compare:
+          op: has
+          value: "ETCD_AUTO_TLS=false"
+        set: true
+      - flag: "#ETCD_AUTO_TLS"
+        compare:
+          op: has
+          value: "#ETCD_AUTO_TLS"
+        set: true
+    remediation: |
+      Reset to the OpenShift default configuration.
+    scored: true
+
+  - id: 5.4
+    text: "Verify the OpenShift default peer-cert-file and peer-key-file arguments for etcd"
+    audit: "/bin/sh -c'/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep ETCD_PEER_KEY_FILE=/etc/etcd/peer.key /proc/1/environ; grep ETCD_PEER_CERT_FILE /etc/etcd/etcd.conf; grep ETCD_PEER_KEY_FILE /etc/etcd/etcd.conf'"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "Binary file /proc/1/environ matches"
+        compare:
+          op: has
+          value: "Binary file /proc/1/environ matches"
+        set: true
+      - flag: "ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt"
+        compare:
+          op: has
+          value: "ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt"
+        set: true
+      - flag: "ETCD_PEER_KEY_FILE=/etc/etcd/peer.key"
+        compare:
+          op: has
+          value: "ETCD_PEER_KEY_FILE=/etc/etcd/peer.key"
+        set: true
+    remediation: |
+      Reset to the OpenShift default configuration.
+    scored: true
+
+  - id: 5.5
+    text: "Verify the OpenShift default configuration for the peer-client-cert-auth"
+    audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_PEER_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "Binary file /proc/1/environ matches"
+        compare:
+          op: has
+          value: "Binary file /proc/1/environ matches"
+        set: true
+      - flag: "ETCD_PEER_CLIENT_CERT_AUTH=true"
+        compare:
+          op: has
+          value: "ETCD_PEER_CLIENT_CERT_AUTH=true"
+        set: true
+    remediation: |
+      Reset to the OpenShift default configuration.
+    scored: true
+
+  - id: 5.6
+    text: "Verify the OpenShift default configuration for the peer-auto-tls argument"
+    audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_AUTO_TLS /proc/1/environ; grep ETCD_PEER_AUTO_TLS /etc/etcd/etcd.conf'"
+    tests:
+      bin_op: and
+      test_items:
+      - flag: "Binary file /proc/1/environ matches"
+        compare:
+          op: has
+          value: "Binary file /proc/1/environ matches"
+        set: true
+      - flag: "#ETCD_PEER_AUTO_TLS=false"
+        compare:
+          op: has
+          value: "#ETCD_PEER_AUTO_TLS=false"
+        set: true
+    remediation: |
+      Reset to the OpenShift default configuration.
+    scored: true
+
+  - id: 5.7
+    text: "Optionally modify the wal-dir argument"
+    type: "skip"
+    scored: true
+
+  - id: 5.8
+    text: "Optionally modify the max-wals argument"
+    type: "skip"
+    scored: true
+
+  - id: 5.9
+    text: "Verify the OpenShift default configuration for the etcd Certificate Authority"
+    audit: "openssl x509 -in /etc/origin/master/master.etcd-ca.crt -subject -issuer -noout | sed 's/@/ /'"
+    tests:
+      test_items:
+      - flag: "issuer= /CN=etcd-signer"
+        compare:
+          op: has
+          value: "issuer= /CN=etcd-signer"
+        set: true
+    remediation: |
+      Reset to the OpenShift default configuration.
+    scored: false
+
+
+- id: 6
+  text: "General Security Primitives"
+  checks:
+  - id: 6.1
+    text: "Ensure that the cluster-admin role is only used where required"
+    type: "manual"
+    remediation: |
+      Review users, groups, serviceaccounts bound to cluster-admin:
+      oc get clusterrolebindings | grep cluster-admin
+
+      Review users and groups bound to cluster-admin and decide whether they require
+      such access. Consider creating least-privilege roles for users and service accounts
+    scored: false
+
+  - id: 6.2
+    text: "Verify Security Context Constraints as in use"
+    type: "manual"
+    remediation: |
+      Review Security Context Constraints:
+      oc get scc
+
+      Use OpenShift's Security Context Constraint feature, which has been contributed
+      to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10.
+      OpenShift ships with two SCCs: restricted and privileged.
+
+      The two default SCCs will be created when the master is started. The restricted
+      SCC is granted to all authenticated users by default.
+
+       https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html"
+    scored: false
+
+  - id: 6.3
+    text: "Use OpenShift projects to maintain boundaries between resources"
+    type: "manual"
+    remediation: |
+      Review projects:
+      oc get projects
+    scored: false
+
+  - id: 6.4
+    text: "Create network segmentation using the Multi-tenant plugin or Network Policies"
+    type: "manual"
+    remediation: |
+      Verify on masters the plugin being used:
+      grep networkPluginName /etc/origin/master/master-config.yaml
+
+      OpenShift provides multi-tenant networking isolation (using Open vSwich and
+      vXLAN), to segregate network traffic between containers belonging to different
+      tenants (users or applications) while running on a shared cluster. Red Hat also
+      works with 3rd-party SDN vendors to provide the same level of capabilities
+      integrated with OpenShift. OpenShift SDN is included a part of OpenShift
+      subscription.
+
+      OpenShift supports Kubernetes NetworkPolicy. Administrator must configure
+      NetworkPolicies if desired.
+
+      https://docs.openshift.com/container-platform/3.10/architecture/networking/sdn.html#architecture-additional-concepts-sdn
+
+      Ansible Inventory variable: os_sdn_network_plugin_name:
+      https://docs.openshift.com/container-platform/3.10/install/configuring_inventory_file.html
+    scored: false
+
+  - id: 6.5
+    text: "Enable seccomp and configure custom Security Context Constraints"
+    type: "manual"
+    remediation: |
+      Verify SCCs that have been configured with seccomp:
+      oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles
+
+      OpenShift does not enable seccomp by default. To configure seccomp profiles that
+      are applied to pods run by the SCC, follow the instructions in the
+      documentation:
+
+      https://docs.openshift.com/container-platform/3.9/admin_guide/seccomp.html#admin-guide-seccomp
+    scored: false
+
+  - id: 6.6
+    text: "Review Security Context Constraints"
+    type: "manual"
+    remediation: |
+      Review SCCs:
+      oc describe scc
+
+      Use OpenShift's Security Context Constraint feature, which has been contributed
+      to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10.
+
+      OpenShift ships with two SCCs: restricted and privileged. The two default SCCs
+      will be created when the master is started. The restricted SCC is granted to
+      all authenticated users by default.
+
+      All pods are run under the restricted SCC by default. Running a pod under any
+      other SCC requires an account with cluster admin capabilities to grant access
+      for the service account.
+
+      SecurityContextConstraints limit what securityContext is applied to pods and
+      containers.
+
+      https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html
+    scored: false
+
+  - id: 6.7
+    text: "Manage Image Provenance using ImagePolicyWebhook admission controller"
+    type: "manual"
+    remediation: |
+      Review imagePolicyConfig in /etc/origin/master/master-config.yaml.
+    scored: false
+
+  - id: 6.8
+    text: "Configure Network policies as appropriate"
+    type: "manual"
+    remediation: |
+      If ovs-networkplugin is used, review network policies:
+      oc get networkpolicies
+
+      OpenShift supports Kubernetes NetworkPolicy via ovs-networkpolicy plugin.
+      If choosing ovs-multitenant plugin, each namespace is isolated in its own
+      netnamespace by default.
+    scored: false
+
+  - id: 6.9
+    text: "Use Security Context Constraints as compensating controls for privileged containers"
+    type: "manual"
+    remediation: |
+      1) Determine all sccs allowing privileged containers:
+         oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer
+      2) Review users and groups assigned to sccs allowing priviliged containers:
+         oc describe sccs <from (1)>
+
+      Use OpenShift's Security Context Constraint feature, which has been contributed
+      to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10.
+
+      OpenShift ships with two SCCs: restricted and privileged. The two default SCCs
+      will be created when the master is started. The restricted SCC is granted to all
+      authenticated users by default.
+
+      Similar scenarios are documented in the SCC
+      documentation, which outlines granting SCC access to specific serviceaccounts.
+      Administrators may create least-restrictive SCCs based on individual container
+      needs.
+
+      For example, if a container only requires running as the root user, the anyuid
+      SCC can be used, which will not expose additional access granted by running
+      privileged containers.
+
+      https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html
+    scored: false
diff --git a/cfg/ocp-3.10/node.yaml b/cfg/ocp-3.10/node.yaml
index c537cf4810117177da69c6aa19ae501a8e5f92c2..fc27642e2d5f366f01e1f823153f8ff6ba6fd733 100644
--- a/cfg/ocp-3.10/node.yaml
+++ b/cfg/ocp-3.10/node.yaml
@@ -1,376 +1,376 @@
----
-controls:
-id: 2
-text: "Worker Node Security Configuration"
-type: "node"
-groups:
-- id: 2.1
-  text: "Kubelet"
-  checks:
-  - id: 2.1.1
-    text: "Ensure that the --allow-privileged argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 2.1.2
-    text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 2.1.3
-    text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
-    audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "authorization-mode"
-        set: false
-      - flag: "authorization-mode: Webhook"
-        compare:
-          op: has
-          value: "Webhook"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
-      kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
-    scored: true
-
-  - id: 2.1.4
-    text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
-    audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
-    tests:
-      test_items:
-      - flag: "client-ca-file"
-        set: false
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
-      grep -A1 client-ca-file /etc/origin/node/node-config.yaml
-
-      Reset to the OpenShift default. 
-      See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
-      The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
-    scored: true
-
-  - id: 2.1.5
-    text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
-    audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "read-only-port"
-        set: false
-      - flag: "read-only-port: 0"
-        compare:
-          op: has
-          value: "0"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
-    scored: true
-
-  - id: 2.1.6
-    text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
-    audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "streaming-connection-idle-timeout"
-        set: false
-      - flag: "0"
-        set: false
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
-      value like the following in node-config.yaml.
-      
-      kubeletArguments:
-        streaming-connection-idle-timeout:
-           - "5m"
-    scored: true
-
-  - id: 2.1.7
-    text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 2.1.8
-    text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
-    audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "make-iptables-util-chains"
-        set: false
-      - flag: "make-iptables-util-chains: true"
-        compare:
-          op: has
-          value: "true"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
-      default value of true. 
-    scored: true
-
-    id: 2.1.9
-    text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)"
-    audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
-    tests:
-      test_items:
-      - flag: "keep-terminated-pod-volumes: false"
-        compare:
-          op: has
-          value: "false"
-        set: true
-    remediation: |
-      Reset to the OpenShift defaults
-    scored: true
-
-  - id: 2.1.10
-    text: "Ensure that the --hostname-override argument is not set (Scored)"
-    type: "skip"
-    scored: true
-
-  - id: 2.1.11
-    text: "Ensure that the --event-qps argument is set to 0 (Scored)"
-    audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "event-qps"
-        set: false
-      - flag: "event-qps: 0"
-        compare:
-          op: has
-          value: "0"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
-      the kubeletArguments section of.
-    scored: true
-
-  - id: 2.1.12
-    text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
-    audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
-    tests:
-      test_items:
-      - flag: "/etc/origin/node/certificates"
-        compare:
-          op: has
-          value: "/etc/origin/node/certificates"
-        set: true
-    remediation: |
-      Reset to the OpenShift default values.
-    scored: true
-
-  - id: 2.1.13
-    text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
-    audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
-    tests:
-      bin_op: or
-      test_items:
-      - flag: "cadvisor-port"
-        set: false
-      - flag: "cadvisor-port: 0"
-        compare:
-          op: has
-          value: "0"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag 
-      if it is set in the  kubeletArguments section.
-    scored: true
-
-  - id: 2.1.14
-    text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)"
-    audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
-    tests:
-      test_items:
-      - flag: "RotateKubeletClientCertificate=true"
-        compare:
-          op: has
-          value: "true"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
-    scored: true
-
-  - id: 2.1.15
-    text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
-    audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
-    test:
-      test_items:
-      - flag: "RotateKubeletServerCertificate=true"
-        compare:
-          op: has
-          value: "true"
-        set: true
-    remediation: |
-      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
-    scored: true
-
-
-- id: 2.2
-  text: "Configuration Files"
-  checks:
-  - id: 2.2.1
-    text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a  /etc/origin/node/node.kubeconfig"
-    tests:
-      bin_op: or
-      test_items:
-        - flag: "644"
-          compare:
-            op: eq
-            value: "644"
-          set: true
-        - flag: "640"
-          compare:
-            op: eq
-            value: "640"
-          set: true
-        - flag: "600"
-          compare:
-            op: eq
-            value: "600"
-          set: true
-    remediation: |
-      Run the below command on each worker node.
-      chmod 644 /etc/origin/node/node.kubeconfig
-    scored: true
-
-  - id: 2.2.2
-    text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
-    tests:
-      test_items:
-        - flag: "root:root"
-          compare:
-            op: eq
-            value: root:root
-          set: true
-      remediation: |
-        Run the below command on each worker node.
-        chown root:root /etc/origin/node/node.kubeconfig
-      scored: true
-
-  - id: 2.2.3
-    text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
-    tests:
-      bin_op: or
-      test_items:
-        - flag: "644"
-          compare:
-            op: eq
-            value: "644"
-          set: true
-        - flag: "640"
-          compare:
-            op: eq
-            value: "640"
-          set: true
-        - flag: "600"
-          compare:
-            op: eq
-            value: "600"
-          set: true
-    remediation: |
-      Run the below command on each worker node.
-      chmod 644 /etc/systemd/system/atomic-openshift-node.service
-    scored: true
-
-  - id: 2.2.4
-    text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
-    tests:
-      test_items:
-        - flag: "root:root"
-          compare:
-            op: eq
-            value: root:root
-          set: true
-      remediation: |
-        Run the below command on each worker node.
-        chown root:root /etc/systemd/system/atomic-openshift-node.service
-      scored: true
-
-  - id: 2.2.5
-    text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/node/node.kubeconfig"
-    tests:
-      bin_op: or
-      test_items:
-        - flag: "644"
-          compare:
-            op: eq
-            value: "644"
-          set: true
-        - flag: "640"
-          compare:
-            op: eq
-            value: "640"
-          set: true
-        - flag: "600"
-          compare:
-            op: eq
-            value: "600"
-          set: true
-    remediation: |
-      Run the below command on each worker node.
-      chmod 644 /etc/origin/node/node.kubeconfig
-    scored: true
-
-  - id: 2.2.6
-    text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
-    tests:
-      test_items:
-        - flag: "root:root"
-          compare:
-            op: eq
-            value: root:root
-          set: true
-      remediation: |
-        Run the below command on each worker node.
-        chown root:root /etc/origin/node/node.kubeconfig
-      scored: true
-
-  - id: 2.2.7
-    text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
-    audit: "stat -c %a /etc/origin/node/client-ca.crt"
-    tests:
-      bin_op: or
-      test_items:
-        - flag: "644"
-          compare:
-            op: eq
-            value: "644"
-          set: true
-        - flag: "640"
-          compare:
-            op: eq
-            value: "640"
-          set: true
-        - flag: "600"
-          compare:
-            op: eq
-            value: "600"
-          set: true
-    remediation: |
-      Run the below command on each worker node.
-      chmod 644 /etc/origin/node/client-ca.crt
-    scored: true
-
-  - id: 2.2.8
-    text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
-    audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
-    tests:
-      test_items:
-        - flag: "root:root"
-          compare:
-            op: eq
-            value: root:root
-          set: true
-      remediation: |
-        Run the below command on each worker node.
-        chown root:root /etc/origin/node/client-ca.crt
-      scored: true
+---
+controls:
+id: 2
+text: "Worker Node Security Configuration"
+type: "node"
+groups:
+- id: 7
+  text: "Kubelet"
+  checks:
+  - id: 7.1
+    text: "Use Security Context Constraints to manage privileged containers as needed"
+    type: "skip"
+    scored: true
+
+  - id: 7.2
+    text: "Ensure anonymous-auth is not disabled"
+    type: "skip"
+    scored: true
+
+  - id: 7.3
+    text: "Verify that the --authorization-mode argument is set to WebHook"
+    audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "authorization-mode"
+        set: false
+      - flag: "authorization-mode: Webhook"
+        compare:
+          op: has
+          value: "Webhook"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
+      kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
+    scored: true
+
+  - id: 7.4
+    text: "Verify the OpenShift default for the client-ca-file argument"
+    audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "client-ca-file"
+        set: false
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
+      grep -A1 client-ca-file /etc/origin/node/node-config.yaml
+
+      Reset to the OpenShift default. 
+      See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
+      The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
+    scored: true
+
+  - id: 7.5
+    text: "Verify the OpenShift default setting for the read-only-port argument"
+    audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "read-only-port"
+        set: false
+      - flag: "read-only-port: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
+    scored: true
+
+  - id: 7.6
+    text: "Adjust the streaming-connection-idle-timeout argument"
+    audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "streaming-connection-idle-timeout"
+        set: false
+      - flag: "5m"
+        set: false
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
+      value like the following in node-config.yaml.
+      
+      kubeletArguments:
+        streaming-connection-idle-timeout:
+           - "5m"
+    scored: true
+
+  - id: 7.7
+    text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
+    type: "skip"
+    scored: true
+
+  - id: 7.8
+    text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
+    audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "make-iptables-util-chains"
+        set: false
+      - flag: "make-iptables-util-chains: true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
+      default value of true. 
+    scored: true
+
+  - id: 7.9
+    text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
+    audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "keep-terminated-pod-volumes: false"
+        compare:
+          op: has
+          value: "false"
+        set: true
+    remediation: |
+      Reset to the OpenShift defaults
+    scored: true
+
+  - id: 7.10
+    text: "Verify the OpenShift defaults for the hostname-override argument"
+    type: "skip"
+    scored: true
+
+  - id: 7.11
+    text: "Set the --event-qps argument to 0"
+    audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "event-qps"
+        set: false
+      - flag: "event-qps: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
+      the kubeletArguments section of.
+    scored: true
+
+  - id: 7.12
+    text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
+    audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "/etc/origin/node/certificates"
+        compare:
+          op: has
+          value: "/etc/origin/node/certificates"
+        set: true
+    remediation: |
+      Reset to the OpenShift default values.
+    scored: true
+
+  - id: 7.13
+    text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
+    audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
+    tests:
+      bin_op: or
+      test_items:
+      - flag: "cadvisor-port"
+        set: false
+      - flag: "cadvisor-port: 0"
+        compare:
+          op: has
+          value: "0"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag 
+      if it is set in the  kubeletArguments section.
+    scored: true
+
+  - id: 7.14
+    text: "Verify that the RotateKubeletClientCertificate argument is set to true"
+    audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
+    tests:
+      test_items:
+      - flag: "RotateKubeletClientCertificate=true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
+    scored: true
+
+  - id: 7.15
+    text: "Verify that the RotateKubeletServerCertificate argument is set to true"
+    audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
+    test:
+      test_items:
+      - flag: "RotateKubeletServerCertificate=true"
+        compare:
+          op: has
+          value: "true"
+        set: true
+    remediation: |
+      Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
+    scored: true
+
+
+- id: 8
+  text: "Configuration Files"
+  checks:
+  - id: 8.1
+    text: "Verify the OpenShift default permissions for the kubelet.conf file"
+    audit: "stat -c %a  /etc/origin/node/node.kubeconfig"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/node.kubeconfig
+    scored: true
+
+  - id: 8.2
+    text: "Verify the kubeconfig file ownership of root:root"
+    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/node.kubeconfig
+      scored: true
+
+  - id: 8.3
+    text: "Verify the kubelet service file permissions of 644"
+    audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/systemd/system/atomic-openshift-node.service
+    scored: true
+
+  - id: 8.4
+    text: "Verify the kubelet service file ownership of root:root"
+    audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/systemd/system/atomic-openshift-node.service
+      scored: true
+
+  - id: 8.5
+    text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
+    audit: "stat -c %a /etc/origin/node/node.kubeconfig"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/node.kubeconfig
+    scored: true
+
+  - id: 8.6
+    text: "Verify the proxy kubeconfig file ownership of root:root"
+    audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/node.kubeconfig
+      scored: true
+
+  - id: 8.7
+    text: "Verify the OpenShift default permissions for the certificate authorities file."
+    audit: "stat -c %a /etc/origin/node/client-ca.crt"
+    tests:
+      bin_op: or
+      test_items:
+        - flag: "644"
+          compare:
+            op: eq
+            value: "644"
+          set: true
+        - flag: "640"
+          compare:
+            op: eq
+            value: "640"
+          set: true
+        - flag: "600"
+          compare:
+            op: eq
+            value: "600"
+          set: true
+    remediation: |
+      Run the below command on each worker node.
+      chmod 644 /etc/origin/node/client-ca.crt
+    scored: true
+
+  - id: 8.8
+    text: "Verify the client certificate authorities file ownership of root:root"
+    audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
+    tests:
+      test_items:
+        - flag: "root:root"
+          compare:
+            op: eq
+            value: root:root
+          set: true
+      remediation: |
+        Run the below command on each worker node.
+        chown root:root /etc/origin/node/client-ca.crt
+      scored: true
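Review bot: The second test item of check 7.6 (`- flag: "5m"` with `set: false`) contradicts its own remediation: under `bin_op: or`, a node configured exactly as the remediation shows (`streaming-connection-idle-timeout: - "5m"`) fails both items, while a node with the timeout set to `0` passes the second one because the string `5m` is absent, so the intended "not 0" check is inverted; changing that item to `set: true` makes the pair read "either unset (OpenShift default) or explicitly 5m", which matches the remediation. Two structural problems also survive in the new file: check 7.15 spells its key `test:` instead of `tests:`, so a loader keyed on `tests` presumably sees no test items for it, and in checks 8.2, 8.4, 8.6 and 8.8 the `remediation:` and `scored:` lines are indented two spaces too far, making them children of `tests:` rather than of the check and leaving those four checks without a check-level `scored` flag. Dedenting those two keys by two spaces in each of the four checks, as already done in 8.1 and 8.3, fixes the nesting.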