diff --git a/cfg/federated.yaml b/cfg/1.6/federated.yaml
similarity index 99%
rename from cfg/federated.yaml
rename to cfg/1.6/federated.yaml
index fbff661942cf0fb42b66939e8584b3212fb26e52..c0e10210dc306ba836f9669806831929461412e0 100644
--- a/cfg/federated.yaml
+++ b/cfg/1.6/federated.yaml
@@ -1,5 +1,6 @@
---
controls:
+version: 1.6
id: 3
text: "Federated Deployments"
type: "federated"
diff --git a/cfg/1.6/master.yaml b/cfg/1.6/master.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..209f31d3907b81990d4ff5a4ef9e06102486e1b3
--- /dev/null
+++ b/cfg/1.6/master.yaml
@@ -0,0 +1,966 @@
+---
+controls:
+version: 1.6
+id: 1
+text: "Master Node Security Configuration"
+type: "master"
+groups:
+- id: 1.1
+ text: "API Server"
+ checks:
+ - id: 1.1.1
+ text: "Ensure that the --allow-privileged argument is set to false (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "allow-privileged"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set
+ the KUBE_ALLOW_PRIV parameter to \"--allow-privileged=false\""
+ scored: true
+
+ - id: 1.1.2
+ text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--anonymous-auth"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set
+ the KUBE_API_ARGS parameter to \"--anonymous-auth=false\""
+ scored: true
+
+ - id: 1.1.3
+ text: "Ensure that the --basic-auth-file argument is not set (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--basic-auth-file"
+ set: false
+ remediation: "Follow the documentation and configure alternate mechanisms for
+ authentication. Then, edit the $apiserverconf file on the master
+ node and remove the \"--basic-auth-file=<filename>\" argument from the
+ KUBE_API_ARGS parameter."
+ scored: true
+
+ - id: 1.1.4
+ text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--insecure-allow-any-token"
+ set: false
+ remediation: "Edit the $apiserverconf file on the master node and remove
+ the --insecure-allow-any-token argument from the KUBE_API_ARGS parameter."
+ scored: true
+
+ - id: 1.1.5
+ text: "Ensure that the --kubelet-https argument is set to true (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--kubelet-https"
+ compare:
+ op: eq
+ value: true
+ set: true
+ - flag: "--kubelet-https"
+ set: false
+ remediation: "Edit the $apiserverconf file on the master node and remove
+ the --kubelet-https argument from the KUBE_API_ARGS parameter."
+ scored: true
+
+ - id: 1.1.6
+ text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--insecure-bind-address"
+ set: false
+ remediation: "Edit the $apiserverconf file on the master node and remove
+ the --insecure-bind-address argument from the KUBE_API_ADDRESS parameter."
+ scored: true
+
+ - id: 1.1.7
+ text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--insecure-port"
+ compare:
+ op: eq
+ value: 0
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set
+ --insecure-port=0 in the KUBE_API_PORT parameter."
+ scored: true
+
+ - id: 1.1.8
+ text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--secure-port"
+ compare:
+ op: gt
+ value: 0
+ set: true
+ - flag: "--secure-port"
+ set: false
+ remediation: "Edit the $apiserverconf file on the master node and either
+ remove the --secure-port argument from the KUBE_API_ARGS parameter or set
+ it to a different desired port."
+ scored: true
+
+ - id: 1.1.9
+ text: "Ensure that the --profiling argument is set to false (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--profiling"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_API_ARGS parameter to \"--profiling=false\""
+ scored: true
+
+ - id: 1.1.10
+ text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--repair-malformed-updates"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_API_ARGS parameter to \"--repair-malformed-updates=false\""
+ scored: true
+
+ - id: 1.1.11
+ text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--admission-control"
+ compare:
+ op: nothave
+ value: AlwaysAdmit
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_ADMISSION_CONTROL parameter to a value that does not include AlwaysAdmit"
+ scored: true
+
+ - id: 1.1.12
+ text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--admission-control"
+ compare:
+ op: has
+ value: "AlwaysPullImages"
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,AlwaysPullImages,...\""
+ scored: true
+
+ - id: 1.1.13
+ text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--admission-control"
+ compare:
+ op: has
+ value: "DenyEscalatingExec"
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,DenyEscalatingExec,...\""
+ scored: true
+
+ - id: 1.1.14
+ text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--admission-control"
+ compare:
+ op: has
+ value: "SecurityContextDeny"
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_ADMISSION_CONTROL parameter to \"--admission-control=...,SecurityContextDeny,...\""
+ scored: true
+
+ - id: 1.1.15
+ text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "admission-control"
+ compare:
+ op: has
+ value: "NamespaceLifecycle"
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_ADMISSION_CONTROL parameter to \"--admission-control=NamespaceLifecycle,...\""
+ scored: true
+
+ - id: 1.1.16
+ text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-path"
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_API_ARGS parameter to \"--audit-log-path=<filename>\""
+ scored: true
+
+ - id: 1.1.17
+ text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-maxage"
+ compare:
+ op: gte
+ value: 30
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_API_ARGS parameter to \"--audit-log-maxage=30\""
+ scored: true
+
+ - id: 1.1.18
+ text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-maxbackup"
+ compare:
+ op: gte
+ value: 10
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_API_ARGS parameter to \"--audit-log-maxbackup=10\""
+ scored: true
+
+ - id: 1.1.19
+ text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-maxsize"
+ compare:
+ op: gte
+ value: 100
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_API_ARGS parameter to \"--audit-log-maxsize=100\""
+ scored: true
+
+ - id: 1.1.20
+ text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--authorization-mode"
+ compare:
+ op: nothave
+ value: "AlwaysAllow"
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the
+ KUBE_API_ARGS parameter to values other than \"--authorization-mode=AlwaysAllow\""
+ scored: true
+
+ - id: 1.1.21
+ text: "Ensure that the --token-auth-file parameter is not set (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--token-auth-file"
+ set: false
+ remediation: "Follow the documentation and configure alternate mechanisms for authentication.
+ Then, edit the $apiserverconf file on the master node and remove the
+ \"--tokenauth-file=<filename>\" argument from the KUBE_API_ARGS parameter."
+ scored: true
+
+ - id: 1.1.22
+ text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--kubelet-certificate-authority"
+ set: true
+ remediation: "Follow the Kubernetes documentation and setup the TLS connection between
+ the apiserver and kubelets. Then, edit the $apiserverconf file on the
+ master node and set the KUBE_API_ARGS parameter to
+ \"--kubelet-certificate-authority=<ca-string>\""
+ scored: true
+
+ - id: 1.1.23
+ text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "--kubelet-client-certificate"
+ set: true
+ - flag: "--kubelet-client-key"
+ set: true
+ remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
+ and kubelets. Then, edit the $apiserverconf file on the master node and set the
+ KUBE_API_ARGS parameter to \"--kubelet-clientcertificate=<path/to/client-certificate-file>\"
+ and \"--kubelet-clientkey=<path/to/client-key-file>\""
+ scored: true
+
+ - id: 1.1.24
+ text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--service-account-lookup"
+ compare:
+ op: eq
+ value: true
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter
+ to \"--service-account-lookup=true\""
+ scored: true
+
+ - id: 1.1.25
+ text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--admission-control"
+ compare:
+ op: has
+ value: "PodSecurityPolicy"
+ set: true
+ remediation: "Follow the documentation and create Pod Security Policy objects as per your environment.
+ Then, edit the $apiserverconf file on the master node and set the KUBE_ADMISSION_CONTROL
+ parameter to \"--admission-control=...,PodSecurityPolicy,...\""
+ scored: true
+
+ - id: 1.1.26
+ text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--service-account-key-file"
+ set: true
+ remediation: "Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
+ parameter to \"--service-account-key-file=<filename>\""
+ scored: true
+
+ - id: 1.1.27
+ text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "--etcd-certfile"
+ set: true
+ - flag: "--etcd-keyfile"
+ set: true
+ remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
+ and etcd. Then, edit the $apiserverconf file on the master node and set the
+ KUBE_API_ARGS parameter to include \"--etcd-certfile=<path/to/clientcertificate-file>\"
+ and \"--etcd-keyfile=<path/to/client-key-file>\""
+ scored: true
+
+ - id: 1.1.28
+ text: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--admission-control"
+ compare:
+ op: has
+ value: "ServiceAccount"
+ set: true
+ remediation: "Follow the documentation and create ServiceAccount objects as per your environment.
+ Then, edit the $apiserverconf file on the master node and set the
+ KUBE_ADMISSION_CONTROL parameter to \"--admissioncontrol=...,ServiceAccount,...\""
+ scored: true
+
+ - id: 1.1.29
+ text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "--tls-cert-file"
+ set: true
+ - flag: "--tls-private-key-file"
+ set: true
+ remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
+ Then, edit the $apiserverconf file on the master node and set the KUBE_API_ARGS parameter to
+ include \"--tls-cert-file=<path/to/tls-certificatefile>\" and
+ \"--tls-private-key-file=<path/to/tls-key-file>\""
+ scored: true
+
+ - id: 1.1.30
+ text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--client-ca-file"
+ set: true
+ remediation: "Follow the Kubernetes documentation and set up the TLS connection on the apiserver.
+ Then, edit the $apiserverconf file on the master node and set the
+ KUBE_API_ARGS parameter to include \"--client-ca-file=<path/to/client-ca-file>\""
+ scored: true
+
+ - id: 1.1.31
+ text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--etcd-cafile"
+ set: true
+ remediation: "Follow the Kubernetes documentation and set up the TLS connection between the apiserver
+ and etcd. Then, edit the $apiserverconf file on the master node and set the
+ KUBE_API_ARGS parameter to include \"--etcd-cafile=<path/to/ca-file>\""
+ scored: true
+
+- id: 1.2
+ text: "Scheduler"
+ checks:
+ - id: 1.2.1
+ text: "Ensure that the --profiling argument is set to false (Scored)"
+ audit: "ps -ef | grep $schedulerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--profiling"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the $schedulerconf file on the master node and set the KUBE_SCHEDULER_ARGS
+ parameter to \"--profiling=false\""
+ scored: true
+
+- id: 1.3
+ text: "Controller Manager"
+ checks:
+ - id: 1.3.1
+ text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--terminated-pod-gc-threshold"
+ set: true
+ remediation: "Edit the $controllermanagerconf file on the master node and set the
+ KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--terminated-pod-gcthreshold=<appropriate-number>\""
+ scored: true
+
+ - id: 1.3.2
+ text: "Ensure that the --profiling argument is set to false (Scored)"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--profiling"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the $controllermanagerconf file on the master node and set the
+ KUBE_CONTROLLER_MANAGER_ARGS parameter to \"--profiling=false\""
+ scored: true
+
+ - id: 1.3.3
+ text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--insecure-experimental-approve-all-kubelet-csrs-for-group"
+ set: false
+ remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and remove the
+ --insecure-experimental-approve-all-kubelet-csrs-for-group argument from the
+ KUBE_CONTROLLER_MANAGER_ARGS parameter."
+ scored: true
+
+ - id: 1.3.4
+ text: "Ensure that the --use-service-account-credentials argument is set"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--use-service-account-credentials"
+ compare:
+ op: eq
+ value: true
+ set: true
+ remediation: "Edit the $controllermanagerconf file on the master node and set the
+ KUBE_CONTROLLER_MANAGER_ARGS parameter to --use-service-account-credentials=true"
+ scored: true
+
+ - id: 1.3.5
+ text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--service-account-private-key-file"
+ set: true
+ remediation: "Edit the $controllermanagerconf file on the master node and set the
+ KUBE_CONTROLLER_MANAGER_ARGS parameter to --service-account-private-keyfile=<filename>"
+ scored: true
+
+ - id: 1.3.6
+ text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--root-ca-file"
+ set: true
+ remediation: "Edit the $controllermanagerconf file on the master node and set the
+ KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
+ scored: true
+
+- id: 1.4
+ text: "Configure Files"
+ checks:
+ - id: 1.4.1
+ text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
+ # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
+ audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the master node.
+ \nFor example, chmod 644 $apiserverconf"
+ scored: true
+
+ - id: 1.4.2
+ text: "Ensure that the apiserver file ownership is set to root:root (Scored)"
+ audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the master node.
+ \nFor example, chown root:root $apiserverconf"
+ scored: true
+
+ - id: 1.4.3
+ text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
+ audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the master node.
+ \nFor example, chmod 644 $config"
+ scored: true
+
+ - id: 1.4.4
+ text: "Ensure that the config file ownership is set to root:root (Scored)"
+ audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the master node.
+ \nFor example, chown root:root $config"
+ scored: true
+
+ - id: 1.4.5
+ text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
+ audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the master node.
+ \nFor example, chmod 644 $schedulerconf"
+ scored: true
+
+ - id: 1.4.6
+ text: "Ensure that the scheduler file ownership is set to root:root (Scored)"
+ audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the master node.
+ \nFor example, chown root:root $schedulerconf"
+ scored: true
+
+ - id: 1.4.7
+ text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
+ audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the master node.
+ \nFor example, chmod 644 $etcdconf"
+ scored: true
+
+ - id: 1.4.8
+ text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
+ audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the master node.
+ \nFor example, chown root:root $etcdconf"
+ scored: true
+
+ - id: 1.4.9
+ text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
+ audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the master node.
+ \nFor example, chmod 644 $flanneldconf"
+ scored: true
+
+ - id: 1.4.10
+ text: "Ensure that the flanneld file ownership is set to root:root (Scored)"
+ audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: "root:root"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the master node.
+ \nFor example, chown root:root $flanneldconf"
+ scored: true
+
+ - id: 1.4.11
+ text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
+ audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a"
+ tests:
+ test_items:
+ - flag: "700"
+ compare:
+ op: eq
+ value: "700"
+ set: true
+ remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
+ from the below command:\n
+ ps -ef | grep $etcdbin\n
+ Run the below command (based on the etcd data directory found above). For example,\n
+ chmod 700 /var/lib/etcd/default.etcd"
+ scored: true
+
+ - id: 1.4.12
+ text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
+ audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G"
+ tests:
+ test_items:
+ - flag: "etcd:etcd"
+ set: true
+ remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
+ from the below command:\n
+ ps -ef | grep etcd\n
+ Run the below command (based on the etcd data directory found above). For example,\n
+ chown etcd:etcd /var/lib/etcd/default.etcd"
+ scored: true
+
+- id: 1.5
+ text: "etcd"
+ checks:
+ - id: 1.5.1
+ text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--cert-file"
+ set: true
+ - flag: "--key-file"
+ set: true
+ remediation: "Follow the etcd service documentation and configure TLS encryption."
+ scored: true
+
+ - id: 1.5.2
+ text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--client-cert-auth"
+ compare:
+ op: eq
+ value: true
+ set: true
+ remediation: "Edit the etcd envrironment file (for example, $etcdconf) on the
+ etcd server node and set the ETCD_CLIENT_CERT_AUTH parameter to \"true\".
+ Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service)
+ and configure the startup parameter for --clientcert-auth and set it to \"${ETCD_CLIENT_CERT_AUTH}\""
+ scored: true
+
+ - id: 1.5.3
+ text: "Ensure that the --auto-tls argument is not set to true (Scored)"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--auto-tls"
+ set: false
+ - flag: "--auto-tls"
+ compare:
+ op: neq
+ value: true
+ remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server
+ node and comment out the ETCD_AUTO_TLS parameter. Edit the etcd startup file (for example,
+ /etc/systemd/system/multiuser.target.wants/etcd.service) and remove the startup parameter
+ for --auto-tls."
+ scored: true
+
+ - id: 1.5.4
+ text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--peer-cert-file"
+ set: true
+ - flag: "--peer-key-file"
+ set: true
+ remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only
+ one etcd server in your environment then this recommendation is not applicable.
+ Follow the etcd service documentation and configure peer TLS encryption as appropriate for
+ your etcd cluster."
+ scored: true
+
+ - id: 1.5.5
+ text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--peer-client-cert-auth"
+ compare:
+ op: eq
+ value: true
+ set: true
+ remediation: "Note: This recommendation is applicable only for etcd clusters. If you are using only
+ one etcd server in your environment then this recommendation is not applicable.
+ Edit the etcd environment file (for example, $etcdconf) on the etcd server node
+ and set the ETCD_PEER_CLIENT_CERT_AUTH parameter to \"true\". Edit the etcd startup file
+ (for example, /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the
+ startup parameter for --peer-client-cert-auth and set it to \"${ETCD_PEER_CLIENT_CERT_AUTH}\""
+ scored: true
+
+ - id: 1.5.6
+ text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--peer-auto-tls"
+ set: false
+ - flag: "--peer-auto-tls"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Note: This recommendation is applicable only for etcd clusters.
+ If you are using only one etcd server in your environment then this recommendation is
+ not applicable. Edit the etcd environment file (for example, $etcdconf)
+ on the etcd server node and comment out the ETCD_PEER_AUTO_TLS parameter.
+ Edit the etcd startup file (for example, /etc/systemd/system/multiuser.target.wants/etcd.service)
+ and remove the startup parameter for --peer-auto-tls."
+ scored: true
+
+ - id: 1.5.7
+ text: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--wal-dir"
+ set: true
+ remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node
+ and set the ETCD_WAL_DIR parameter as appropriate. Edit the etcd startup file (for example,
+ /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter for
+ --wal-dir and set it to \"${ETCD_WAL_DIR}\""
+ scored: true
+
+ - id: 1.5.8
+ text: "Ensure that the --max-wals argument is set to 0 (Scored)"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--max-wals"
+ compare:
+ op: eq
+ value: 0
+ set: true
+ remediation: "Edit the etcd environment file (for example, $etcdconf) on the etcd server node
+ and set the ETCD_MAX_WALS parameter to 0. Edit the etcd startup file (for example,
+ /etc/systemd/system/multiuser.target.wants/etcd.service) and configure the startup parameter
+ for --max-wals and set it to \"${ETCD_MAX_WALS}\"."
+ scored: true
+
+ - id: 1.5.9
+ text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
+ audit: "ps -ef | grep $etcdbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--trusted-ca-file"
+ set: true
+ remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the
+ etcd service."
+ scored: false
+
+- id: 1.6
+ text: "General Security Primitives"
+ checks:
+ - id: 1.6.1
+ text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
+ type: "manual"
+ remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
+ scored: false
+
+ - id: 1.6.2
+ text: "Create Pod Security Policies for your cluster (Not Scored)"
+ type: "manual"
+ remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
+ Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
+ suggested Pod Security Policies for your environment."
+ scored: false
+
+ - id: 1.6.3
+ text: "Create administrative boundaries between resources using namespaces (Not Scored)"
+ type: "manual"
+ remediation: "Follow the documentation and create namespaces for objects in your deployment as you
+ need them."
+ scored: false
+
+ - id: 1.6.4
+ text: "Create network segmentation using Network Policies (Not Scored)"
+ type: "manual"
+ remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
+ scored: false
+
+ - id: 1.6.5
+ text: "Avoid using Kubernetes Secrets (Not Scored)"
+ type: "manual"
+ remediation: "Use other mechanisms such as vaults to manage your cluster secrets."
+ scored: false
+
+
+ - id: 1.6.6
+ text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
+ type: "manual"
+ remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
+ would need to enable alpha features in the apiserver by passing \"--feature-
+ gates=AllAlpha=true\" argument.\n
+ Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
+ parameter to \"--feature-gates=AllAlpha=true\"
+ KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
+ scored: false
+
+ - id: 1.6.7
+ text: "Apply Security Context to Your Pods and Containers (Not Scored)"
+ type: "manual"
+ remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
+ suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
+ Containers."
+ scored: false
+
+ - id: 1.6.8
+ text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
+ type: "manual"
+ remediation: "Follow the Kubernetes documentation and setup image provenance."
+ scored: false
diff --git a/cfg/1.6/node.yaml b/cfg/1.6/node.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..93447248a7630043cb3a079d4ec8bba65a9144a7
--- /dev/null
+++ b/cfg/1.6/node.yaml
@@ -0,0 +1,304 @@
+---
+controls:
+version: 1.6
+id: 2
+text: "Worker Node Security Configuration"
+type: "node"
+groups:
+- id: 2.1
+ text: "Kubelet"
+ checks:
+ - id: 2.1.1
+ text: "Ensure that the --allow-privileged argument is set to false (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--allow-privileged"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the $config file on each node and set the KUBE_ALLOW_PRIV
+ parameter to \"--allow-privileged=false\""
+ scored: true
+
+ - id: 2.1.2
+ text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--anonymous-auth"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the $kubeletconf file on the master node and set the
+ KUBELET_ARGS parameter to \"--anonymous-auth=false\""
+ scored: true
+
+ - id: 2.1.3
+ text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--authorization-mode"
+ compare:
+ op: nothave
+ value: "AlwaysAllow"
+ set: true
+ remediation: "Edit the $kubeletconf file on each node and set the
+ KUBELET_ARGS parameter to \"--authorization-mode=Webhook\""
+ scored: true
+
+ - id: 2.1.4
+ text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--client-ca-file"
+ set: true
+ remediation: "Follow the Kubernetes documentation and setup the TLS connection between
+ the apiserver and kubelets. Then, edit the $kubeletconf file on each node
+ and set the KUBELET_ARGS parameter to \"--client-ca-file=<path/to/client-ca-file>\""
+ scored: true
+
+ - id: 2.1.5
+ text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--read-only-port"
+ compare:
+ op: eq
+ value: 0
+ set: true
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
+ parameter to \"--read-only-port=0\""
+ scored: true
+
+ - id: 2.1.6
+ text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--streaming-connection-idle-timeout"
+ compare:
+ op: gt
+ value: 0
+ set: true
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
+ parameter to \"--streaming-connection-idle-timeout=<appropriate-timeout-value>\""
+ scored: true
+
+ - id: 2.1.7
+ text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--protect-kernel-defaults"
+ compare:
+ op: eq
+ value: true
+ set: true
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
+ parameter to \"--protect-kernel-defaults=true\""
+ scored: true
+
+ - id: 2.1.8
+ text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--make-iptables-util-chains"
+ compare:
+ op: eq
+ value: true
+ set: true
+ - flag: "--make-iptables-util-chains"
+ set: false
+ remediation: "Edit the $kubeletconf file on each node and remove the
+ --make-iptables-util-chains argument from the KUBELET_ARGS parameter."
+ scored: true
+
+ - id: 2.1.9
+ text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--keep-terminated-pod-volumes"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
+ parameter to \"--keep-terminated-pod-volumes=false\""
+ scored: true
+
+ - id: 2.1.10
+ text: "Ensure that the --hostname-override argument is not set (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--hostname-override"
+ set: false
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_HOSTNAME
+ parameter to \"\""
+ scored: true
+
+ - id: 2.1.11
+ text: "Ensure that the --event-qps argument is set to 0 (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--event-qps"
+ compare:
+ op: eq
+ value: 0
+ set: true
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS
+ parameter to \"--event-qps=0\""
+ scored: true
+
+ - id: 2.1.12
+ text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--tls-cert-file"
+ set: true
+ - flag: "--tls-private-key-file"
+ set: true
+ remediation: "Follow the Kubernetes documentation and set up the TLS connection on the Kubelet.
+ Then, edit the $kubeletconf file on the master node and set the KUBELET_ARGS
+ parameter to include \"--tls-cert-file=<path/to/tls-certificate-file>\" and
+ \"--tls-private-key-file=<path/to/tls-key-file>\""
+ scored: true
+
+ - id: 2.1.13
+ text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
+ audit: "ps -ef | grep $kubeletbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--cadvisor-port"
+ compare:
+ op: eq
+ value: 0
+ set: true
+ remediation: "Edit the $kubeletconf file on each node and set the KUBELET_ARGS parameter
+ to \"--cadvisor-port=0\""
+ scored: true
+
+- id: 2.2
+ text: "Configuration Files"
+ checks:
+ - id: 2.2.1
+ text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
+ audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the each worker node.
+ \nFor example, chmod 644 $config"
+ scored: true
+
+ - id: 2.2.2
+ text: "Ensure that the config file ownership is set to root:root (Scored)"
+ audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ compare:
+ op: eq
+ value: root:root
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the each worker node.
+ \nFor example, chown root:root $config"
+ scored: true
+
+ - id: 2.2.3
+ text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
+ audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: 644
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the each worker node.
+ \nFor example, chmod 644 $kubeletconf"
+ scored: true
+
+ - id: 2.2.4
+ text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
+ audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the each worker node.
+ \nFor example, chown root:root $kubeletconf"
+ scored: true
+
+ - id: 2.2.5
+ text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
+ audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "644"
+ compare:
+ op: eq
+ value: "644"
+ set: true
+ - flag: "640"
+ compare:
+ op: eq
+ value: "640"
+ set: true
+ - flag: "600"
+ compare:
+ op: eq
+ value: "600"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the each worker node.
+ \nFor example, chmod 644 $proxyconf"
+ scored: true
+
+ - id: 2.2.6
+ text: "Ensure that the proxy file ownership is set to root:root (Scored)"
+ audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
+ tests:
+ test_items:
+ - flag: "root:root"
+ set: true
+ remediation: "Run the below command (based on the file location on your system) on the each worker node.
+ \nFor example, chown root:root $proxyconf"
+ scored: true
diff --git a/cfg/1.7/federated.yaml b/cfg/1.7/federated.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0c27dc15395860c5d51ebef534a0809bd441c21e
--- /dev/null
+++ b/cfg/1.7/federated.yaml
@@ -0,0 +1,285 @@
+---
+controls:
+version: 1.7
+id: 3
+text: "Federated Deployments"
+type: "federated"
+groups:
+- id: 3.1
+ text: "Federation API Server"
+ checks:
+ - id: 3.1.1
+ text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--anonymous-auth"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the deployment specs and set --anonymous-auth=false.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.2
+ text: "Ensure that the --basic-auth-file argument is not set (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--basic-auth-file"
+ set: false
+ remediation: "Follow the documentation and configure alternate mechanisms for authentication.
+ Then, edit the deployment specs and remove \"--basic-auth-file=<filename>\".\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.3
+ text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--insecure-allow-any-token"
+ set: false
+ remediation: "Edit the deployment specs and remove --insecure-allow-any-token.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.4
+ text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--insecure-bind-address"
+ set: false
+ remediation: "Edit the deployment specs and remove --insecure-bind-address.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.5
+ text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--insecure-port"
+ compare:
+ op: eq
+ value: 0
+ set: true
+ remediation: "Edit the deployment specs and set --insecure-port=0.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.6
+ text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ bin_op: or
+ test_items:
+ - flag: "--secure-port"
+ compare:
+ op: gt
+ value: 0
+ set: true
+ - flag: "--secure-port"
+ set: false
+ remediation: "Edit the deployment specs and set the --secure-port argument to the desired port.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.7
+ text: "Ensure that the --profiling argument is set to false (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--profiling"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the deployment specs and set \"--profiling=false\".\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ score: true
+
+ - id: 3.1.8
+ text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--admission-control"
+ compare:
+ op: nothave
+ value: AlwaysAdmit
+ set: true
+ remediation: "Edit the deployment specs and set --admission-control argument to a value that does
+ not include AlwaysAdmit.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.9
+ text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "admission-control"
+ compare:
+ op: has
+ value: "NamespaceLifecycle"
+ set: true
+ remediation: "Edit the deployment specs and set --admission-control argument to a value that includes NamespaceLifecycle.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.10
+ text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-path"
+ set: true
+ remediation: "Edit the deployment specs and set --audit-log-path argument as appropriate.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.11
+ text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-maxage"
+ compare:
+ op: gte
+ value: 30
+ set: true
+ remediation: "Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.12
+ text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-maxbackup"
+ compare:
+ op: gte
+ value: 10
+ set: true
+ remediation: "Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.13
+ text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--audit-log-maxsize"
+ compare:
+ op: gte
+ value: 100
+ set: true
+ remediation: "Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.14
+ text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--authorization-mode"
+ compare:
+ op: nothave
+ value: "AlwaysAllow"
+ set: true
+ remediation: "Edit the deployment specs and set --authorization-mode argument to a value other than AlwaysAllow.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.15
+ text: "Ensure that the --token-auth-file parameter is not set (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--token-auth-file"
+ set: false
+ remediation: "Follow the documentation and configure alternate mechanisms for authentication.
+ Then, edit the deployment specs and remove the --token-auth-file=<filename> argument.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.16
+ text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--service-account-lookup"
+ compare:
+ op: eq
+ value: true
+ set: true
+ remediation: "Edit the deployment specs and set \"--service-account-lookup=true\".\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.17
+ text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--service-account-key-file"
+ set: true
+ remediation: "Edit the deployment specs and set --service-account-key-file argument as appropriate.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.18
+ text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "--etcd-certfile"
+ set: true
+ - flag: "--etcd-keyfile"
+ set: true
+ remediation: "Follow the Kubernetes documentation and set up the TLS connection between the
+ federation apiserver and etcd. Then, edit the deployment specs and set \"--etcd-
+ certfile=<path/to/client-certificate-file>\" and \"--etcd-
+ keyfile=<path/to/client-key-file>\" arguments.\n
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+ - id: 3.1.19
+ text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
+ audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
+ tests:
+ bin_op: and
+ test_items:
+ - flag: "--tls-cert-file"
+ set: true
+ - flag: "--tls-private-key-file"
+ set: true
+ remediation: "Follow the Kubernetes documentation and set up the TLS connection on the federation
+ apiserver. Then, edit the deployment specs and set \"--tls-cert-file=<path/to/tls-
+ certificate-file>\" and \"--tls-private-key-file=<path/to/tls-key-file>\" :
+ kubectl edit deployments federation-apiserver-deployment --namespace=federation-system"
+ scored: true
+
+- id: 3.2
+ text: "Federation Controller Manager"
+ checks:
+ - id: 3.2.1
+ text: "Ensure that the --profiling argument is set to false (Scored)"
+ audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
+ tests:
+ test_items:
+ - flag: "--profiling"
+ compare:
+ op: eq
+ value: false
+ set: true
+ remediation: "Edit the deployment specs and set \"--profiling=false\".\n
+ kubectl edit deployments federation-controller-manager-deployment --namespace=federation-system"
+ scored: true
diff --git a/cfg/master.yaml b/cfg/1.7/master.yaml
similarity index 99%
rename from cfg/master.yaml
rename to cfg/1.7/master.yaml
index dc9295e4b99646751ffaef7e7062f97b95a17945..a306eef2ac691bc1f82d5d12220085582509ee1b 100644
--- a/cfg/master.yaml
+++ b/cfg/1.7/master.yaml
@@ -1,5 +1,6 @@
---
controls:
+version: 1.7
id: 1
text: "Master Node Security Configuration"
type: "master"
@@ -310,7 +311,7 @@ groups:
scored: true
- id: 1.1.23
- text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)"
+ text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: and
diff --git a/cfg/node.yaml b/cfg/1.7/node.yaml
similarity index 99%
rename from cfg/node.yaml
rename to cfg/1.7/node.yaml
index 0a1c0b68dc4e2284c31251247ee2d67042748e98..de0f8b5157b0b0980df10ffb069e3bb39f794e3b 100644
--- a/cfg/node.yaml
+++ b/cfg/1.7/node.yaml
@@ -1,5 +1,6 @@
---
controls:
+version: 1.7
id: 2
text: "Worker Node Security Configuration"
type: "node"
diff --git a/check/controls.go b/check/controls.go
index dfea0067178a0b1436669852993716d572104ae9..909adb7b4b77706baccf62f566ad22370ba7601f 100644
--- a/check/controls.go
+++ b/check/controls.go
@@ -24,6 +24,7 @@ import (
// Controls holds all controls to check for master nodes.
type Controls struct {
ID string `yaml:"id"`
+ Version string
Text string
Type NodeType
Groups []*Group
diff --git a/check/controls_test.go b/check/controls_test.go
index ef9b1f4cf2576c12c29cc580f606d24e3a6fd4ed..3cf9b60f221878f9c205bb084a70ef6df3a6ef01 100644
--- a/check/controls_test.go
+++ b/check/controls_test.go
@@ -11,22 +11,31 @@ const cfgDir = "../cfg/"
// validate that the files we're shipping are valid YAML
func TestYamlFiles(t *testing.T) {
- files, err := ioutil.ReadDir(cfgDir)
- if err != nil {
- t.Fatalf("error reading %s directory: %v", cfgDir, err)
- }
- for _, file := range files {
- fileName := file.Name()
- in, err := ioutil.ReadFile(cfgDir + fileName)
+ // TODO: make this list dynamic
+ dirs := []string{"1.6/", "1.7/"}
+
+ for _, dir := range dirs {
+ dir = cfgDir + dir
+
+ files, err := ioutil.ReadDir(dir)
if err != nil {
- t.Fatalf("error opening file %s: %v", fileName, err)
+ t.Fatalf("error reading %s directory: %v", dir, err)
}
- c := new(Controls)
+ for _, file := range files {
- err = yaml.Unmarshal(in, c)
- if err != nil {
- t.Fatalf("failed to load YAML from %s: %v", fileName, err)
+ fileName := file.Name()
+ in, err := ioutil.ReadFile(dir + fileName)
+ if err != nil {
+ t.Fatalf("error opening file %s: %v", fileName, err)
+ }
+
+ c := new(Controls)
+
+ err = yaml.Unmarshal(in, c)
+ if err != nil {
+ t.Fatalf("failed to load YAML from %s: %v", fileName, err)
+ }
}
}
}
diff --git a/cmd/common.go b/cmd/common.go
index 3708d1fb1a6feb91d12a2269132c6c20e0b6f71c..0e4bbb09445a694abd3220a8a28cfc1d2e8262ef 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -86,7 +86,9 @@ func runChecks(t check.NodeType) {
file = federatedFile
}
- in, err := ioutil.ReadFile(file)
+ ver := getKubeVersion()
+ path := fmt.Sprintf("%s/%s/%s", cfgDir, ver.Server, file)
+ in, err := ioutil.ReadFile(path)
if err != nil {
exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err))
}
diff --git a/cmd/federated.go b/cmd/federated.go
index 1ebc2511e49589a4c358600785eaad9c2d8097a8..0f9dbf32030b872d04b5895e4221a3fbe2470545 100644
--- a/cmd/federated.go
+++ b/cmd/federated.go
@@ -33,7 +33,7 @@ func init() {
federatedCmd.PersistentFlags().StringVarP(&federatedFile,
"file",
"f",
- cfgDir+"/federated.yaml",
+ "/federated.yaml",
"Alternative YAML file for federated checks",
)
diff --git a/cmd/master.go b/cmd/master.go
index b702615b39a317f311d27e42b67b5ec8a2947634..1659d38549f6bd473d5b6945561fe69f8b7f1fab 100644
--- a/cmd/master.go
+++ b/cmd/master.go
@@ -33,7 +33,7 @@ func init() {
masterCmd.PersistentFlags().StringVarP(&masterFile,
"file",
"f",
- cfgDir+"/master.yaml",
+ "/master.yaml",
"Alternative YAML file for master checks",
)
diff --git a/cmd/node.go b/cmd/node.go
index 9ea68bab8b4adbdc011e29df0623a6c503fa3c8c..b07ed7e0df1cc21d86916beac73f742a3d2af037 100644
--- a/cmd/node.go
+++ b/cmd/node.go
@@ -33,7 +33,7 @@ func init() {
nodeCmd.PersistentFlags().StringVarP(&nodeFile,
"file",
"f",
- cfgDir+"/node.yaml",
+ "/node.yaml",
"Alternative YAML file for node checks",
)
diff --git a/cmd/util.go b/cmd/util.go
index 4d96c514cc87568fabb7815e5b38a8e3883bcf87..b186d56fbbdded0d195d51ccc6fb05ca319a640f 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -272,6 +272,41 @@ func multiWordReplace(s string, subname string, sub string) string {
return strings.Replace(s, subname, sub, -1)
}
+type version struct {
+ Server string
+ Client string
+}
+
+func getKubeVersion() *version {
+ ver := new(version)
+ // These executables might not be on the user's path.
+ _, err := exec.LookPath("kubectl")
+ if err != nil {
+ s := fmt.Sprintf("Kubernetes version check skipped with error %v", err)
+ continueWithError(err, sprintlnWarn(s))
+ return nil
+ }
+
+ cmd := exec.Command("kubectl", "version")
+ out, err := cmd.Output()
+ if err != nil {
+ s := fmt.Sprintf("Kubernetes version check skipped, with error getting kubectl version")
+ continueWithError(err, sprintlnWarn(s))
+ return nil
+ }
+
+ clientVerRe := regexp.MustCompile(`Client.*Major:"(\d+)".*Minor:"(\d+)"`)
+ svrVerRe := regexp.MustCompile(`Server.*Major:"(\d+)".*Minor:"(\d+)"`)
+
+ sub := clientVerRe.FindStringSubmatch(string(out))
+ ver.Client = sub[1] + "." + sub[2]
+
+ sub = svrVerRe.FindStringSubmatch(string(out))
+ ver.Server = sub[1] + "." + sub[2]
+
+ return ver
+}
+
func makeSubstitutions(s string, ext string, m map[string]string) string {
for k, v := range m {
subst := "$" + k + ext
diff --git a/cmd/util_test.go b/cmd/util_test.go
index 1f3e5a2454e7c1477ee24a02fe80b500541c0519..36be79ce234c437974c6b91d98231e9b671d9802 100644
--- a/cmd/util_test.go
+++ b/cmd/util_test.go
@@ -239,6 +239,22 @@ func TestMultiWordReplace(t *testing.T) {
}
}
+func TestGetKubeVersion(t *testing.T) {
+ ver := getKubeVersion()
+ if ver == nil {
+ t.Log("Expected non nil version info.")
+ } else {
+ if ok, err := regexp.MatchString(`\d+.\d+`, ver.Client); !ok && err != nil {
+ t.Logf("Expected:%v got %v\n", "n.m", ver.Client)
+ }
+
+ if ok, err := regexp.MatchString(`\d+.\d+`, ver.Server); !ok && err != nil {
+ t.Logf("Expected:%v got %v\n", "n.m", ver.Server)
+ }
+
+ }
+}
+
func TestFindConfigFile(t *testing.T) {
cases := []struct {
input []string