diff --git a/cfg/master.yaml b/cfg/master.yaml
index 46aeb36c4a2c1ea58fcbd44c5830962a02835207..874b9ccb013fde8e30e87c9a2748eb6244c23062 100644
--- a/cfg/master.yaml
+++ b/cfg/master.yaml
@@ -479,19 +479,14 @@ groups:
               parameter to \"--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>\""
       scored: true
 
-# TODO: provide flag to WARN of manual tasks which we can't automate.
     - id: 1.1.35
       text: "Ensure that the encryption provider is set to aescbc (Scored)"
       audit: "ps -ef | grep $apiserverbin | grep -v grep"
-      tests:
-        test_items:
-        - flag: "requires manual intervention"
-          set: true
+      type: "manual"
       remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
               choose aescbc as the encryption provider"
       scored: true
 
-
 - id: 1.2
   text: "Scheduler"
   checks:
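Review bot: Check 1.1.35 becomes `type: "manual"` but keeps its `audit: "ps -ef | grep $apiserverbin | grep -v grep"` line, and the `Run` change in check/check.go returns before any audit command runs for manual checks, so that line is dead configuration. It also stays `scored: true` with "(Scored)" in the text, which means a scored control will now always report WARN. Either drop the `audit` key or add a comment above the entry such as `# manual: the provider is chosen inside the EncryptionConfig file, which the audit command cannot inspect`, so the permanent WARN is not read as a scanner fault.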
@@ -573,7 +568,13 @@ groups:
               KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
       scored: true
 
-# TODO: 1.3.6 is manual, provide way to WARN
+    - id: 1.3.6
+      text: "Apply Security Context to Your Pods and Containers (Not Scored)"
+      type: "manual"
+      remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
+              KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include 
+              \"--feature-gates=RotateKubeletServerCertificate=true\""
+      scored: false
 
     - id: 1.3.7
       text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
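Review bot: The new 1.3.6 entry pairs the title "Apply Security Context to Your Pods and Containers (Not Scored)" with a remediation about setting `--feature-gates=RotateKubeletServerCertificate=true` in KUBE_CONTROLLER_MANAGER_ARGS. That remediation covers the same topic as the 1.3.7 check that follows, and the same title is used again for 1.6.6 later in this file, so one of the two fields looks copied from a neighbouring entry. Since a manual check always reports WARN, the operator relies entirely on this text, and mismatched text could lead to changing a controller-manager flag when the control is actually about pod security contexts. Please confirm the title and remediation against the benchmark and make them match. The remediation line ending in `include ` also has a trailing space.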
@@ -717,6 +718,20 @@ groups:
               chmod 700 /var/lib/etcd/default.etcd"
       scored: true
 
+    - id: 1.4.12
+      text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
+      audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G"
+      tests:
+        test_items:
+        - flag: "etcd:etcd"
+          set: true
+      remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
+              from the below command:\n
+                      ps -ef | grep etcd\n
+              Run the below command (based on the etcd data directory found above). For example,\n
+                      chown etcd:etcd /var/lib/etcd/default.etcd"
+      scored: true
+
 - id: 1.5
   text: "etcd"
   checks:
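Review bot: In the 1.4.12 audit, `grep -o data-dir=.*` is greedy and unquoted, so when etcd has further arguments after `--data-dir=` the `cut -d= -f2` output is the path plus the name of the next flag, and `stat` is given a bogus extra argument. The check can then fail on a correctly owned directory, or, if the shell expands the `.*` glob, search for something else entirely. Bounding the match to the path would avoid this, e.g. `grep -o 'data-dir=[^ ]*' | cut -d= -f2 | xargs -r stat -c %U:%G`, where `-r` stops `stat` from running with no operand when etcd is not found. The pipeline also only recognises the `--data-dir=<path>` form, which is worth noting in a comment above the entry.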
@@ -859,3 +874,65 @@ groups:
       remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the 
               etcd service."
       scored: false 
+
+- id: 1.6
+  text: "General Security Primitives"
+  checks:
+    - id: 1.6.1
+      text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
+      type: "manual"
+      remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
+      scored: false
+
+    - id: 1.6.2
+      text: "Create Pod Security Policies for your cluster (Not Scored)"
+      type: "manual"
+      remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
+              Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
+              suggested Pod Security Policies for your environment."
+      scored: false
+
+    - id: 1.6.3
+      text: "Create administrative boundaries between resources using namespaces (Not Scored)"
+      type: "manual"
+      remediation: "Follow the documentation and create namespaces for objects in your deployment as you
+              need them."
+      scored: false
+
+    - id: 1.6.4
+      text: "Create network segmentation using Network Policies (Not Scored)"
+      type: "manual"
+      remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
+      scored: false
+
+    - id: 1.6.5
+      text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
+      type: "manual"
+      remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
+              would need to enable alpha features in the apiserver by passing \"--feature-
+              gates=AllAlpha=true\" argument.\n
+              Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
+              parameter to \"--feature-gates=AllAlpha=true\"
+              KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
+      scored: false
+
+    - id: 1.6.6
+      text: "Apply Security Context to Your Pods and Containers (Not Scored)"
+      type: "manual"
+      remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
+              suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
+              Containers."
+      scored: false
+
+    - id: 1.6.7
+      text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
+      type: "manual"
+      remediation: "Follow the Kubernetes documentation and setup image provenance."
+      scored: false
+
+    - id: 1.6.8
+      text: "Configure Network policies as appropriate (Not Scored)"
+      type: "manual"
+      remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
+      scored: false
+
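Review bot: In the 1.6.5 remediation, the double-quoted string breaks the flag across two source lines (`--feature-` / `gates=AllAlpha=true`), and YAML line folding joins them with a space, so the rendered text reads `--feature- gates=AllAlpha=true` and fails if pasted. Keep the flag on one line, `\"--feature-gates=AllAlpha=true\"`, and add `\n` before the final `KUBE_API_ARGS=...` line so it does not fold into the preceding sentence. Separately, this remediation tells operators to turn on every alpha feature gate on the API server in order to get seccomp. It would be worth stating in the text that `AllAlpha=true` enables all alpha features, not only seccomp, so the trade-off is visible to whoever follows it.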
diff --git a/cfg/node.yaml b/cfg/node.yaml
index 94e48f71a8fde12d9f95be5218872d1ab4b572eb..346ddd1e88cb31e7d919c069b22173c760de751b 100644
--- a/cfg/node.yaml
+++ b/cfg/node.yaml
@@ -285,7 +285,6 @@ groups:
               \nFor example, chown root:root $proxyconf"
       scored: true
 
-# TODO: provide flag to WARN about manual checks.
     - id: 2.2.7
       text: "Ensure that the certificate authorities file permissions are set to
               644 or more restrictive (Scored)"
@@ -298,7 +297,6 @@ groups:
               \nchmod 644 <filename>"
       scored: true
 
-# TODO: provide flag to WARN about manual checks.
     - id: 2.2.8
       text: "Ensure that the client certificate authorities file ownership is set to root:root"
       audit: "if test -e $ca-file; then stat -c %U:%G $ca-file; fi"
diff --git a/check/check.go b/check/check.go
index 5d8221ae851ff46ddf5d073d7e2ae1e05abc2fd6..2ac7b5bc9e306af1eae50588663816be8d557e18 100644
--- a/check/check.go
+++ b/check/check.go
@@ -61,6 +61,7 @@ type Check struct {
 	ID          string `yaml:"id" json:"id"`
 	Text        string
 	Audit       string      `json:"omit"`
+	Type        string      `json:"type"`
 	Commands    []*exec.Cmd `json:"omit"`
 	Tests       *tests      `json:"omit"`
 	Set         bool        `json:"omit"`
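Review bot: The new `Type` field is an undocumented free-form string, and the only value acted on in the visible code is the exact literal `"manual"` compared in `Run`. A misspelt or differently cased value in the YAML (for example `Manual`) would silently fall through to the normal audit path, and the manual checks added in cfg/master.yaml carry no `audit` or `tests` keys for that path to use. How `Run` handles a check with nil `Tests` is outside this hunk, so confirm that it cannot dereference it. I would add a field comment such as `// Type is "manual" for checks that cannot be automated; Run reports them as WARN without executing Audit.` and compare against a named constant rather than a string literal. Rejecting unknown non-empty values at load time would make a typo fail loudly.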
@@ -70,7 +71,13 @@ type Check struct {
 
 // Run executes the audit commands specified in a check and outputs
 // the results.
-func (c *Check) Run() {
+func (c *Check) Run(verbose bool) {
+	// If check type is manual, force result to WARN.
+	if c.Type == "manual" {
+		c.State = WARN
+		return
+	}
+
 	var out bytes.Buffer
 	var errmsgs string