forked from rancher/security-scan
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Derek Nola <[email protected]>
- Loading branch information
Showing
6 changed files
with
2,201 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| --- | ||
| ## Version-specific settings that override the values in cfg/config.yaml | ||
|
|
||
| master: | ||
| components: | ||
| - apiserver | ||
| - scheduler | ||
| - controllermanager | ||
| - etcd | ||
| - policies | ||
| apiserver: | ||
| bins: | ||
| - kube-apiserver | ||
| confs: | ||
| - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml | ||
| defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml | ||
| scheduler: | ||
| bins: | ||
| - kube-scheduler | ||
| confs: | ||
| - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml | ||
| kubeconfig: | ||
| - /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig | ||
| defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml | ||
| controllermanager: | ||
| bins: | ||
| - kube-controller-manager | ||
| confs: | ||
| - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml | ||
| kubeconfig: | ||
| - /var/lib/rancher/rke2/server/cred/controller.kubeconfig | ||
| defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml | ||
| etcd: | ||
| bins: | ||
| - etcd | ||
| datadirs: | ||
| - /var/lib/rancher/rke2/server/db/etcd | ||
| defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml | ||
|
|
||
| etcd: | ||
| components: | ||
| - etcd | ||
|
|
||
| etcd: | ||
| bins: | ||
| - etcd | ||
| defaultconf: /var/lib/rancher/rke2/server/db/etcd/config | ||
|
|
||
| node: | ||
| components: | ||
| - kubelet | ||
| - proxy | ||
| kubelet: | ||
| defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig | ||
| defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt | ||
| proxy: | ||
| defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig | ||
|
|
||
| policies: | ||
| components: | ||
| - policies |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| --- | ||
| controls: | ||
| version: "cis-1.8" | ||
| id: 3 | ||
| text: "Control Plane Configuration" | ||
| type: "controlplane" | ||
| groups: | ||
| - id: 3.1 | ||
| text: "Authentication and Authorization" | ||
| checks: | ||
| - id: 3.1.1 | ||
| text: "Client certificate authentication should not be used for users (Manual)" | ||
| type: "manual" | ||
| remediation: | | ||
| Alternative mechanisms provided by Kubernetes such as the use of OIDC should be | ||
| implemented in place of client certificates. | ||
| scored: false | ||
|
|
||
| - id: 3.1.2 | ||
| text: "Service account token authentication should not be used for users (Manual)" | ||
| type: "manual" | ||
| remediation: | | ||
| Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented | ||
| in place of service account tokens. | ||
| scored: false | ||
|
|
||
| - id: 3.1.3 | ||
| text: "Bootstrap token authentication should not be used for users (Manual)" | ||
| type: "manual" | ||
| remediation: | | ||
| Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented | ||
| in place of bootstrap tokens. | ||
| scored: false | ||
|
|
||
| - id: 3.2 | ||
| text: "Logging" | ||
| checks: | ||
| - id: 3.2.1 | ||
| text: "Ensure that a minimal audit policy is created (Automated)" | ||
| audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" | ||
| tests: | ||
| test_items: | ||
| - flag: "--audit-policy-file" | ||
| set: true | ||
| remediation: | | ||
| Create an audit policy file for your cluster. | ||
| scored: true | ||
|
|
||
| - id: 3.2.2 | ||
| text: "Ensure that the audit policy covers key security concerns (Manual)" | ||
| type: "manual" | ||
| remediation: | | ||
| Review the audit policy provided for the cluster and ensure that it covers | ||
| at least the following areas, | ||
| - Access to Secrets managed by the cluster. Care should be taken to only | ||
| log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in | ||
| order to avoid risk of logging sensitive data. | ||
| - Modification of Pod and Deployment objects. | ||
| - Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`. | ||
| For most requests, minimally logging at the Metadata level is recommended | ||
| (the most basic level of logging). | ||
| scored: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,174 @@ | ||
| --- | ||
| controls: | ||
| version: "cis-1.8" | ||
| id: 2 | ||
| text: "Etcd Node Configuration" | ||
| type: "etcd" | ||
| groups: | ||
| # When possible, we check the flag, the environment variable, and the configuration file | ||
| # kube-bench does not allow nested bin_ops, so when multiple flags are being checked in a single test, | ||
| # we only check the config path. | ||
| - id: 2 | ||
| text: "Etcd Node Configuration" | ||
| checks: | ||
| - id: 2.1 | ||
| text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" | ||
| audit_config: "cat $etcdconf" | ||
| tests: | ||
| bin_op: and | ||
| test_items: | ||
| - path: "{.client-transport-security.cert-file}" | ||
| compare: | ||
| op: eq | ||
| value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.crt" | ||
| - path: "{.client-transport-security.key-file}" | ||
| compare: | ||
| op: eq | ||
| value: "/var/lib/rancher/rke2/server/tls/etcd/server-client.key" | ||
| remediation: | | ||
| By default, RKE2 generates cert and key files for etcd. | ||
| These are located in /var/lib/rancher/rke2/server/tls/etcd/. | ||
| If this check fails, ensure that the configuration file $etcdconf | ||
| has not been modified to use custom cert and key files. | ||
| scored: true | ||
|
|
||
| - id: 2.2 | ||
| text: "Ensure that the --client-cert-auth argument is set to true (Automated)" | ||
| audit: "/bin/ps -fC $etcdbin" | ||
| audit_config: "cat $etcdconf" | ||
| tests: | ||
| bin_op: or | ||
| test_items: | ||
| - flag: "--client-cert-auth" | ||
| env: "ETCD_CLIENT_CERT_AUTH" | ||
| compare: | ||
| op: eq | ||
| value: true | ||
| - path: "{.client-transport-security.client-cert-auth}" | ||
| compare: | ||
| op: eq | ||
| value: true | ||
| remediation: | | ||
| By default, RKE2 sets the --client-cert-auth parameter to true. | ||
| If this check fails, ensure that the configuration file $etcdconf | ||
| has not been modified to disable client certificate authentication. | ||
| scored: true | ||
|
|
||
| - id: 2.3 | ||
| text: "Ensure that the --auto-tls argument is not set to true (Automated)" | ||
| audit: "/bin/ps -fC $etcdbin" | ||
| audit_config: "cat $etcdconf" | ||
| tests: | ||
| bin_op: or | ||
| test_items: | ||
| - flag: "--auto-tls" | ||
| env: "ETCD_AUTO_TLS" | ||
| set: false | ||
| - flag: "--auto-tls" | ||
| env: "ETCD_AUTO_TLS" | ||
| compare: | ||
| op: eq | ||
| value: false | ||
| - path: "{.client-transport-security.auto-tls}" | ||
| compare: | ||
| op: eq | ||
| value: false | ||
| remediation: | | ||
| By default, RKE2 does not set the --auto-tls parameter. | ||
| If this check fails, edit the etcd pod specification file $etcdconf on the master | ||
| node and either remove the --auto-tls parameter or set it to false. | ||
| client-transport-security: | ||
| auto-tls: false | ||
| scored: true | ||
|
|
||
| - id: 2.4 | ||
| text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" | ||
| audit_config: "cat $etcdconf" | ||
| tests: | ||
| bin_op: and | ||
| test_items: | ||
| - path: "{.peer-transport-security.cert-file}" | ||
| compare: | ||
| op: eq | ||
| value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.crt" | ||
| - path: "{.peer-transport-security.key-file}" | ||
| compare: | ||
| op: eq | ||
| value: "/var/lib/rancher/rke2/server/tls/etcd/peer-server-client.key" | ||
| remediation: | | ||
| By default, RKE2 generates peer cert and key files for etcd. | ||
| These are located in /var/lib/rancher/rke2/server/tls/etcd/. | ||
| If this check fails, ensure that the configuration file $etcdconf | ||
| has not been modified to use custom peer cert and key files. | ||
| scored: true | ||
|
|
||
| - id: 2.5 | ||
| text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)" | ||
| audit: "/bin/ps -fC $etcdbin" | ||
| audit_config: "cat $etcdconf" | ||
| tests: | ||
| bin_op: or | ||
| test_items: | ||
| - flag: "--peer-client-cert-auth" | ||
| env: "ETCD_PEER_CLIENT_CERT_AUTH" | ||
| compare: | ||
| op: eq | ||
| value: true | ||
| - path: "{.peer-transport-security.client-cert-auth}" | ||
| compare: | ||
| op: eq | ||
| value: true | ||
| remediation: | | ||
| By default, RKE2 sets the --peer-cert-auth parameter to true. | ||
| If this check fails, ensure that the configuration file $etcdconf | ||
| has not been modified to disable peer client certificate authentication. | ||
| scored: true | ||
|
|
||
| - id: 2.6 | ||
| text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)" | ||
| audit: "/bin/ps -fC $etcdbin" | ||
| audit_config: "cat $etcdconf" | ||
| tests: | ||
| bin_op: or | ||
| test_items: | ||
| - flag: "--peer-auto-tls" | ||
| env: "ETCD_PEER_AUTO_TLS" | ||
| set: false | ||
| - flag: "--peer-auto-tls" | ||
| env: "ETCD_PEER_AUTO_TLS" | ||
| compare: | ||
| op: eq | ||
| value: false | ||
| set: true | ||
| - path: "{.peer-transport-security.auto-tls}" | ||
| compare: | ||
| op: eq | ||
| value: false | ||
| remediation: | | ||
| By default, RKE2 does not set the --peer-auto-tls parameter. | ||
| If this check fails, edit the etcd pod specification file $etcdconf on the master | ||
| node and either remove the --peer-auto-tls parameter or set it to false. | ||
| peer-transport-security: | ||
| auto-tls: false | ||
| scored: true | ||
|
|
||
| - id: 2.7 | ||
| text: "Ensure that a unique Certificate Authority is used for etcd (Automated)" | ||
| audit: "/bin/ps -fC $etcdbin" | ||
| audit_config: "cat $etcdconf" | ||
| tests: | ||
| bin_op: or | ||
| test_items: | ||
| - flag: "--trusted-ca-file" | ||
| env: "ETCD_TRUSTED_CA_FILE" | ||
| - path: "{.peer-transport-security.trusted-ca-file}" | ||
| compare: | ||
| op: eq | ||
| value: "/var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt" | ||
| set: true | ||
| remediation: | | ||
| By default, RKE2 generates a unique certificate authority for etcd. | ||
| This is located at /var/lib/rancher/rke2/server/tls/etcd/peer-ca.crt. | ||
| If this check fails, ensure that the configuration file $etcdconf | ||
| has not been modified to use a shared certificate authority. | ||
| scored: true |
Oops, something went wrong.