github.com/khulnasoft-lab/kube-bench@v0.2.1-0.20240330183753-9df52345ae58/cfg/rh-0.7/master.yaml (about) 1 --- 2 controls: 3 version: "rh-0.7" 4 id: 1 5 text: "Securing the OpenShift Master" 6 type: "master" 7 groups: 8 9 - id: 1 10 text: "Protecting the API Server" 11 checks: 12 - id: 1.1 13 text: "Maintain default behavior for anonymous access" 14 type: "skip" 15 scored: true 16 17 - id: 1.2 18 text: "Verify that the basic-auth-file method is not enabled" 19 audit_config: "cat /etc/origin/master/master-config.yaml" 20 tests: 21 test_items: 22 - path: "{.kubernetesMasterConfig.apiServerArguments.basic-auth-file}" 23 set: false 24 remediation: | 25 Edit the kubernetes master config file /etc/origin/master/master-config.yaml and 26 remove the basic-auth-file entry. 27 28 kubernetesMasterConfig: 29 apiServerArguments: 30 basic-auth-file: 31 - /path/to/any/file 32 scored: true 33 34 - id: 1.3 35 text: "Insecure Tokens" 36 type: "skip" 37 scored: true 38 39 - id: 1.4 40 text: "Secure communications between the API server and master nodes" 41 audit_config: "cat /etc/origin/master/master-config.yaml" 42 tests: 43 bin_op: and 44 test_items: 45 - path: "{.kubeletClientInfo.ca}" 46 compare: 47 op: has 48 value: "ca-bundle.crt" 49 - path: "{.kubeletClientInfo.certFile}" 50 compare: 51 op: has 52 value: "master.kubelet-client.crt" 53 - path: "{.kubeletClientInfo.keyFile}" 54 compare: 55 op: has 56 value: "master.kubelet-client.key" 57 set: true 58 - path: "{.kubeletClientInfo.port}" 59 compare: 60 op: eq 61 value: "10250" 62 remediation: | 63 Edit the kubernetes master config file /etc/origin/master/master-config.yaml 64 and change it to match the below. 
65 66 kubeletClientInfo: 67 ca: ca-bundle.crt 68 certFile: master.kubelet-client.crt 69 keyFile: master.kubelet-client.key 70 port: 10250 71 scored: true 72 73 - id: 1.5 74 text: "Prevent insecure bindings" 75 audit_config: "cat /etc/origin/master/master-config.yaml" 76 tests: 77 test_items: 78 - path: "{.kubernetesMasterConfig.insecure-bind-address}" 79 set: false 80 remediation: | 81 Edit the kubernetes master config file /etc/origin/master/master-config.yaml 82 and remove the insecure-bind-address entry. 83 84 kubernetesMasterConfig: 85 apiServerArguments: 86 insecure-bind-address: 87 - 127.0.0.1 88 scored: true 89 90 - id: 1.6 91 text: "Prevent insecure port access" 92 audit_config: "cat /etc/origin/master/master-config.yaml" 93 tests: 94 test_items: 95 - path: "{.kubernetesMasterConfig.apiServerArguments.insecure-port}" 96 set: false 97 remediation: | 98 Edit the kubernetes master config file /etc/origin/master/master-config.yaml 99 and remove the insecure-port entry. 100 101 kubernetesMasterConfig: 102 apiServerArguments: 103 insecure-port: 104 - 0 105 scored: true 106 107 - id: 1.7 108 text: "Use Secure Ports for API Server Traffic" 109 audit_config: "cat /etc/origin/master/master-config.yaml" 110 tests: 111 bin_op: or 112 test_items: 113 - path: "{.kubernetesMasterConfig.apiServerArguments.secure-port}" 114 set: false 115 - path: "{.kubernetesMasterConfig.apiServerArguments.secure-port}" 116 compare: 117 op: noteq 118 value: "0" 119 remediation: | 120 Edit the kubernetes master config file /etc/origin/master/master-config.yaml 121 and either remove the secure-port parameter or set it to a different (non-zero) 122 desired port. 
123 124 kubernetesMasterConfig: 125 apiServerArguments: 126 secure-port: 127 - 8443 128 scored: true 129 130 - id: 1.8 131 text: "Do not expose API server profiling data" 132 type: "skip" 133 scored: true 134 135 - id: 1.9 136 text: "Verify repair-malformed-updates argument for API compatibility" 137 audit_config: "cat /etc/origin/master/master-config.yaml" 138 tests: 139 bin_op: or 140 test_items: 141 - path: "{.repair-malformed-updates}" 142 set: false 143 - path: "{.repair-malformed-updates}" 144 compare: 145 op: eq 146 value: "true" 147 remediation: | 148 Edit the kubernetes master config file /etc/origin/master/master-config.yaml 149 and remove the repair-malformed-updates entry or set repair-malformed-updates=true. 150 scored: true 151 152 - id: 1.10 153 text: "Verify that the AlwaysAdmit admission controller is disabled" 154 audit_config: "cat /etc/origin/master/master-config.yaml" 155 tests: 156 test_items: 157 - path: "{.AlwaysAdmit}" 158 set: false 159 remediation: | 160 Edit the kubernetes master config file /etc/origin/master/master-config.yaml 161 and remove the entry below. 162 163 AlwaysAdmit: 164 configuration: 165 kind: DefaultAdmissionConfig 166 apiVersion: v1 167 disable: false 168 scored: true 169 170 - id: 1.11 171 text: "Manage the AlwaysPullImages admission controller" 172 audit_config: "cat /etc/origin/master/master-config.yaml" 173 tests: 174 test_items: 175 - path: "{.admissionConfig.pluginConfig.configuration.disable}" 176 compare: 177 op: eq 178 value: "false" 179 remediation: | 180 Edit the kubernetes master config file /etc/origin/master/master-config.yaml 181 and add the entry below. 
182 183 admissionConfig: 184 pluginConfig: 185 AlwaysPullImages: 186 configuration: 187 kind: DefaultAdmissionConfig 188 apiVersion: v1 189 disable: false 190 scored: true 191 192 - id: 1.12 193 text: "Use Security Context Constraints instead of DenyEscalatingExec admission" 194 type: "skip" 195 scored: true 196 197 - id: 1.13 198 text: "Use Security Context Constraints instead of the SecurityContextDeny admission controller" 199 type: "skip" 200 scored: true 201 202 - id: 1.14 203 text: "Manage the NamespaceLifecycle admission controller" 204 audit_config: "cat /etc/origin/master/master-config.yaml" 205 tests: 206 test_items: 207 - path: "{.NamespaceLifecycle}" 208 set: false 209 remediation: | 210 Edit the kubernetes master config file /etc/origin/master/master-config.yaml 211 and remove the following entry. 212 213 NamespaceLifecycle: 214 configuration: 215 kind: DefaultAdmissionConfig 216 apiVersion: v1 217 disable: true 218 scored: true 219 220 - id: 1.15 221 text: "Configure API server auditing - audit log file path" 222 audit_config: "cat /etc/origin/master/master-config.yaml" 223 tests: 224 test_items: 225 - path: "{.auditConfig.enabled}" 226 compare: 227 op: eq 228 value: "true" 229 remediation: | 230 Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the following entry and restart the API server. 231 232 auditConfig: 233 auditFilePath: ""/etc/origin/master/audit-ocp.log"" 234 enabled: true 235 maximumFileRetentionDays: 30 236 maximumFileSizeMegabytes: 10 237 maximumRetainedFiles: 10 238 239 Make the same changes in the inventory/ansible variables so the changes are not 240 lost when an upgrade occurs. 
241 scored: true 242 243 - id: 1.16 244 text: "Configure API server auditing - audit log retention" 245 audit_config: "cat /etc/origin/master/master-config.yaml" 246 tests: 247 test_items: 248 - path: "{.auditConfig.maximumFileRetentionDays}" 249 compare: 250 op: gte 251 value: 30 252 remediation: | 253 Edit the Openshift master config file /etc/origin/master/master-config.yaml, 254 update the maximumFileRetentionDays entry and restart the API server. 255 256 auditConfig: 257 auditFilePath: ""/etc/origin/master/audit-ocp.log"" 258 enabled: true 259 maximumFileRetentionDays: 30 260 maximumFileSizeMegabytes: 10 261 maximumRetainedFiles: 10 262 263 Make the same changes in the inventory/ansible variables so the changes are not 264 lost when an upgrade occurs. 265 scored: true 266 267 - id: 1.17 268 text: "Configure API server auditing - audit log backup retention" 269 audit_config: "cat /etc/origin/master/master-config.yaml" 270 tests: 271 test_items: 272 - path: "{.auditConfig.maximumRetainedFiles}" 273 compare: 274 op: eq 275 value: "10" 276 remediation: | 277 Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumRetainedFiles entry, 278 set enabled to true and restart the API server. 279 280 auditConfig: 281 auditFilePath: ""/etc/origin/master/audit-ocp.log"" 282 enabled: true 283 maximumFileRetentionDays: 30 284 maximumFileSizeMegabytes: 10 285 maximumRetainedFiles: 10 286 287 Make the same changes in the inventory/ansible variables so the changes are not 288 lost when an upgrade occurs. 
289 scored: true 290 291 - id: 1.18 292 text: "Configure audit log file size" 293 audit_config: "cat /etc/origin/master/master-config.yaml" 294 tests: 295 test_items: 296 - path: "{.auditConfig.maximumFileSizeMegabytes}" 297 compare: 298 op: eq 299 value: "30" 300 remediation: | 301 Edit the Openshift master config file /etc/origin/master/master-config.yaml, update the maximumFileSizeMegabytes entry, 302 set enabled to true and restart the API server. 303 304 auditConfig: 305 auditFilePath: ""/etc/origin/master/audit-ocp.log"" 306 enabled: true 307 maximumFileRetentionDays: 30 308 maximumFileSizeMegabytes: 10 309 maximumRetainedFiles: 10 310 311 Make the same changes in the inventory/ansible variables so the changes are not 312 lost when an upgrade occurs. 313 scored: true 314 315 - id: 1.19 316 text: "Verify that authorization-mode is not set to AlwaysAllow" 317 audit_config: "cat /etc/origin/master/master-config.yaml" 318 tests: 319 test_items: 320 - path: "{.kubernetesMasterConfig.apiServerArguments.authorization-mode}" 321 set: false 322 remediation: | 323 Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the authorization-mode 324 entry. 325 326 kubernetesMasterConfig: 327 apiServerArguments: 328 authorization-mode: 329 - AllowAll 330 scored: true 331 332 - id: 1.20 333 text: "Verify that the token-auth-file flag is not set" 334 audit_config: "cat /etc/origin/master/master-config.yaml" 335 tests: 336 test_items: 337 - path: "{.kubernetesMasterConfig.apiServerArguments.token-auth-file}" 338 set: false 339 remediation: | 340 Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the token-auth-file 341 entry under apiserverArguments section. 
342 343 kubernetesMasterConfig: 344 apiServerArguments: 345 token-auth-file: 346 - /path/to/file 347 scored: true 348 349 - id: 1.21 350 text: "Verify the API server certificate authority" 351 audit_config: "cat /etc/origin/master/master-config.yaml" 352 tests: 353 test_items: 354 - path: "{.kubernetesMasterConfig.apiServerArguments.kubelet-certificat-authority}" 355 set: false 356 remediation: | 357 Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove the following 358 configuration under apiserverArguments section. 359 360 kubernetesMasterConfig: 361 apiServerArguments: 362 kubelet-certificat-authority: 363 - /path/to/ca 364 scored: true 365 366 - id: 1.22 367 text: "Verify the API server client certificate and client key" 368 audit_config: "cat /etc/origin/master/master-config.yaml" 369 tests: 370 bin_op: and 371 test_items: 372 - path: "{.kubeletClientInfo.keyFile}" 373 compare: 374 op: eq 375 value: "master.kubelet-client.key" 376 - path: "{.kubeletClientInfo.certFile}" 377 compare: 378 op: eq 379 value: "master.kubelet-client.crt" 380 remediation: | 381 Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following 382 configuration under kubeletClientInfo 383 384 kubeletClientInfo: 385 ca: ca-bundle.crt 386 certFile: master.kubelet-client.crt 387 keyFile: master.kubelet-client.key 388 port: 10250 389 scored: true 390 391 - id: 1.23 392 text: "Verify that the service account lookup flag is not set" 393 type: "skip" 394 scored: true 395 396 - id: 1.24 397 text: "Verify the PodSecurityPolicy is disabled to ensure use of SecurityContextConstraints" 398 type: "skip" 399 scored: true 400 401 - id: 1.25 402 text: "Verify that the service account key file argument is not set" 403 audit_config: "cat /etc/origin/master/master-config.yaml" 404 tests: 405 bin_op: and 406 test_items: 407 - path: "{.serviceAccountConfig.privateKeyFile}" 408 compare: 409 op: eq 410 value: "serviceaccounts.private.key" 411 
- path: "{.serviceAccountConfig.publicKeyFiles}" 412 compare: 413 op: has 414 value: "serviceaccounts.public.key" 415 remediation: | 416 OpenShift API server does not use the service-account-key-file argument. 417 Even if value is set in master-config.yaml, it will not be used to verify 418 service account tokens, as it is in upstream Kubernetes. The ServiceAccount 419 token authenticator is configured with serviceAccountConfig.publicKeyFiles in 420 the master-config.yaml. OpenShift does not reuse the apiserver TLS key. 421 422 Edit the Openshift master config file /etc/origin/master/master-config.yaml and set the privateKeyFile 423 and publicKeyFile configuration under serviceAccountConfig. 424 425 serviceAccountConfig: 426 limitSecretReferences: false 427 managedNames: 428 - default 429 - builder 430 - deployer 431 masterCA: ca-bundle.crt 432 privateKeyFile: serviceaccounts.private.key 433 publicKeyFiles: 434 - serviceaccounts.public.key 435 436 Verify that privateKeyFile and publicKeyFile exist and set. 437 scored: true 438 439 - id: 1.26 440 text: "Verify the certificate and key used for communication with etcd" 441 audit_config: "cat /etc/origin/master/master-config.yaml" 442 tests: 443 bin_op: and 444 test_items: 445 - path: "{.etcdClientInfo.certFile}" 446 compare: 447 op: eq 448 value: "master.etcd-client.crt" 449 - path: "{.etcdClientInfo.keyFile}" 450 compare: 451 op: eq 452 value: "master.etcd-client.key" 453 remediation: | 454 Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile 455 under etcdClientInfo like below. 
456 457 etcdClientInfo: 458 ca: master.etcd-ca.crt 459 certFile: master.etcd-client.crt 460 keyFile: master.etcd-client.key 461 scored: true 462 463 - id: 1.27 464 text: "Verify that the ServiceAccount admission controller is enabled" 465 audit_config: "cat /etc/origin/master/master-config.yaml" 466 tests: 467 bin_op: or 468 test_items: 469 - path: "{.ServiceAccount.configuration.disable}" 470 set: false 471 - path: "{.ServiceAccount.configuration.disable}" 472 compare: 473 op: eq 474 value: "false" 475 remediation: | 476 Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount 477 admission control policy. 478 479 ServiceAccount: 480 configuration: 481 kind: DefaultAdmissionConfig 482 apiVersion: v1 483 disable: false 484 scored: true 485 486 - id: 1.28 487 text: "Verify the certificate and key used to encrypt API server traffic" 488 audit_config: "cat /etc/origin/master/master-config.yaml" 489 tests: 490 bin_op: and 491 test_items: 492 - path: "{.servingInfo.certFile}" 493 compare: 494 op: eq 495 value: "master.server.crt" 496 - path: "{.servingInfo.keyFile}" 497 compare: 498 op: eq 499 value: "master.server.key" 500 remediation: | 501 Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo. 502 503 servingInfo: 504 bindAddress: 0.0.0.0:8443 505 bindNetwork: tcp4 506 certFile: master.server.crt 507 clientCA: ca.crt 508 keyFile: master.server.key 509 maxRequestsInFlight: 500 510 requestTimeoutSeconds: 3600 511 scored: true 512 513 - id: 1.29 514 text: "Verify that the --client-ca-file argument is not set" 515 audit_config: "cat /etc/origin/master/master-config.yaml" 516 tests: 517 test_items: 518 - path: "{.servingInfo.clientCA}" 519 set: false 520 remediation: | 521 Edit the Openshift master config file /etc/origin/master/master-config.yaml and set clientCA under servingInfo. 
522 523 servingInfo: 524 bindAddress: 0.0.0.0:8443 525 bindNetwork: tcp4 526 certFile: master.server.crt 527 clientCA: ca.crt 528 keyFile: master.server.key 529 maxRequestsInFlight: 500 530 requestTimeoutSeconds: 3600 531 scored: true 532 533 - id: 1.30 534 text: "Verify the CA used for communication with etcd" 535 audit_config: "cat /etc/origin/master/master-config.yaml" 536 tests: 537 test_items: 538 - path: "{.etcdClientInfo.ca}" 539 compare: 540 op: eq 541 value: "master.etcd-ca.crt" 542 remediation: | 543 Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo. 544 545 etcdClientInfo: 546 ca: master.etcd-ca.crt 547 certFile: master.etcd-client.crt 548 keyFile: master.etcd-client.key 549 scored: true 550 551 - id: 1.31 552 text: "Verify that the authorization-mode argument is not set" 553 type: "skip" 554 scored: true 555 556 - id: 1.32 557 text: "Verify that the NodeRestriction admission controller is enabled" 558 audit_config: "cat /etc/origin/master/master-config.yaml" 559 tests: 560 bin_op: or 561 test_items: 562 - path: "{.NodeRestriction.configuration.disable}" 563 set: false 564 - path: "{.NodeRestriction.configuration.disable}" 565 compare: 566 op: eq 567 value: "false" 568 remediation: | 569 Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable NodeRestriction ca under etcdClientInfo. 570 571 NodeRestriction: 572 configuration: 573 kind: DefaultAdmissionConfig 574 apiVersion: v1 575 disable: false 576 scored: true 577 578 - id: 1.33 579 text: "Configure encryption of data at rest in etcd datastore" 580 audit_config: "cat /etc/origin/master/master-config.yaml" 581 tests: 582 test_items: 583 - path: "{.kubernetesMasterConfig.apiServerArguments.experimental-encryption-provider-config}" 584 remediation: | 585 Follow the instructions in the documentation to configure encryption. 
586 https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html 587 scored: true 588 589 - id: 1.34 590 text: "Set the encryption provider to aescbc for etcd data at rest" 591 592 audit_config: "grep -A1 experimental-encryption-provider-config /etc/origin/master/master-config.yaml | sed -n '2p' | awk '{ print $2 }' | xargs cat" 593 tests: 594 bin_op: and 595 test_items: 596 - path: "{.resources[*].providers[*].aescbc.keys[*]}}" 597 compare: 598 op: has 599 value: "secret" 600 - path: "{.resources[*].providers[*].aescbc.keys[*]}}" 601 compare: 602 op: has 603 value: "name" 604 remediation: | 605 Edit the Openshift master config file /etc/origin/master/master-config.yaml and set aescbc as the first provider in encryption provider config. 606 See https://docs.openshift.com/container-platform/3.10/admin_guide/encrypting_data.html. 607 scored: true 608 609 - id: 1.35 610 text: "Enable the EventRateLimit plugin" 611 audit_config: "cat /etc/origin/master/master-config.yaml" 612 tests: 613 test_items: 614 - path: "{.admissionConfig.pluginConfig.AlwaysPullImages.configuration.disable}" 615 compare: 616 op: eq 617 value: "false" 618 remediation: | 619 Follow the documentation to enable the EventRateLimit plugin. 
620 https://docs.openshift.com/container-platform/3.10/architecture/additional_concepts/admission_controllers.html#admission-controllers-general-admission-rules 621 scored: true 622 623 - id: 1.36 624 text: "Configure advanced auditing" 625 audit_config: "cat /etc/origin/master/master-config.yaml" 626 tests: 627 bin_op: or 628 test_items: 629 - path: "{.kubernetesMasterConfig.apiServerArguments.feature-gates.AdvancedAuditing}" 630 compare: 631 op: eq 632 value: "true" 633 - path: "{.kubernetesMasterConfig.apiServerArguments.feature-gates.AdvancedAuditing}" 634 set: false 635 remediation: | 636 Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable AdvancedAuditing, 637 638 kubernetesMasterConfig: 639 apiServerArguments: 640 feature-gates: 641 - AdvancedAuditing=true 642 scored: true 643 644 # Review 1.1.37 in Khulnasoftsec shared doc, the tests are net zero. 645 - id: 1.37 646 text: "Adjust the request timeout argument for your cluster resources" 647 audit: "grep request-timeout /etc/origin/master/master-config.yaml" 648 type: "manual" 649 remediation: | 650 [Manual test] 651 change the request-timeout value in the /etc/origin/master/master-config.yaml 652 scored: true 653 654 655 - id: 2 656 text: "Scheduler" 657 checks: 658 - id: 2.1 659 text: "Verify that Scheduler profiling is not exposed to the web" 660 type: "skip" 661 scored: true 662 663 664 - id: 3 665 text: "Controller Manager" 666 checks: 667 - id: 3.1 668 text: "Adjust the terminated-pod-gc-threshold argument as needed" 669 audit_config: "cat /etc/origin/master/master-config.yaml" 670 tests: 671 test_items: 672 - path: "{.kubernetesMasterConfig.controllerArguments.terminated-pod-gc-threshold}" 673 compare: 674 op: eq 675 value: "12500" 676 remediation: | 677 Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable terminated-pod-gc-threshold. 
678 679 kubernetesMasterConfig: 680 controllerArguments: 681 terminated-pod-gc-threshold: 682 - true 683 684 Enabling the "terminated-pod-gc-threshold" settings is optional. 685 scored: true 686 687 - id: 3.2 688 text: "Verify that Controller profiling is not exposed to the web" 689 type: "skip" 690 scored: true 691 692 - id: 3.3 693 text: "Verify that the --use-service-account-credentials argument is set to true" 694 audit_config: "cat /etc/origin/master/master-config.yaml" 695 tests: 696 bin_op: or 697 test_items: 698 - path: "{.kubernetesMasterConfig.controllerArguments.use-service-account-credentials}" 699 set: false 700 - path: "{.kubernetesMasterConfig.controllerArguments.use-service-account-credentials}" 701 compare: 702 op: eq 703 value: "true" 704 remediation: | 705 Edit the Openshift master config file /etc/origin/master/master-config.yaml and set use-service-account-credentials 706 to true under controllerArguments section. 707 708 kubernetesMasterConfig: 709 controllerArguments: 710 use-service-account-credentials: 711 - true 712 scored: true 713 714 715 - id: 3.4 716 text: "Verify that the --service-account-private-key-file argument is set as appropriate" 717 audit: | 718 grep -A9 serviceAccountConfig /etc/origin/master/master-config.yaml | grep privateKeyFile; 719 grep -A2 service-account-private-key-file /etc/origin/master/master-config.yaml 720 audit_config: "cat /etc/origin/master/master-config.yaml" 721 tests: 722 bin_op: and 723 test_items: 724 - flag: "privateKeyFile: serviceaccounts.private.key" 725 path: "{.serviceAccountConfig.privateKeyFile}" 726 compare: 727 op: eq 728 value: "serviceaccounts.private.key" 729 - flag: "service-account-private-key-file" 730 set: false 731 remediation: | 732 Edit the Openshift master config file /etc/origin/master/master-config.yaml and remove service-account-private-key-file 733 scored: true 734 735 736 - id: 3.5 737 text: "Verify that the --root-ca-file argument is set as appropriate" 738 audit_config: "cat 
/etc/origin/master/master-config.yaml" 739 tests: 740 bin_op: and 741 test_items: 742 - path: "{.serviceAccountConfig.root-ca-file}" 743 compare: 744 op: eq 745 value: "/etc/origin/master/ca-bundle.crt" 746 - path: "{.serviceAccountConfig.masterCA}" 747 compare: 748 op: eq 749 value: "ca-bundle.crt" 750 remediation: | 751 Reset to OpenShift defaults OpenShift starts kube-controller-manager with 752 root-ca-file=/etc/origin/master/ca-bundle.crt by default. OpenShift Advanced 753 Installation creates this certificate authority and configuration without any 754 configuration required. 755 756 https://docs.openshift.com/container-platform/3.10/admin_guide/service_accounts.html" 757 scored: true 758 759 - id: 3.6 760 text: "Verify that Security Context Constraints are applied to Your Pods and Containers" 761 type: "skip" 762 scored: false 763 764 - id: 3.7 765 text: "Manage certificate rotation" 766 audit_config: "cat /etc/origin/master/master-config.yaml" 767 tests: 768 test_items: 769 - path: "{.kubeletArguments.feature-gates.RotateKubeletServerCertificate}" 770 compare: 771 op: eq 772 value: "true" 773 remediation: | 774 If you decide not to enable the RotateKubeletServerCertificate feature, 775 be sure to use the Ansible playbooks provided with the OpenShift installer to 776 automate re-deploying certificates. 777 scored: true 778 779 780 - id: 4 781 text: "Configuration Files" 782 checks: 783 - id: 4.1 784 text: "Verify the OpenShift default permissions for the API server pod specification file" 785 audit: "stat -c permissions=%a /etc/origin/node/pods/apiserver.yaml" 786 tests: 787 test_items: 788 - flag: "permissions" 789 compare: 790 op: bitmask 791 value: "600" 792 remediation: | 793 Run the below command. 
794 795 chmod 600 /etc/origin/node/pods/apiserver.yaml 796 scored: true 797 798 - id: 4.2 799 text: "Verify the OpenShift default file ownership for the API server pod specification file" 800 audit: "stat -c %U:%G /etc/origin/node/pods/apiserver.yaml" 801 tests: 802 test_items: 803 - flag: "root:root" 804 remediation: | 805 Run the below command on the master node. 806 807 chown root:root /etc/origin/node/pods/apiserver.yaml 808 scored: true 809 810 - id: 4.3 811 text: "Verify the OpenShift default file permissions for the controller manager pod specification file" 812 audit: "stat -c permissions=%a /etc/origin/node/pods/controller.yaml" 813 tests: 814 test_items: 815 - flag: "permissions" 816 compare: 817 op: bitmask 818 value: "600" 819 remediation: | 820 Run the below command on the master node. 821 822 chmod 600 /etc/origin/node/pods/controller.yaml 823 scored: true 824 825 - id: 4.4 826 text: "Verify the OpenShift default ownership for the controller manager pod specification file" 827 audit: "stat -c %U:%G /etc/origin/node/pods/controller.yaml" 828 tests: 829 test_items: 830 - flag: "root:root" 831 remediation: | 832 Run the below command on the master node. 833 834 chown root:root /etc/origin/node/pods/controller.yaml 835 scored: true 836 837 - id: 4.5 838 text: "Verify the OpenShift default permissions for the scheduler pod specification file" 839 audit: "stat -c permissions=%a /etc/origin/node/pods/controller.yaml" 840 tests: 841 test_items: 842 - flag: "permissions" 843 compare: 844 op: bitmask 845 value: "600" 846 remediation: | 847 Run the below command. 848 849 chmod 600 stat -c permissions=%a /etc/origin/node/pods/controller.yaml 850 scored: true 851 852 - id: 4.6 853 text: "Verify the scheduler pod specification file ownership set by OpenShift" 854 audit: "stat -c %U:%G /etc/origin/node/pods/controller.yaml" 855 tests: 856 test_items: 857 - flag: "root:root" 858 remediation: | 859 Run the below command on the master node. 
860 861 chown root:root /etc/origin/node/pods/controller.yaml 862 scored: true 863 864 - id: 4.7 865 text: "Verify the OpenShift default etcd pod specification file permissions" 866 audit: "stat -c permissions=%a /etc/origin/node/pods/etcd.yaml" 867 tests: 868 test_items: 869 - flag: "permissions" 870 compare: 871 op: bitmask 872 value: "600" 873 remediation: | 874 Run the below command. 875 876 chmod 600 /etc/origin/node/pods/etcd.yaml 877 scored: true 878 879 - id: 4.8 880 text: "Verify the OpenShift default etcd pod specification file ownership" 881 audit: "stat -c %U:%G /etc/origin/node/pods/etcd.yaml" 882 tests: 883 test_items: 884 - flag: "root:root" 885 remediation: | 886 Run the below command on the master node. 887 888 chown root:root /etc/origin/node/pods/etcd.yaml 889 scored: true 890 891 - id: 4.9 892 text: "Verify the default OpenShift Container Network Interface file permissions" 893 audit: "stat -c permissions=%a /etc/origin/openvswitch/ /etc/cni/net.d/" 894 use_multiple_values: true 895 tests: 896 test_items: 897 - flag: "permissions" 898 compare: 899 op: bitmask 900 value: "644" 901 remediation: | 902 Run the below command. 903 904 chmod 644 -R /etc/origin/openvswitch/ /etc/cni/net.d/ 905 scored: true 906 907 - id: 4.10 908 text: "Verify the default OpenShift Container Network Interface file ownership" 909 audit: "stat -c %U:%G /etc/origin/openvswitch/ /etc/cni/net.d/" 910 use_multiple_values: true 911 tests: 912 test_items: 913 - flag: "root:root" 914 remediation: | 915 Run the below command on the master node. 
916 917 chown root:root /etc/origin/openvswitch/ /etc/cni/net.d/ 918 scored: true 919 920 - id: 4.11 921 text: "Verify the default OpenShift etcd data directory permissions" 922 audit: "stat -c permissions=%a /var/lib/etcd" 923 tests: 924 test_items: 925 - flag: "permissions" 926 compare: 927 op: bitmask 928 value: "700" 929 remediation: | 930 On the etcd server node, get the etcd data directory, passed as an argument --data-dir , 931 from the below command: 932 ps -ef | grep etcd 933 Run the below command (based on the etcd data directory found above). For example, 934 chmod 700 /var/lib/etcd 935 scored: true 936 937 - id: 4.12 938 text: "Verify the default OpenShift etcd data directory ownership" 939 audit: "stat -c %U:%G /var/lib/etcd" 940 tests: 941 test_items: 942 - flag: "etcd:etcd" 943 remediation: | 944 Run the below command on the master node. 945 946 chown etcd:etcd /var/lib/etcd 947 scored: true 948 949 - id: 4.13 950 text: "Verify the default OpenShift admin.conf file permissions" 951 audit: "stat -c permissions=%a /etc/origin/master/admin.kubeconfig" 952 tests: 953 test_items: 954 - flag: "permissions" 955 compare: 956 op: bitmask 957 value: "644" 958 remediation: | 959 Run the below command. 960 961 chmod 644 /etc/origin/master/admin.kubeconfig" 962 scored: true 963 964 - id: 4.14 965 text: "Verify the default OpenShift admin.conf file ownership" 966 audit: "stat -c %U:%G /etc/origin/master/admin.kubeconfig" 967 tests: 968 test_items: 969 - flag: "root:root" 970 remediation: | 971 Run the below command on the master node. 972 973 chown root:root /etc/origin/master/admin.kubeconfig 974 scored: true 975 976 - id: 4.15 977 text: "Verify the default OpenShift scheduler.conf file permissions" 978 audit: "stat -c permissions=%a /etc/origin/master/openshift-master.kubeconfig" 979 tests: 980 test_items: 981 - flag: "permissions" 982 compare: 983 op: bitmask 984 value: "644" 985 remediation: | 986 Run the below command. 
987 988 chmod 644 /etc/origin/master/openshift-master.kubeconfig 989 scored: true 990 991 - id: 4.16 992 text: "Verify the default OpenShift scheduler.conf file ownership" 993 audit: "stat -c %U:%G /etc/origin/master/openshift-master.kubeconfig" 994 tests: 995 test_items: 996 - flag: "root:root" 997 remediation: | 998 Run the below command on the master node. 999 1000 chown root:root /etc/origin/master/openshift-master.kubeconfig 1001 scored: true 1002 1003 - id: 4.17 1004 text: "Verify the default Openshift controller-manager.conf file permissions" 1005 audit: "stat -c permissions=%a /etc/origin/master/openshift-master.kubeconfig" 1006 tests: 1007 test_items: 1008 - flag: "permissions" 1009 compare: 1010 op: bitmask 1011 value: "644" 1012 remediation: | 1013 Run the below command. 1014 1015 chmod 644 /etc/origin/master/openshift-master.kubeconfig 1016 scored: true 1017 1018 - id: 4.18 1019 text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)" 1020 audit: "stat -c %U:%G /etc/origin/master/openshift-master.kubeconfig" 1021 tests: 1022 test_items: 1023 - flag: "root:root" 1024 compare: 1025 op: eq 1026 value: "root:root" 1027 set: true 1028 remediation: | 1029 Run the below command on the master node. 
1030 1031 chown root:root /etc/origin/master/openshift-master.kubeconfig 1032 scored: true 1033 1034 1035 - id: 5 1036 text: "Etcd" 1037 checks: 1038 - id: 5.1 1039 text: "Verify the default OpenShift cert-file and key-file configuration" 1040 audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_CERT_FILE=/etc/etcd/server.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep ETCD_KEY_FILE=/etc/etcd/server.key /proc/1/environ; grep ETCD_CERT_FILE=/etc/etcd/server.crt /etc/etcd/etcd.conf; grep ETCD_KEY_FILE=/etc/etcd/server.key /etc/etcd/etcd.conf'" 1041 tests: 1042 bin_op: and 1043 test_items: 1044 - flag: "Binary file /proc/1/environ matches" 1045 - flag: "ETCD_CERT_FILE" 1046 compare: 1047 op: eq 1048 value: "/etc/etcd/server.crt" 1049 - flag: "ETCD_KEY_FILE" 1050 compare: 1051 op: eq 1052 value: "/etc/etcd/server.key" 1053 remediation: | 1054 Reset to the OpenShift default configuration. 1055 scored: true 1056 1057 - id: 5.2 1058 text: "Verify the default OpenShift setting for the client-cert-auth argument" 1059 audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'" 1060 tests: 1061 bin_op: and 1062 test_items: 1063 - flag: "Binary file /proc/1/environ matches" 1064 - flag: "ETCD_CLIENT_CERT_AUTH" 1065 compare: 1066 op: eq 1067 value: "true" 1068 remediation: | 1069 Reset to the OpenShift default configuration. 1070 scored: true 1071 1072 - id: 5.3 1073 text: "Verify the OpenShift default values for etcd_auto_tls" 1074 audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_AUTO_TLS /proc/1/environ; grep ETCD_AUTO_TLS /etc/etcd/etcd.conf'" 1075 tests: 1076 bin_op: or 1077 test_items: 1078 - flag: "ETCD_AUTO_TLS" 1079 compare: 1080 op: eq 1081 value: "false" 1082 remediation: | 1083 Reset to the OpenShift default configuration. 
        scored: true

      - id: 5.4
        text: "Verify the OpenShift default peer-cert-file and peer-key-file arguments for etcd"
        # Peer (member-to-member) TLS material. The environ greps pin the full
        # NAME=value; the etcd.conf greps match the name only and rely on the
        # eq compares below for the value.
        audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CERT_FILE=/etc/etcd/peer.crt /proc/1/environ; /usr/local/bin/master-exec etcd etcd grep ETCD_PEER_KEY_FILE=/etc/etcd/peer.key /proc/1/environ; grep ETCD_PEER_CERT_FILE /etc/etcd/etcd.conf; grep ETCD_PEER_KEY_FILE /etc/etcd/etcd.conf'"
        tests:
          bin_op: and
          test_items:
            - flag: "Binary file /proc/1/environ matches"
            - flag: "ETCD_PEER_CERT_FILE"
              compare:
                op: eq
                value: "/etc/etcd/peer.crt"
            - flag: "ETCD_PEER_KEY_FILE"
              compare:
                op: eq
                value: "/etc/etcd/peer.key"
        remediation: |
          Reset to the OpenShift default configuration.
        scored: true

      - id: 5.5
        text: "Verify the OpenShift default configuration for the peer-client-cert-auth"
        # Require peers to present a certificate from the peer CA; otherwise a
        # host that can reach the peer port could potentially join the cluster
        # and replicate its data.
        audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_CLIENT_CERT_AUTH=true /proc/1/environ; grep ETCD_PEER_CLIENT_CERT_AUTH /etc/etcd/etcd.conf'"
        tests:
          bin_op: and
          test_items:
            - flag: "Binary file /proc/1/environ matches"
            - flag: "ETCD_PEER_CLIENT_CERT_AUTH"
              compare:
                op: eq
                value: "true"
        remediation: |
          Reset to the OpenShift default configuration.
        scored: true

      - id: 5.6
        text: "Verify the OpenShift default configuration for the peer-auto-tls argument"
        # Same concern as 5.3, for the peer listener.
        audit: "/bin/sh -c '/usr/local/bin/master-exec etcd etcd grep ETCD_PEER_AUTO_TLS /proc/1/environ; grep ETCD_PEER_AUTO_TLS /etc/etcd/etcd.conf'"
        tests:
          # No "Binary file ... matches" item here either: the etcd.conf line is
          # what gets evaluated. noteq passes for any explicit value other than
          # "true".
          # NOTE(review): if ETCD_PEER_AUTO_TLS is absent from etcd.conf the flag
          # is never found and the item FAILs even though etcd's default is
          # peer-auto-tls off; a `set: false` alternative as in 1.7 would be
          # needed to accept that case - confirm against a default install.
          test_items:
            - flag: "ETCD_PEER_AUTO_TLS"
              compare:
                op: noteq
                value: "true"
        remediation: |
          Reset to the OpenShift default configuration.
1131 scored: true 1132 1133 - id: 5.7 1134 text: "Optionally modify the wal-dir argument" 1135 type: "skip" 1136 scored: true 1137 1138 - id: 5.8 1139 text: "Optionally modify the max-wals argument" 1140 type: "skip" 1141 scored: true 1142 1143 - id: 5.9 1144 text: "Verify the OpenShift default configuration for the etcd Certificate Authority" 1145 audit: "openssl x509 -in /etc/origin/master/master.etcd-ca.crt -subject -issuer -noout | sed 's/@/ /'" 1146 tests: 1147 test_items: 1148 - flag: "issuer= /CN=etcd-signer" 1149 remediation: | 1150 Reset to the OpenShift default configuration. 1151 scored: false 1152 1153 1154 - id: 6 1155 text: "General Security Primitives" 1156 checks: 1157 - id: 6.1 1158 text: "Ensure that the cluster-admin role is only used where required" 1159 type: "manual" 1160 remediation: | 1161 [Manual test] 1162 Review users, groups, serviceaccounts bound to cluster-admin: 1163 oc get clusterrolebindings | grep cluster-admin 1164 1165 Review users and groups bound to cluster-admin and decide whether they require 1166 such access. Consider creating least-privilege roles for users and service accounts 1167 scored: false 1168 1169 - id: 6.2 1170 text: "Verify Security Context Constraints as in use" 1171 type: "manual" 1172 remediation: | 1173 [Manual test] 1174 Review Security Context Constraints: 1175 oc get scc 1176 1177 Use OpenShift's Security Context Constraint feature, which has been contributed 1178 to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10. 1179 OpenShift ships with two SCCs: restricted and privileged. 1180 1181 The two default SCCs will be created when the master is started. The restricted 1182 SCC is granted to all authenticated users by default. 
1183 1184 https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html" 1185 scored: false 1186 1187 - id: 6.3 1188 text: "Use OpenShift projects to maintain boundaries between resources" 1189 type: "manual" 1190 remediation: | 1191 [Manual test] 1192 Review projects: 1193 oc get projects 1194 scored: false 1195 1196 - id: 6.4 1197 text: "Create network segmentation using the Multi-tenant plugin or Network Policies" 1198 type: "manual" 1199 remediation: | 1200 [Manual test] 1201 Verify on masters the plugin being used: 1202 grep networkPluginName /etc/origin/master/master-config.yaml 1203 1204 OpenShift provides multi-tenant networking isolation (using Open vSwich and 1205 vXLAN), to segregate network traffic between containers belonging to different 1206 tenants (users or applications) while running on a shared cluster. Red Hat also 1207 works with 3rd-party SDN vendors to provide the same level of capabilities 1208 integrated with OpenShift. OpenShift SDN is included a part of OpenShift 1209 subscription. 1210 1211 OpenShift supports Kubernetes NetworkPolicy. Administrator must configure 1212 NetworkPolicies if desired. 1213 1214 https://docs.openshift.com/container-platform/3.10/architecture/networking/sdn.html#architecture-additional-concepts-sdn 1215 1216 Ansible Inventory variable: os_sdn_network_plugin_name: 1217 https://docs.openshift.com/container-platform/3.10/install/configuring_inventory_file.html 1218 scored: false 1219 1220 - id: 6.5 1221 text: "Enable seccomp and configure custom Security Context Constraints" 1222 type: "manual" 1223 remediation: | 1224 [Manual test] 1225 Verify SCCs that have been configured with seccomp: 1226 oc get scc -ocustom-columns=NAME:.metadata.name,SECCOMP-PROFILES:.seccompProfiles 1227 1228 OpenShift does not enable seccomp by default. 
To configure seccomp profiles that 1229 are applied to pods run by the SCC, follow the instructions in the 1230 documentation: 1231 1232 https://docs.openshift.com/container-platform/3.9/admin_guide/seccomp.html#admin-guide-seccomp 1233 scored: false 1234 1235 - id: 6.6 1236 text: "Review Security Context Constraints" 1237 type: "manual" 1238 remediation: | 1239 [Manual test] 1240 Review SCCs: 1241 oc describe scc 1242 1243 Use OpenShift's Security Context Constraint feature, which has been contributed 1244 to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10. 1245 1246 OpenShift ships with two SCCs: restricted and privileged. The two default SCCs 1247 will be created when the master is started. The restricted SCC is granted to 1248 all authenticated users by default. 1249 1250 All pods are run under the restricted SCC by default. Running a pod under any 1251 other SCC requires an account with cluster admin capabilities to grant access 1252 for the service account. 1253 1254 SecurityContextConstraints limit what securityContext is applied to pods and 1255 containers. 1256 1257 https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html 1258 scored: false 1259 1260 - id: 6.7 1261 text: "Manage Image Provenance using ImagePolicyWebhook admission controller" 1262 type: "manual" 1263 remediation: | 1264 [Manual test] 1265 Review imagePolicyConfig in /etc/origin/master/master-config.yaml. 1266 scored: false 1267 1268 - id: 6.8 1269 text: "Configure Network policies as appropriate" 1270 type: "manual" 1271 remediation: | 1272 [Manual test] 1273 If ovs-networkplugin is used, review network policies: 1274 oc get networkpolicies 1275 1276 OpenShift supports Kubernetes NetworkPolicy via ovs-networkpolicy plugin. 1277 If choosing ovs-multitenant plugin, each namespace is isolated in its own 1278 netnamespace by default. 
1279 scored: false 1280 1281 - id: 6.9 1282 text: "Use Security Context Constraints as compensating controls for privileged containers" 1283 type: "manual" 1284 remediation: | 1285 [Manual test] 1286 1) Determine all sccs allowing privileged containers: 1287 oc get scc -ocustom-columns=NAME:.metadata.name,ALLOWS_PRIVILEGED:.allowPrivilegedContainer 1288 2) Review users and groups assigned to sccs allowing priviliged containers: 1289 oc describe sccs <from (1)> 1290 1291 Use OpenShift's Security Context Constraint feature, which has been contributed 1292 to Kubernetes as Pod Security Policies. PSPs are still beta in Kubernetes 1.10. 1293 1294 OpenShift ships with two SCCs: restricted and privileged. The two default SCCs 1295 will be created when the master is started. The restricted SCC is granted to all 1296 authenticated users by default. 1297 1298 Similar scenarios are documented in the SCC 1299 documentation, which outlines granting SCC access to specific serviceaccounts. 1300 Administrators may create least-restrictive SCCs based on individual container 1301 needs. 1302 1303 For example, if a container only requires running as the root user, the anyuid 1304 SCC can be used, which will not expose additional access granted by running 1305 privileged containers. 1306 1307 https://docs.openshift.com/container-platform/3.10/admin_guide/manage_scc.html 1308 scored: false