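---
# kube-bench controls for OpenShift 3.x worker nodes (cfg/rh-0.7/node.yaml).
# `controls:` is a bare key; `version`, `id`, `text`, `type` and `groups` are
# its top-level siblings, which is the layout kube-bench reads.
# Check ids are quoted so a YAML 1.1 parser does not read `7.10` as the
# float 7.1 and collapse it onto id 7.1; kube-bench stores ids as strings.
controls:
version: "rh-0.7"
id: "2"
text: "Worker Node Security Configuration"
type: "node"
groups:
  - id: "7"
    text: "Kubelet"
    checks:
      # Checks that combine `set: false` with a compare under `bin_op: or`
      # pass when the argument is absent from node-config.yaml, i.e. they
      # rely on the OpenShift default for that kubelet argument.
      - id: "7.1"
        text: "Use Security Context Constraints to manage privileged containers as needed"
        type: "skip"
        scored: true

      - id: "7.2"
        text: "Ensure anonymous-auth is not disabled"
        type: "skip"
        scored: true

      - id: "7.3"
        text: "Verify that the --authorization-mode argument is set to Webhook"
        audit_config: "cat /etc/origin/node/node-config.yaml"
        tests:
          bin_op: or
          test_items:
            - path: "{.kubeletArguments.authorization-mode}"
              set: false
            - path: "{.kubeletArguments.authorization-mode}"
              compare:
                # `has` is a substring match, so the value must keep this case.
                op: has
                value: "Webhook"
        remediation: |
          Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
          kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
        scored: true

      - id: "7.4"
        text: "Verify the OpenShift default for the client-ca-file argument"
        audit_config: "cat /etc/origin/node/node-config.yaml"
        tests:
          test_items:
            # Passes only when the key is absent (OpenShift default in use).
            - path: "{.PodManifestConfig.client-ca-file}"
              set: false
        remediation: |
          Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
          grep -A1 client-ca-file /etc/origin/node/node-config.yaml

          Reset to the OpenShift default.
          See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
          The config file does not have this defined in kubeletArguments, but in PodManifestConfig.
        scored: true

      - id: "7.5"
        text: "Verify the OpenShift default setting for the read-only-port argument"
        audit_config: "cat /etc/origin/node/node-config.yaml"
        tests:
          bin_op: or
          test_items:
            - path: "{.kubeletArguments.read-only-port}"
              set: false
            - path: "{.kubeletArguments.read-only-port}"
              compare:
                op: eq
                value: "0"
        remediation: |
          Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove read-only-port from
          kubeletArguments so that the OpenShift default is applied.
        scored: true

      - id: "7.6"
        text: "Adjust the streaming-connection-idle-timeout argument"
        audit_config: "cat /etc/origin/node/node-config.yaml"
        tests:
          bin_op: or
          test_items:
            - path: "{.kubeletArguments.streaming-connection-idle-timeout}"
              set: false
            - path: "{.kubeletArguments.streaming-connection-idle-timeout}"
              compare:
                op: eq
                value: "5m"
        remediation: |
          Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-idle-timeout
          value like the following in node-config.yaml.

          kubeletArguments:
            streaming-connection-idle-timeout:
              - "5m"
        scored: true

      - id: "7.7"
        text: "Verify the OpenShift defaults for the protect-kernel-defaults argument"
        type: "skip"
        scored: true

      - id: "7.8"
        text: "Verify the OpenShift default value of true for the make-iptables-util-chains argument"
        audit_config: "cat /etc/origin/node/node-config.yaml"
        tests:
          bin_op: or
          test_items:
            - path: "{.kubeletArguments.make-iptables-util-chains}"
              set: false
            - path: "{.kubeletArguments.make-iptables-util-chains}"
              compare:
                op: eq
                value: "true"
        remediation: |
          Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
          default value of true.
        scored: true

      - id: "7.9"
        text: "Verify that the --keep-terminated-pod-volumes argument is set to false"
        audit_config: "cat /etc/origin/node/node-config.yaml"
        tests:
          bin_op: or
          test_items:
            - path: "{.kubeletArguments.keep-terminated-pod-volumes}"
              set: false
            - path: "{.kubeletArguments.keep-terminated-pod-volumes}"
              compare:
                op: eq
                value: "false"
        remediation: |
          Reset to the OpenShift defaults
        scored: true

      - id: "7.10"
        text: "Verify the OpenShift defaults for the hostname-override argument"
        type: "skip"
        scored: true

      - id: "7.11"
        text: "Set the --event-qps argument to 0"
        audit_config: "cat /etc/origin/node/node-config.yaml"
        tests:
          bin_op: or
          test_items:
            - path: "{.kubeletArguments.event-qps}"
              set: false
            - path: "{.kubeletArguments.event-qps}"
              compare:
                op: eq
                value: "0"
        remediation: |
          Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
          the kubeletArguments section.
        scored: true

      - id: "7.12"
        text: "Verify the OpenShift cert-dir flag for HTTPS traffic"
        audit_config: "cat /etc/origin/node/node-config.yaml"
        tests:
          test_items:
            # No `set: false` alternative here: a missing cert-dir fails the check.
            - path: "{.kubeletArguments.cert-dir}"
              compare:
                op: has
                value: "/etc/origin/node/certificates"
        remediation: |
          Reset to the OpenShift default values.
        scored: true

      - id: "7.13"
        text: "Verify the OpenShift default of 0 for the cadvisor-port argument"
        audit_config: "cat /etc/origin/node/node-config.yaml"
        tests:
          bin_op: or
          test_items:
            - path: "{.kubeletArguments.cadvisor-port}"
              set: false
            - path: "{.kubeletArguments.cadvisor-port}"
              compare:
                op: eq
                value: "0"
        remediation: |
          Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
          if it is set in the kubeletArguments section.
        scored: true

      - id: "7.14"
        text: "Verify that the RotateKubeletClientCertificate argument is set to true"
        audit_config: "cat /etc/origin/node/node-config.yaml"
        tests:
          test_items:
            # feature-gates is a list of key=value entries; `has` looks for this exact entry.
            - path: "{.kubeletArguments.feature-gates}"
              compare:
                op: has
                value: "RotateKubeletClientCertificate=true"
        remediation: |
          Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
        scored: true

      - id: "7.15"
        text: "Verify that the RotateKubeletServerCertificate argument is set to true"
        audit_config: "cat /etc/origin/node/node-config.yaml"
        tests:
          test_items:
            - path: "{.kubeletArguments.feature-gates}"
              compare:
                op: has
                value: "RotateKubeletServerCertificate=true"
        remediation: |
          Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
        scored: true

  - id: "8"
    text: "Configuration Files"
    checks:
      # `bitmask` passes when the observed mode is no more permissive than the
      # value, so 600 or 640 also satisfy a 644 check.
      - id: "8.1"
        text: "Verify the OpenShift default permissions for the kubelet.conf file"
        audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command on each worker node.
          chmod 644 /etc/origin/node/node.kubeconfig
        scored: true

      - id: "8.2"
        text: "Verify the kubeconfig file ownership of root:root"
        audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command on each worker node.
          chown root:root /etc/origin/node/node.kubeconfig
        scored: true

      # `$kubeletsvc` is expanded by kube-bench from its configuration before
      # the audit command runs.
      - id: "8.3"
        text: "Verify the kubelet service file permissions of 644"
        audit: "stat -c permissions=%a $kubeletsvc"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command on each worker node.
          chmod 644 $kubeletsvc
        scored: true

      - id: "8.4"
        text: "Verify the kubelet service file ownership of root:root"
        audit: "stat -c %U:%G $kubeletsvc"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command on each worker node.
          chown root:root $kubeletsvc
        scored: true

      # NOTE(review): 8.5 and 8.6 audit /etc/origin/node/node.kubeconfig, the
      # same file as 8.1 and 8.2 — confirm this is the intended proxy kubeconfig.
      - id: "8.5"
        text: "Verify the OpenShift default permissions for the proxy kubeconfig file"
        audit: "stat -c permissions=%a /etc/origin/node/node.kubeconfig"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command on each worker node.
          chmod 644 /etc/origin/node/node.kubeconfig
        scored: true

      - id: "8.6"
        text: "Verify the proxy kubeconfig file ownership of root:root"
        audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command on each worker node.
          chown root:root /etc/origin/node/node.kubeconfig
        scored: true

      - id: "8.7"
        text: "Verify the OpenShift default permissions for the certificate authorities file."
        audit: "stat -c permissions=%a /etc/origin/node/client-ca.crt"
        tests:
          test_items:
            - flag: "permissions"
              compare:
                op: bitmask
                value: "644"
        remediation: |
          Run the below command on each worker node.
          chmod 644 /etc/origin/node/client-ca.crt
        scored: true

      - id: "8.8"
        text: "Verify the client certificate authorities file ownership of root:root"
        audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
        tests:
          test_items:
            - flag: "root:root"
        remediation: |
          Run the below command on each worker node.
          chown root:root /etc/origin/node/client-ca.crt
        scored: true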