
     1  ---
     2  controls:
     3  version: rh-1.0
     4  id: 3
     5  text: "Control Plane Configuration"
     6  type: "controlplane"
     7  groups:
     8    - id: 3.1
     9      text: "Authentication and Authorization"
    10      checks:
    11        - id: 3.1.1
    12          text: "Client certificate authentication should not be used for users (Manual)"
    13          audit: |
    14            # To verify user authentication is enabled
    15            oc describe authentication
    16            # To verify that an identity provider is configured
    17            oc get identity
    18            # To verify that a custom cluster-admin user exists
    19            oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin | grep User
    20            # To verity that kbueadmin is removed, no results should be returned
    21            oc get secrets kubeadmin -n kube-system
    22          type: manual
    23          remediation: |
    24            Configure an identity provider for the OpenShift cluster.
    25            Understanding identity provider configuration | Authentication | OpenShift
    26            Container Platform 4.5. Once an identity provider has been defined,
    27            you can use RBAC to define and apply permissions.
    28            After you define an identity provider and create a new cluster-admin user,
    29            remove the kubeadmin user to improve cluster security.
    30          scored: false
    31  
    32    - id: 3.2
    33      text: "Logging"
    34      checks:
    35        - id: 3.2.1
    36          text: "Ensure that a minimal audit policy is created (Manual)"
    37          audit: |
    38            #To view kube apiserver log files
    39            oc adm node-logs --role=master --path=kube-apiserver/
    40            #To view openshift apiserver log files
    41            oc adm node-logs --role=master --path=openshift-apiserver/
    42            #To verify kube apiserver audit config
    43            oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]?'
    44            #To verify openshift apiserver audit config
    45            oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]?'
    46          type: manual
    47          remediation: |
    48            No remediation required.
    49          scored: false
    50  
    51        - id: 3.2.2
    52          text: "Ensure that the audit policy covers key security concerns (Manual)"
    53          audit: |
    54            #To verify openshift apiserver audit config
    55            oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'
    56            #To verify kube apiserver audit config
    57            oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'
    58          type: manual
    59          remediation: |
    60            In OpenShift 4.6 and higher, if appropriate for your needs,
    61            modify the audit policy.
    62          scored: false