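---
# kube-bench check definitions for the OpenShift "rh-1.0" benchmark, section 5
# (Kubernetes Policies). Every check in this file is `scored: false`; the
# `type: "manual"` checks carry no audit command and only print remediation
# text, while the 5.2.x checks run an `audit` shell snippet whose output is
# matched by `tests`.
#
# Fixes relative to the previous revision (text only, no check semantics changed):
#   - group ids quoted so a YAML 1.1 parser cannot fold them as floats
#     (e.g. a future "5.10" would otherwise load as 5.1)
#   - typos in 5.2.6 / 5.2.9 remediation text
#   - unterminated markdown link in the 5.5.1 remediation text
controls:
version: rh-1.0
id: 5
text: "Kubernetes Policies"
type: "policies"
groups:
  - id: "5.1"
    text: "RBAC and Service Accounts"
    checks:
      - id: 5.1.1
        text: "Ensure that the cluster-admin role is only used where required (Manual)"
        type: "manual"
        remediation: |
          Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
          if they need this role or if they could use a role with fewer privileges.
          Where possible, first bind users to a lower privileged role and then remove the
          clusterrolebinding to the cluster-admin role :
          kubectl delete clusterrolebinding [name]
        scored: false

      - id: 5.1.2
        text: "Minimize access to secrets (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove get, list and watch access to secret objects in the cluster.
        scored: false

      - id: 5.1.3
        text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
        type: "manual"
        remediation: |
          Where possible replace any use of wildcards in clusterroles and roles with specific
          objects or actions.
        scored: false

      - id: 5.1.4
        text: "Minimize access to create pods (Manual)"
        type: "manual"
        remediation: |
          Where possible, remove create access to pod objects in the cluster.
        scored: false

      - id: 5.1.5
        text: "Ensure that default service accounts are not actively used. (Manual)"
        type: "manual"
        remediation: |
          None required.
        scored: false

      - id: 5.1.6
        text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
        type: "manual"
        remediation: |
          Modify the definition of pods and service accounts which do not need to mount service
          account tokens to disable it.
        scored: false

  - id: "5.2"
    text: "Pod Security Policies"
    checks:
      - id: 5.2.1
        text: "Minimize the admission of privileged containers (Manual)"
        # The audit prints one "<scc name>" line followed by the matching
        # `oc describe` line for EVERY SCC in the cluster, so the `flag: "false"`
        # test below sees the combined output of all SCCs.
        # NOTE(review): a bare flag test looks for the string anywhere in that
        # output; a single permissive SCC next to compliant ones would not be
        # caught on its own — which is why the check stays Manual/unscored.
        # Same pattern applies to 5.2.2 through 5.2.5.
        audit: |
          # needs verification
          for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`;
          do
            echo "$i"; oc describe scc $i | grep "Allow Privileged";
          done
        tests:
          test_items:
            - flag: "false"
        remediation: |
          Create a SCC as described in the OpenShift documentation, ensuring that the Allow
          Privileged field is set to false.
        scored: false

      - id: 5.2.2
        text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
        audit: |
          for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`;
          do
            echo "$i"; oc describe scc $i | grep "Allow Host PID";
          done
        tests:
          test_items:
            - flag: "false"
        remediation: |
          Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
          PID field is set to false.
        scored: false

      - id: 5.2.3
        text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
        audit: |
          for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`;
          do
            echo "$i"; oc describe scc $i | grep "Allow Host IPC";
          done
        tests:
          test_items:
            - flag: "false"
        remediation: |
          Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
          IPC field is set to false.
        scored: false

      - id: 5.2.4
        text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
        audit: |
          for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`;
          do
            echo "$i"; oc describe scc $i | grep "Allow Host Network";
          done
        tests:
          test_items:
            - flag: "false"
        remediation: |
          Create a SCC as described in the OpenShift documentation, ensuring that the Allow Host
          Network field is omitted or set to false.
        scored: false

      - id: 5.2.5
        text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
        audit: |
          for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`;
          do
            echo "$i"; oc describe scc $i | grep "Allow Privilege Escalation";
          done
        tests:
          test_items:
            - flag: "false"
        remediation: |
          Create a SCC as described in the OpenShift documentation, ensuring that the Allow
          Privilege Escalation field is omitted or set to false.
        scored: false

      - id: 5.2.6
        text: "Minimize the admission of root containers (Manual)"
        # Two passes over all SCCs: the first prints the Run As User Strategy,
        # the second prints the UID lines so a MustRunAs range can be inspected.
        audit: |
          # needs verification
          for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`;
          do
            echo "$i";
            oc describe scc $i | grep "Run As User Strategy";
          done
          #For SCCs with MustRunAs verify that the range of UIDs does not include 0
          for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`;
          do
            echo "$i";
            oc describe scc $i | grep "\sUID";
          done
        # Passes when MustRunAsNonRoot is present OR MustRunAs is present with
        # no "0" in the matched output.
        # NOTE(review): if `nothave` is a substring test, a UID range such as
        # 1000-2000 (which excludes 0) would still be flagged because "1000"
        # contains "0" — confirm against kube-bench's compare implementation
        # before relying on this branch.
        tests:
          bin_op: or
          test_items:
            - flag: "MustRunAsNonRoot"
            - flag: "MustRunAs"
              compare:
                op: nothave
                value: 0
        remediation: |
          None required. By default, OpenShift includes the non-root SCC with the Run As User
          Strategy set to MustRunAsNonRoot. If additional SCCs are appropriate, follow the
          OpenShift documentation to create custom SCCs.
        scored: false

      - id: 5.2.7
        text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
        # Passes when either "ALL" or "NET_RAW" appears in any SCC's
        # Required Drop Capabilities line (same all-SCCs caveat as 5.2.1).
        audit: |
          # needs verification
          for i in `oc get scc --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'`;
          do
            echo "$i";
            oc describe scc $i | grep "Required Drop Capabilities";
          done
        tests:
          bin_op: or
          test_items:
            - flag: "ALL"
            - flag: "NET_RAW"
        remediation: |
          Create a SCC as described in the OpenShift documentation, ensuring that the Required
          Drop Capabilities is set to include either NET_RAW or ALL.
        scored: false

      - id: 5.2.8
        text: "Minimize the admission of containers with added capabilities (Manual)"
        type: "manual"
        remediation: |
          Ensure that Allowed Capabilities is set to an empty array for every SCC in the cluster
          except for the privileged SCC.
        scored: false

      - id: 5.2.9
        text: "Minimize the admission of containers with capabilities assigned (Manual)"
        type: "manual"
        remediation: |
          Review the use of capabilities in applications running on your cluster. Where a namespace
          contains applications which do not require any Linux capabilities to operate consider
          adding a SCC which forbids the admission of containers which do not drop all capabilities.
        scored: false

  - id: "5.3"
    text: "Network Policies and CNI"
    checks:
      - id: 5.3.1
        text: "Ensure that the CNI in use supports Network Policies (Manual)"
        type: "manual"
        remediation: |
          None required.
        scored: false

      - id: 5.3.2
        text: "Ensure that all Namespaces have Network Policies defined (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create NetworkPolicy objects as you need them.
        scored: false

  - id: "5.4"
    text: "Secrets Management"
    checks:
      - id: 5.4.1
        text: "Prefer using secrets as files over secrets as environment variables (Manual)"
        type: "manual"
        remediation: |
          If possible, rewrite application code to read secrets from mounted secret files, rather than
          from environment variables.
        scored: false

      - id: 5.4.2
        text: "Consider external secret storage (Manual)"
        type: "manual"
        remediation: |
          Refer to the secrets management options offered by your cloud provider or a third-party
          secrets management solution.
        scored: false

  - id: "5.5"
    text: "Extensible Admission Control"
    checks:
      - id: 5.5.1
        text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
        type: "manual"
        remediation: |
          Follow the OpenShift documentation: [Image configuration resources](https://docs.openshift.com/container-platform/4.5/openshift_images/image-configuration.html)
        scored: false

  # Group numbering jumps from 5.5 to 5.7 in this benchmark revision; there is
  # no 5.6 group defined here.
  - id: "5.7"
    text: "General Policies"
    checks:
      - id: 5.7.1
        text: "Create administrative boundaries between resources using namespaces (Manual)"
        type: "manual"
        remediation: |
          Follow the documentation and create namespaces for objects in your deployment as you need
          them.
        scored: false

      - id: 5.7.2
        text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
        type: "manual"
        remediation: |
          To enable the default seccomp profile, use the reserved value /runtime/default that will
          make sure that the pod uses the default policy available on the host.
        scored: false

      - id: 5.7.3
        text: "Apply Security Context to Your Pods and Containers (Manual)"
        type: "manual"
        remediation: |
          Follow the Kubernetes documentation and apply security contexts to your pods. For a
          suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
          Containers.
        scored: false

      - id: 5.7.4
        text: "The default namespace should not be used (Manual)"
        type: "manual"
        remediation: |
          Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
          resources and that all new resources are created in a specific namespace.
        scored: false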