Skip to content

Commit

Permalink
Merge branch 'main' into dependabot/go_modules/github.com/aws/aws-sdk…
Browse files Browse the repository at this point in the history 
…-go-v2/service/securityhub-1.53.3
  • Loading branch information
@afdesk
afdesk authored Sep 30, 2024
2 parents 448a23a + 674d8e8 commit eb22797
Show file tree
Hide file tree
Showing 6 changed files with 47 additions and 14 deletions.
7 changes: 3 additions & 4 deletions cfg/cis-1.7/master.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -345,16 +345,15 @@ groups:
text: "Ensure that the --DenyServiceExternalIPs is set (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--enable-admission-plugins"
compare:
op: have
op: has
value: "DenyServiceExternalIPs"
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and remove the `DenyServiceExternalIPs`
from enabled admission plugins.
on the control plane node and add the `DenyServiceExternalIPs` plugin
to the enabled admission plugins, as such --enable-admission-plugin=DenyServiceExternalIPs.
scored: false

- id: 1.2.4
Expand Down
7 changes: 3 additions & 4 deletions cfg/cis-1.8/master.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -345,16 +345,15 @@ groups:
text: "Ensure that the --DenyServiceExternalIPs is set (Manual)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--enable-admission-plugins"
compare:
op: have
op: has
value: "DenyServiceExternalIPs"
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and remove the `DenyServiceExternalIPs`
from enabled admission plugins.
on the control plane node and add the `DenyServiceExternalIPs` plugin
to the enabled admission plugins, as such --enable-admission-plugin=DenyServiceExternalIPs.
scored: false

- id: 1.2.4
Expand Down
2 changes: 2 additions & 0 deletions cfg/cis-1.9/controlplane.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,15 @@ groups:
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
implemented in place of client certificates.
scored: false

- id: 3.1.2
text: "Service account token authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented
in place of service account tokens.
scored: false

- id: 3.1.3
text: "Bootstrap token authentication should not be used for users (Manual)"
type: "manual"
Expand Down
6 changes: 3 additions & 3 deletions cfg/cis-1.9/master.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -360,12 +360,12 @@ groups:
test_items:
- flag: "--enable-admission-plugins"
compare:
op: have
op: has
value: "DenyServiceExternalIPs"
remediation: |
Edit the API server pod specification file $apiserverconf
on the control plane node and remove the `DenyServiceExternalIPs`
from enabled admission plugins.
on the control plane node and add the `DenyServiceExternalIPs` plugin
to the enabled admission plugins, as such --enable-admission-plugin=DenyServiceExternalIPs.
scored: false

- id: 1.2.4
Expand Down
37 changes: 35 additions & 2 deletions cfg/cis-1.9/policies.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ groups:
else
is_compliant="true"
fi;
echo "**role_name: ${role_name} role_binding: ${rolebinding} subject: ${subject} is_compliant: ${is_compliant}"
echo "**role_name: ${role_name} role_binding: ${role_binding} subject: ${subject} is_compliant: ${is_compliant}"
done
use_multiple_values: true
tests:
Expand All @@ -34,6 +34,7 @@ groups:
clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name]
Condition: is_compliant is false if rolename is not cluster-admin and rolebinding is cluster-admin.
scored: true

- id: 5.1.2
text: "Minimize access to secrets (Automated)"
audit: "echo \"canGetListWatchSecretsAsSystemAuthenticated: $(kubectl auth can-i get,list,watch secrets --all-namespaces --as=system:authenticated)\""
Expand All @@ -46,6 +47,7 @@ groups:
remediation: |
Where possible, remove get, list and watch access to Secret objects in the cluster.
scored: true

- id: 5.1.3
text: "Minimize wildcard use in Roles and ClusterRoles (Automated)"
audit: |
Expand Down Expand Up @@ -92,6 +94,7 @@ groups:
Condition: role_is_compliant is false if ["*"] is found in rules.
Condition: clusterrole_is_compliant is false if ["*"] is found in rules.
scored: true

- id: 5.1.4
text: "Minimize access to create pods (Automated)"
audit: |
Expand All @@ -106,7 +109,7 @@ groups:
Where possible, remove create access to pod objects in the cluster.
scored: true
- id: 5.1.5
text: "Ensure that default service accounts are not actively used. (Automated)"
text: "Ensure that default service accounts are not actively used (Automated)"
audit: |
kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | " namespace: \(.metadata.namespace), kind: \(.kind), name: \(.metadata.name), automountServiceAccountToken: \(.automountServiceAccountToken | if . == null then "notset" else . end )"' | xargs -L 1
use_multiple_values: true
Expand All @@ -123,6 +126,7 @@ groups:
Modify the configuration of each default service account to include this value
`automountServiceAccountToken: false`.
scored: true

- id: 5.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Automated)"
audit: |
Expand Down Expand Up @@ -155,48 +159,56 @@ groups:
- ServiceAccount is automountServiceAccountToken: false and Pod is automountServiceAccountToken: false or notset
- ServiceAccount is automountServiceAccountToken: true notset and Pod is automountServiceAccountToken: false
scored: true

- id: 5.1.7
text: "Avoid use of system:masters group (Manual)"
type: "manual"
remediation: |
Remove the system:masters group from all users in the cluster.
scored: false

- id: 5.1.8
text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
type: "manual"
remediation: |
Where possible, remove the impersonate, bind and escalate rights from subjects.
scored: false

- id: 5.1.9
text: "Minimize access to create persistent volumes (Manual)"
type: "manual"
remediation: |
Where possible, remove create access to PersistentVolume objects in the cluster.
scored: false

- id: 5.1.10
text: "Minimize access to the proxy sub-resource of nodes (Manual)"
type: "manual"
remediation: |
Where possible, remove access to the proxy sub-resource of node objects.
scored: false

- id: 5.1.11
text: "Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)"
type: "manual"
remediation: |
Where possible, remove access to the approval sub-resource of certificatesigningrequest objects.
scored: false

- id: 5.1.12
text: "Minimize access to webhook configuration objects (Manual)"
type: "manual"
remediation: |
Where possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects
scored: false

- id: 5.1.13
text: "Minimize access to the service account token creation (Manual)"
type: "manual"
remediation: |
Where possible, remove access to the token sub-resource of serviceaccount objects.
scored: false

- id: 5.2
text: "Pod Security Standards"
checks:
Expand All @@ -207,62 +219,71 @@ groups:
Ensure that either Pod Security Admission or an external policy control system is in place
for every namespace which contains user workloads.
scored: false

- id: 5.2.2
text: "Minimize the admission of privileged containers (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of privileged containers.
scored: false

- id: 5.2.3
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostPID` containers.
scored: false

- id: 5.2.4
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostIPC` containers.
scored: false

- id: 5.2.5
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostNetwork` containers.
scored: false

- id: 5.2.6
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.
scored: false

- id: 5.2.7
text: "Minimize the admission of root containers (Manual)"
type: "manual"
remediation: |
Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot`
or `MustRunAs` with the range of UIDs not including 0, is set.
scored: false

- id: 5.2.8
text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with the `NET_RAW` capability.
scored: false

- id: 5.2.9
text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual"
remediation: |
Ensure that `allowedCapabilities` is not present in policies for the cluster unless
it is set to an empty array.
scored: false

- id: 5.2.10
text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual"
Expand All @@ -271,27 +292,31 @@ groups:
contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities.
scored: false

- id: 5.2.11
text: "Minimize the admission of Windows HostProcess containers (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers that have `.securityContext.windowsOptions.hostProcess` set to `true`.
scored: false

- id: 5.2.12
text: "Minimize the admission of HostPath volumes (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with `hostPath` volumes.
scored: false

- id: 5.2.13
text: "Minimize the admission of containers which use HostPorts (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers which use `hostPort` sections.
scored: false

- id: 5.3
text: "Network Policies and CNI"
checks:
Expand All @@ -303,12 +328,14 @@ groups:
making use of a different plugin, or finding an alternate mechanism for restricting traffic
in the Kubernetes cluster.
scored: false

- id: 5.3.2
text: "Ensure that all Namespaces have NetworkPolicies defined (Manual)"
type: "manual"
remediation: |
Follow the documentation and create NetworkPolicy objects as you need them.
scored: false

- id: 5.4
text: "Secrets Management"
checks:
Expand All @@ -319,13 +346,15 @@ groups:
If possible, rewrite application code to read Secrets from mounted secret files, rather than
from environment variables.
scored: false

- id: 5.4.2
text: "Consider external secret storage (Manual)"
type: "manual"
remediation: |
Refer to the Secrets management options offered by your cloud provider or a third-party
secrets management solution.
scored: false

- id: 5.5
text: "Extensible Admission Control"
checks:
Expand All @@ -335,6 +364,7 @@ groups:
remediation: |
Follow the Kubernetes documentation and setup image provenance.
scored: false

- id: 5.7
text: "General Policies"
checks:
Expand All @@ -345,6 +375,7 @@ groups:
Follow the documentation and create namespaces for objects in your deployment as you need
them.
scored: false

- id: 5.7.2
text: "Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"
type: "manual"
Expand All @@ -355,6 +386,7 @@ groups:
seccompProfile:
type: RuntimeDefault
scored: false

- id: 5.7.3
text: "Apply SecurityContext to your Pods and Containers (Manual)"
type: "manual"
Expand All @@ -363,6 +395,7 @@ groups:
suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker
Containers.
scored: false

- id: 5.7.4
text: "The default namespace should not be used (Manual)"
type: "manual"
Expand Down
2 changes: 1 addition & 1 deletion docs/running.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutabilit
git clone https://github.com/aquasecurity/kube-bench.git
cd kube-bench
aws ecr get-login-password --region <AWS_REGION> | docker login --username AWS --password-stdin <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com
docker build -t k8s/kube-bench .
make build-docker IMAGE_NAME=k8s/kube-bench
docker tag k8s/kube-bench:latest <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:latest
```
Expand Down

0 comments on commit eb22797

Please sign in to comment.