-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for CIS OpenShift 1.6 Benchmark #1682
Open
deebhatia
wants to merge
13
commits into
aquasecurity:main
Choose a base branch
from
VoerEirAB:cis-openshift-1-6
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
0a77022
Add support for CIS Openshift 1.6
deebhatia 71fdfba
Update all TCs in node.yaml
deebhatia a275890
Update all TCs in etcd.yaml
deebhatia a2b4169
Update all TCs in policies.yaml; fix command in rh-1.0 as well
deebhatia a5e5c98
Update all TCs in master.yaml
deebhatia 16501fc
Fixes for node TCs
deebhatia f82dff9
Fixes for node and etcd TCs
deebhatia 3fdbae5
Revert incorrect changes done in rh-1.0 etcd TCs
deebhatia df86977
Add fixes in master TCs and docs
deebhatia 129ca6a
Add fixes in node and etcd TCs
deebhatia bd5fd72
Fix test
deebhatia d2041f5
Add job template for OCP
deebhatia ac899d1
Add accidentally removed gke entry
deebhatia File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| --- | ||
| ## Version-specific settings that override the values in cfg/config.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| --- | ||
| controls: | ||
| version: rh-1.6 | ||
| id: 3 | ||
| text: "Control Plane Configuration" | ||
| type: "controlplane" | ||
| groups: | ||
| - id: 3.1 | ||
| text: "Authentication and Authorization" | ||
| checks: | ||
| - id: 3.1.1 | ||
| text: "Client certificate authentication should not be used for users (Manual)" | ||
| audit: | | ||
| # To verify user authentication is enabled | ||
| oc describe authentication | ||
| # To verify that an identity provider is configured | ||
| oc get oauth -o json | jq '.items[].spec.identityProviders' | ||
| # To verify that a custom cluster-admin user exists | ||
| oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin | grep User | ||
| # To verity that kbueadmin is removed, no results should be returned | ||
| oc get secrets kubeadmin -n kube-system | ||
| type: manual | ||
| remediation: | | ||
| Configure an identity provider for the OpenShift cluster. | ||
| Understanding identity provider configuration | Authentication | OpenShift | ||
| Container Platform 4.15. Once an identity provider has been defined, | ||
| you can use RBAC to define and apply permissions. | ||
| After you define an identity provider and create a new cluster-admin user, | ||
| remove the kubeadmin user to improve cluster security. | ||
| scored: false | ||
|
|
||
| - id: 3.2 | ||
| text: "Logging" | ||
| checks: | ||
| - id: 3.2.1 | ||
| text: "Ensure that a minimal audit policy is created (Manual)" | ||
| audit: | | ||
| #View the audit log profile | ||
| oc get apiserver cluster -o json | jq .spec.audit.profile | ||
| #To verify kube apiserver audit config | ||
| oc get cm -n openshift-kube-apiserver config -o json | jq -r '.data."config.yaml"' | jq .apiServerArguments | ||
| #To verify openshift apiserver audit config | ||
| oc get cm -n openshift-apiserver config -o json | jq -r '.data."config.yaml"' | jq .apiServerArguments | ||
| #Review the audit policies of openshift apiserver | ||
| oc get cm -n openshift-apiserver audit -o json | jq -r '.data."policy.yaml"' | ||
| #Review the audit policies of kube apiserver | ||
| oc get cm -n openshift-kube-apiserver kube-apiserver-audit-policies -o json | jq -r '.data."policy.yaml"' | ||
| #To view kube apiserver log files | ||
| oc adm node-logs --role=master --path=kube-apiserver/ | ||
| #To view openshift apiserver log files | ||
| oc adm node-logs --role=master --path=openshift-apiserver/ | ||
| type: manual | ||
| remediation: | | ||
| No remediation required. | ||
| scored: false | ||
|
|
||
| - id: 3.2.2 | ||
| text: "Ensure that the audit policy covers key security concerns (Manual)" | ||
| audit: | | ||
| #To verify openshift apiserver audit config | ||
| oc get configmap -n openshift-kube-apiserver kube-apiserver-audit-policies -ojson | jq -r '.data."policy.yaml"' | ||
| #To verify kube apiserver audit config | ||
| oc get configmap -n openshift-apiserver audit -o json | jq -r '.data."policy.yaml"' | ||
| type: manual | ||
| remediation: | | ||
| Update the audit log policy profile to use WriteRequestBodies. | ||
| scored: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,185 @@ | ||
| --- | ||
| controls: | ||
| version: rh-1.6 | ||
| id: 2 | ||
| text: "Etcd Node Configuration" | ||
| type: "etcd" | ||
| groups: | ||
| - id: 2 | ||
| text: "Etcd Node Configuration Files" | ||
| checks: | ||
| - id: 2.1 | ||
| text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Manual)" | ||
| audit: | | ||
| # Get the node name where the pod is running | ||
| NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}') | ||
| # Get the pod name in the openshift-etcd namespace | ||
| POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null) | ||
| if [ -z "$POD_NAME" ]; then | ||
| echo "No matching file found on the current node." | ||
| else | ||
| # Execute the stat command | ||
| oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--cert-file=[^ ]*\).*/\1/' | ||
| oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--key-file=[^ ]*\).*/\1/' | ||
| fi | ||
| use_multiple_values: true | ||
| tests: | ||
| test_items: | ||
| - flag: "file" | ||
| compare: | ||
| op: regex | ||
| # some systems have certs in directory '/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs' | ||
| value: \/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-(?:serving|certs)\/etcd-serving-.*\.(?:crt|key) | ||
| remediation: | | ||
| OpenShift does not use the etcd-certfile or etcd-keyfile flags. | ||
| Certificates for etcd are managed by the etcd cluster operator. | ||
| scored: false | ||
|
|
||
| - id: 2.2 | ||
| text: "Ensure that the --client-cert-auth argument is set to true (Manual)" | ||
| audit: | | ||
| # Get the node name where the pod is running | ||
| NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}') | ||
| # Get the pod name in the openshift-etcd namespace | ||
| POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null) | ||
| if [ -z "$POD_NAME" ]; then | ||
| echo "No matching file found on the current node." | ||
| else | ||
| # Execute the stat command | ||
| oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--client-cert-auth=[^ ]*\).*/\1/' | ||
| fi | ||
| use_multiple_values: true | ||
| tests: | ||
| test_items: | ||
| - flag: "--client-cert-auth" | ||
| compare: | ||
| op: eq | ||
| value: true | ||
| remediation: | | ||
| This setting is managed by the cluster etcd operator. No remediation required." | ||
| scored: false | ||
|
|
||
| - id: 2.3 | ||
| text: "Ensure that the --auto-tls argument is not set to true (Manual)" | ||
| audit: | | ||
| # Returns 0 if found, 1 if not found | ||
| # Get the node name where the pod is running | ||
| NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}') | ||
| # Get the pod name in the openshift-etcd namespace | ||
| POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null) | ||
| if [ -z "$POD_NAME" ]; then | ||
| echo "No matching file found on the current node." | ||
| else | ||
| # Execute the stat command | ||
| oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | grep -- --auto-tls=true 2>/dev/null ; echo exit_code=$? | ||
| fi | ||
| use_multiple_values: true | ||
| tests: | ||
| test_items: | ||
| - flag: "exit_code" | ||
| compare: | ||
| op: eq | ||
| value: "1" | ||
| remediation: | | ||
| This setting is managed by the cluster etcd operator. No remediation required. | ||
| scored: false | ||
|
|
||
| - id: 2.4 | ||
| text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Manual)" | ||
| audit: | | ||
| # Get the node name where the pod is running | ||
| NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}') | ||
| # Get the pod name in the openshift-etcd namespace | ||
| POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null) | ||
| if [ -z "$POD_NAME" ]; then | ||
| echo "No matching file found on the current node." | ||
| else | ||
| # Execute the stat command | ||
| oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-cert-file=[^ ]*\).*/\1/' | ||
| oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-key-file=[^ ]*\).*/\1/' | ||
| fi | ||
| use_multiple_values: true | ||
| tests: | ||
| test_items: | ||
| - flag: "file" | ||
| compare: | ||
| op: regex | ||
| # some systems have certs in directory '/etc/kubernetes/static-pod-certs/secrets/etcd-all-certs' | ||
| value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-(?:peer|certs)\/etcd-peer-.*\.(?:crt|key)' | ||
| remediation: | | ||
| None. This configuration is managed by the etcd operator. | ||
| scored: false | ||
|
|
||
| - id: 2.5 | ||
| text: "Ensure that the --peer-client-cert-auth argument is set to true (Manual)" | ||
| audit: | | ||
| # Get the node name where the pod is running | ||
| NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}') | ||
| # Get the pod name in the openshift-etcd namespace | ||
| POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null) | ||
| if [ -z "$POD_NAME" ]; then | ||
| echo "No matching file found on the current node." | ||
| else | ||
| # Execute the stat command | ||
| oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-client-cert-auth=[^ ]*\).*/\1/' | ||
| fi | ||
| use_multiple_values: true | ||
| tests: | ||
| test_items: | ||
| - flag: "--peer-client-cert-auth" | ||
| compare: | ||
| op: eq | ||
| value: true | ||
| remediation: | | ||
| This setting is managed by the cluster etcd operator. No remediation required. | ||
| scored: false | ||
|
|
||
| - id: 2.6 | ||
| text: "Ensure that the --peer-auto-tls argument is not set to true (Manual)" | ||
| audit: | | ||
| # Returns 0 if found, 1 if not found | ||
| # Get the node name where the pod is running | ||
| NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}') | ||
| # Get the pod name in the openshift-etcd namespace | ||
| POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null) | ||
| if [ -z "$POD_NAME" ]; then | ||
| echo "No matching file found on the current node." | ||
| else | ||
| # Execute the stat command | ||
| oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>/dev/null ; echo exit_code=$? | ||
| fi | ||
| use_multiple_values: true | ||
| tests: | ||
| test_items: | ||
| - flag: "exit_code" | ||
| compare: | ||
| op: eq | ||
| value: "1" | ||
| remediation: | | ||
| This setting is managed by the cluster etcd operator. No remediation required. | ||
| scored: false | ||
|
|
||
| - id: 2.7 | ||
| text: "Ensure that a unique Certificate Authority is used for etcd (Manual)" | ||
| audit: | | ||
| # Get the node name where the pod is running | ||
| NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}') | ||
| # Get the pod name in the openshift-etcd namespace | ||
| POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null) | ||
| if [ -z "$POD_NAME" ]; then | ||
| echo "No matching file found on the current node." | ||
| else | ||
| # Execute the stat command | ||
| oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--trusted-ca-file=[^ ]*\).*/\1/' | ||
| oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-trusted-ca-file=[^ ]*\).*/\1/' | ||
| fi | ||
| use_multiple_values: true | ||
| tests: | ||
| test_items: | ||
| - flag: "file" | ||
| compare: | ||
| op: regex | ||
| value: '\/etc\/kubernetes\/static-pod-certs\/configmaps\/etcd-(?:serving|peer-client)-ca\/ca-bundle\.(?:crt|key)' | ||
| remediation: | | ||
| None required. Certificates for etcd are managed by the OpenShift cluster etcd operator. | ||
| scored: false |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was a typo in the benchmark. I was comparing both the standards when I identified this. The type is marked as
manual, so wasn't caught earlier.