Skip to content

Commit

Permalink
Add YAML to Markdown conversion script and generated Markdown files (#…
Browse files Browse the repository at this point in the history 
…497)
  • Loading branch information
@eaudetcobello
eaudetcobello committed Jun 27, 2024
1 parent ea34250 commit 00612a7
Show file tree
Hide file tree
Showing 10 changed files with 3,110 additions and 0 deletions.
59 changes: 59 additions & 0 deletions docs/src/_parts/cis/controlplane.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
## Control Plane Configuration

### Authentication and Authorization

#### Control 3.1.1

Description: Client certificate authentication should not be used for users
(Manual)

Remediation:

Alternative mechanisms provided by Kubernetes such as the use of
OIDC should be
implemented in place of client certificates.

### Logging

#### Control 3.2.1

Description: Ensure that a minimal audit policy is created (Manual)

Audit:

```
/bin/ps -ef | grep kube-apiserver | grep -v grep
```

Expected output:

```
--audit-policy-file=/var/snap/k8s/common/etc/audit-policy.yaml
```

Remediation:

Create an audit policy file for your cluster.

#### Control 3.2.2

Description: Ensure that the audit policy covers key security concerns
(Manual)

Remediation:

Review the audit policy provided for the cluster and ensure that
it covers
at least the following areas,
- Access to Secrets managed by the cluster. Care should be taken
to only
log Metadata for requests to Secrets, ConfigMaps, and
TokenReviews, in
order to avoid risk of logging sensitive data.
- Modification of Pod and Deployment objects.
- Use of `pods/exec`, `pods/portforward`, `pods/proxy` and
`services/proxy`.
For most requests, minimally logging at the Metadata level is
recommended
(the most basic level of logging).

188 changes: 188 additions & 0 deletions docs/src/_parts/cis/etcd.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,188 @@
## Etcd Node Configuration

### Etcd Node Configuration

#### Control 2.1

Description: Ensure that the ETCD_CERT_FILE and ETCD_KEY_FILE environment
variables are set as appropriate (Automated)

Audit:

```
cat /proc/$(pidof /usr/bin/etcd)/environ
```

Expected output:

```
ETCD_CERT_FILE and ETCD_KEY_FILE are set
```

Remediation:

Follow the etcd service documentation and configure TLS
encryption.
Then, edit the etcd daemon configuration file /etc/default/etcd
on the master node and set the following variables.

```
ETCD_CERT_FILE=</path/to/ca-file>
ETCD_KEY_FILE=</path/to/key-file>
```

#### Control 2.2

Description: Ensure that the ETCD_CLIENT_CERT_AUTH variable is set to true
(Automated)

Audit:

```
cat /proc/$(pidof /usr/bin/etcd)/environ
```

Expected output:

```
ETCD_CLIENT_CERT_AUTH is set to true
```

Remediation:

Edit the etcd daemon configuration file /etc/default/etcd on the master
node and set the following variable.

`ETCD_CLIENT_CERT_AUTH=true`

#### Control 2.3

Description: Ensure that the ETCD_AUTO_TLS argument is not set to true
(Automated)

Audit:

```
cat /proc/$(pidof /usr/bin/etcd)/environ
```

Expected output:

```
ETCD_AUTO_TLS is not set
```

Remediation:

Edit the etcd daemon configuration file /etc/default/etcd on the master
node and either remove the ETCD_AUTO_TLS variable or set it to
false.

`ETCD_AUTO_TLS=false`

#### Control 2.4

Description: Ensure that the ETCD_PEER_CERT_FILE and ETCD_PEER_KEY_FILE
variables are set as appropriate (Automated)

Audit:

```
cat /proc/$(pidof /usr/bin/etcd)/environ
```

Expected output:

```
ETCD_PEER_CERT_FILE and ETCD_PEER_KEY_FILE are set
```

Remediation:

Follow the etcd service documentation and configure peer TLS
encryption as appropriate
for your etcd cluster.
Then, edit the etcd daemon configuration file /etc/default/etcd on the
master node and set the following variables.

```
ETCD_PEER_CERT_FILE=</path/to/peer-cert-file>
ETCD_PEER_KEY_FILE=</path/to/peer-key-file>
```

#### Control 2.5

Description: Ensure that the ETCD_PEER_CLIENT_CERT_AUTH variable is set to
true (Automated)

Audit:

```
cat /proc/$(pidof /usr/bin/etcd)/environ
```

Expected output:

```
ETCD_PEER_CLIENT_CERT_AUTH is set to true
```

Remediation:

Edit the etcd daemon configuration file /etc/default/etcd on the master
node and set the following argument.

`ETCD_PEER_CLIENT_CERT_AUTH=true`

#### Control 2.6

Description: Ensure that the ETCD_PEER_AUTO_TLS argument is not set to true
(Automated)

Audit:

```
cat /proc/$(pidof /usr/bin/etcd)/environ
```

Expected output:

```
ETCD_PEER_AUTO_TLS is not set
```

Remediation:

Edit the etcd daemon configuration file /etc/default/etcd on the master
node and either remove the ETCD_PEER_AUTO_TLS parameter or set
it to false.

`ETCD_PEER_AUTO_TLS=false`

#### Control 2.7

Description: Ensure that a unique Certificate Authority is used for etcd
(Manual)

Audit:

```
cat /proc/$(pidof /usr/bin/etcd)/environ
```

Expected output:

```
ETCD_TRUSTED_CA_FILE is set
```

Remediation:

Follow the etcd documentation and create a dedicated certificate
authority setup for the
etcd service.
Then, edit the etcd daemon configuration file /etc/default/etcd on the
master node and set the following argument.

`ETCD_TRUSTED_CA_FILE=</path/to/ca-file>`

Loading

0 comments on commit 00612a7

Please sign in to comment.