-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
update them after the expected-outputs.yaml file was changed
- Loading branch information
1 parent
6479818
commit b949a0a
Showing
5 changed files
with
3,209 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
## Control Plane Configuration | ||
|
||
### Authentication and Authorization | ||
|
||
#### Control 3.1.1 | ||
|
||
Description: `Client certificate authentication should not be used for users | ||
(Manual)` | ||
|
||
Remediation: | ||
|
||
``` | ||
Alternative mechanisms provided by Kubernetes such as the use of | ||
OIDC should be | ||
implemented in place of client certificates. | ||
``` | ||
|
||
Expected output: | ||
|
||
``` | ||
Not applicable. | ||
``` | ||
|
||
### Logging | ||
|
||
#### Control 3.2.1 | ||
|
||
Description: `Ensure that a minimal audit policy is created (Manual)` | ||
|
||
Audit: | ||
|
||
``` | ||
/bin/ps -ef | grep kube-apiserver | grep -v grep | ||
``` | ||
|
||
Remediation: | ||
|
||
``` | ||
Create an audit policy file for your cluster. | ||
``` | ||
|
||
Expected output: | ||
|
||
``` | ||
--audit-policy-file=/var/snap/k8s/common/etc/audit-policy.yaml | ||
``` | ||
|
||
#### Control 3.2.2 | ||
|
||
Description: `Ensure that the audit policy covers key security concerns | ||
(Manual)` | ||
|
||
Remediation: | ||
|
||
``` | ||
Review the audit policy provided for the cluster and ensure that | ||
it covers | ||
at least the following areas, | ||
- Access to Secrets managed by the cluster. Care should be taken | ||
to only | ||
log Metadata for requests to Secrets, ConfigMaps, and | ||
TokenReviews, in | ||
order to avoid risk of logging sensitive data. | ||
- Modification of Pod and Deployment objects. | ||
- Use of `pods/exec`, `pods/portforward`, `pods/proxy` and | ||
`services/proxy`. | ||
For most requests, minimally logging at the Metadata level is | ||
recommended | ||
(the most basic level of logging). | ||
``` | ||
|
||
Expected output: | ||
|
||
``` | ||
Not applicable. | ||
``` | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,193 @@ | ||
## Etcd Node Configuration | ||
|
||
### Etcd Node Configuration | ||
|
||
#### Control 2.1 | ||
|
||
Description: `Ensure that the --cert-file and --key-file arguments are set as | ||
appropriate (Automated)` | ||
|
||
Audit: | ||
|
||
``` | ||
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep | ||
``` | ||
|
||
Remediation: | ||
|
||
``` | ||
Follow the etcd service documentation and configure TLS | ||
encryption. | ||
Then, edit the etcd pod specification file | ||
/etc/kubernetes/manifests/etcd.yaml | ||
on the master node and set the below parameters. | ||
--cert-file=</path/to/ca-file> | ||
--key-file=</path/to/key-file> | ||
``` | ||
|
||
Expected output: | ||
|
||
``` | ||
ETCD_CERT_FILE and ETCD_KEY_FILE are set | ||
``` | ||
|
||
#### Control 2.2 | ||
|
||
Description: `Ensure that the --client-cert-auth argument is set to true | ||
(Automated)` | ||
|
||
Audit: | ||
|
||
``` | ||
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep | ||
``` | ||
|
||
Remediation: | ||
|
||
``` | ||
Edit the etcd pod specification file /etc/default/etcd on the master | ||
node and set the below parameter. | ||
--client-cert-auth="true" | ||
``` | ||
|
||
Expected output: | ||
|
||
``` | ||
ETCD_CLIENT_CERT_AUTH is set to true | ||
``` | ||
|
||
#### Control 2.3 | ||
|
||
Description: `Ensure that the --auto-tls argument is not set to true | ||
(Automated)` | ||
|
||
Audit: | ||
|
||
``` | ||
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep | ||
``` | ||
|
||
Remediation: | ||
|
||
``` | ||
Edit the etcd pod specification file /etc/default/etcd on the master | ||
node and either remove the --auto-tls parameter or set it to | ||
false. | ||
--auto-tls=false | ||
``` | ||
|
||
Expected output: | ||
|
||
``` | ||
ETCD_AUTO_TLS is not set | ||
``` | ||
|
||
#### Control 2.4 | ||
|
||
Description: `Ensure that the --peer-cert-file and --peer-key-file arguments | ||
are set as appropriate (Automated)` | ||
|
||
Audit: | ||
|
||
``` | ||
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep | ||
``` | ||
|
||
Remediation: | ||
|
||
``` | ||
Follow the etcd service documentation and configure peer TLS | ||
encryption as appropriate | ||
for your etcd cluster. | ||
Then, edit the etcd pod specification file /etc/default/etcd on the | ||
master node and set the below parameters. | ||
--peer-client-file=</path/to/peer-cert-file> | ||
--peer-key-file=</path/to/peer-key-file> | ||
``` | ||
|
||
Expected output: | ||
|
||
``` | ||
ETCD_PEER_CERT_FILE and ETCD_PEER_KEY_FILE are set | ||
``` | ||
|
||
#### Control 2.5 | ||
|
||
Description: `Ensure that the --peer-client-cert-auth argument is set to true | ||
(Automated)` | ||
|
||
Audit: | ||
|
||
``` | ||
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep | ||
``` | ||
|
||
Remediation: | ||
|
||
``` | ||
Edit the etcd pod specification file /etc/default/etcd on the master | ||
node and set the below parameter. | ||
--peer-client-cert-auth=true | ||
``` | ||
|
||
Expected output: | ||
|
||
``` | ||
ETCD_PEER_CLIENT_CERT_AUTH is set to true | ||
``` | ||
|
||
#### Control 2.6 | ||
|
||
Description: `Ensure that the --peer-auto-tls argument is not set to true | ||
(Automated)` | ||
|
||
Audit: | ||
|
||
``` | ||
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep | ||
``` | ||
|
||
Remediation: | ||
|
||
``` | ||
Edit the etcd pod specification file /etc/default/etcd on the master | ||
node and either remove the --peer-auto-tls parameter or set it | ||
to false. | ||
--peer-auto-tls=false | ||
``` | ||
|
||
Expected output: | ||
|
||
``` | ||
ETCD_PEER_AUTO_TLS is not set | ||
``` | ||
|
||
#### Control 2.7 | ||
|
||
Description: `Ensure that a unique Certificate Authority is used for etcd | ||
(Manual)` | ||
|
||
Audit: | ||
|
||
``` | ||
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep | ||
``` | ||
|
||
Remediation: | ||
|
||
``` | ||
[Manual test] | ||
Follow the etcd documentation and create a dedicated certificate | ||
authority setup for the | ||
etcd service. | ||
Then, edit the etcd pod specification file /etc/default/etcd on the | ||
master node and set the below parameter. | ||
--trusted-ca-file=</path/to/ca-file> | ||
``` | ||
|
||
Expected output: | ||
|
||
``` | ||
ETCD_TRUSTED_CA_FILE is set | ||
``` | ||
|
Oops, something went wrong.