Skip to content

Commit

Permalink
update generated markdown files
Browse files Browse the repository at this point in the history
update them after the expected-outputs.yaml file was changed
  • Loading branch information
eaudetcobello committed Jun 27, 2024
1 parent 6479818 commit b949a0a
Show file tree
Hide file tree
Showing 5 changed files with 3,209 additions and 0 deletions.
77 changes: 77 additions & 0 deletions docs/src/snap/howto/cis-hardening/controlplane.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
## Control Plane Configuration

### Authentication and Authorization

#### Control 3.1.1

Description: `Client certificate authentication should not be used for users
(Manual)`

Remediation:

```
Alternative mechanisms provided by Kubernetes such as the use of
OIDC should be
implemented in place of client certificates.
```

Expected output:

```
Not applicable.
```

### Logging

#### Control 3.2.1

Description: `Ensure that a minimal audit policy is created (Manual)`

Audit:

```
/bin/ps -ef | grep kube-apiserver | grep -v grep
```

Remediation:

```
Create an audit policy file for your cluster.
```

Expected output:

```
--audit-policy-file=/var/snap/k8s/common/etc/audit-policy.yaml
```

#### Control 3.2.2

Description: `Ensure that the audit policy covers key security concerns
(Manual)`

Remediation:

```
Review the audit policy provided for the cluster and ensure that
it covers
at least the following areas,
- Access to Secrets managed by the cluster. Care should be taken
to only
log Metadata for requests to Secrets, ConfigMaps, and
TokenReviews, in
order to avoid risk of logging sensitive data.
- Modification of Pod and Deployment objects.
- Use of `pods/exec`, `pods/portforward`, `pods/proxy` and
`services/proxy`.
For most requests, minimally logging at the Metadata level is
recommended
(the most basic level of logging).
```

Expected output:

```
Not applicable.
```

193 changes: 193 additions & 0 deletions docs/src/snap/howto/cis-hardening/etcd.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,193 @@
## Etcd Node Configuration

### Etcd Node Configuration

#### Control 2.1

Description: `Ensure that the --cert-file and --key-file arguments are set as
appropriate (Automated)`

Audit:

```
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep
```

Remediation:

```
Follow the etcd service documentation and configure TLS
encryption.
Then, edit the etcd pod specification file
/etc/kubernetes/manifests/etcd.yaml
on the master node and set the below parameters.
--cert-file=</path/to/ca-file>
--key-file=</path/to/key-file>
```

Expected output:

```
ETCD_CERT_FILE and ETCD_KEY_FILE are set
```

#### Control 2.2

Description: `Ensure that the --client-cert-auth argument is set to true
(Automated)`

Audit:

```
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep
```

Remediation:

```
Edit the etcd pod specification file /etc/default/etcd on the master
node and set the below parameter.
--client-cert-auth="true"
```

Expected output:

```
ETCD_CLIENT_CERT_AUTH is set to true
```

#### Control 2.3

Description: `Ensure that the --auto-tls argument is not set to true
(Automated)`

Audit:

```
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep
```

Remediation:

```
Edit the etcd pod specification file /etc/default/etcd on the master
node and either remove the --auto-tls parameter or set it to
false.
--auto-tls=false
```

Expected output:

```
ETCD_AUTO_TLS is not set
```

#### Control 2.4

Description: `Ensure that the --peer-cert-file and --peer-key-file arguments
are set as appropriate (Automated)`

Audit:

```
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep
```

Remediation:

```
Follow the etcd service documentation and configure peer TLS
encryption as appropriate
for your etcd cluster.
Then, edit the etcd pod specification file /etc/default/etcd on the
master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>
```

Expected output:

```
ETCD_PEER_CERT_FILE and ETCD_PEER_KEY_FILE are set
```

#### Control 2.5

Description: `Ensure that the --peer-client-cert-auth argument is set to true
(Automated)`

Audit:

```
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep
```

Remediation:

```
Edit the etcd pod specification file /etc/default/etcd on the master
node and set the below parameter.
--peer-client-cert-auth=true
```

Expected output:

```
ETCD_PEER_CLIENT_CERT_AUTH is set to true
```

#### Control 2.6

Description: `Ensure that the --peer-auto-tls argument is not set to true
(Automated)`

Audit:

```
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep
```

Remediation:

```
Edit the etcd pod specification file /etc/default/etcd on the master
node and either remove the --peer-auto-tls parameter or set it
to false.
--peer-auto-tls=false
```

Expected output:

```
ETCD_PEER_AUTO_TLS is not set
```

#### Control 2.7

Description: `Ensure that a unique Certificate Authority is used for etcd
(Manual)`

Audit:

```
/bin/ps -ef | /bin/grep etcd | /bin/grep -v grep
```

Remediation:

```
[Manual test]
Follow the etcd documentation and create a dedicated certificate
authority setup for the
etcd service.
Then, edit the etcd pod specification file /etc/default/etcd on the
master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file>
```

Expected output:

```
ETCD_TRUSTED_CA_FILE is set
```

Loading

0 comments on commit b949a0a

Please sign in to comment.