Merge pull request #337 from vardhaman22/0.5/add-rke2-cis-1.9
[release/v0.5] added rke2-cis-1.9
vardhaman22 authored Jan 10, 2025
2 parents 318f940 + fe265b4 commit 4878cef
Showing 9 changed files with 2,220 additions and 51 deletions.
6 changes: 6 additions & 0 deletions package/cfg/config.yaml
Expand Up @@ -399,6 +399,12 @@ target_mapping:
- "controlplane"
- "etcd"
- "policies"
"rke2-cis-1.9":
- "master"
- "node"
- "controlplane"
- "etcd"
- "policies"

# K3S
# k3s: Generic
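Review bot: the new "rke2-cis-1.9" entry lists five targets (master, node, controlplane, etcd, policies), so package/cfg/rke2-cis-1.9/ must contain master.yaml, node.yaml, etcd.yaml and policies.yaml in addition to the config.yaml and controlplane.yaml rendered on this page; only 5 of the 9 changed files are shown here, so please confirm the other four exist and carry the same `version: "cis-1.9"` string as controlplane.yaml, otherwise running the rke2-cis-1.9 target has nothing to load for those sections.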
54 changes: 17 additions & 37 deletions package/cfg/k3s-cis-1.9/master.yaml
Expand Up @@ -494,26 +494,6 @@ groups:
scored: false

- id: 1.2.12
text: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)"
type: "skip"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--enable-admission-plugins"
compare:
op: has
value: "SecurityContextDeny"
- flag: "--enable-admission-plugins"
compare:
op: has
value: "PodSecurityPolicy"
remediation: |
Not Applicable.
Enabling Pod Security Policy is no longer supported on K3s v1.25+ and will cause applications to unexpectedly fail.
scored: false

- id: 1.2.13
text: "Ensure that the admission control plugin ServiceAccount is set (Automated)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1"
tests:
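Review bot: dropping check 1.2.12 shifts every later id in section 1.2 down by one (1.2.13 through 1.2.29 in the hunks that follow), yet the commit message "[release/v0.5] added rke2-cis-1.9" says nothing about k3s-cis-1.9 changing at all; the renumbering needs a line in the commit message or changelog, because any report, exception list or dashboard keyed on the old ids (for example the cipher-suite control moving from 1.2.30 to 1.2.29) will silently point at the wrong check. The removal itself loses no coverage: the deleted check was already `type: "skip"`, `scored: false` and remediated as "Not Applicable."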
Expand All @@ -533,7 +513,7 @@ groups:
- "disable-admission-plugins=ServiceAccount"
scored: true

- id: 1.2.14
- id: 1.2.13
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Automated)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1"
tests:
Expand All @@ -552,7 +532,7 @@ groups:
- "disable-admission-plugins=...,NamespaceLifecycle,..."
scored: true

- id: 1.2.15
- id: 1.2.14
text: "Ensure that the admission control plugin NodeRestriction is set (Automated)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'enable-admission-plugins'"
tests:
Expand All @@ -569,7 +549,7 @@ groups:
- "enable-admission-plugins=...,NodeRestriction,..."
scored: true

- id: 1.2.16
- id: 1.2.15
text: "Ensure that the --profiling argument is set to false (Automated)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'profiling'"
tests:
Expand All @@ -585,7 +565,7 @@ groups:
- "profiling=true"
scored: true

- id: 1.2.17
- id: 1.2.16
text: "Ensure that the --audit-log-path argument is set (Manual)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1"
tests:
Expand All @@ -598,7 +578,7 @@ groups:
- "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"
scored: false

- id: 1.2.18
- id: 1.2.17
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Manual)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1"
tests:
Expand All @@ -614,7 +594,7 @@ groups:
- "audit-log-maxage=30"
scored: false

- id: 1.2.19
- id: 1.2.18
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Manual)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1"
tests:
Expand All @@ -630,7 +610,7 @@ groups:
- "audit-log-maxbackup=10"
scored: false

- id: 1.2.20
- id: 1.2.19
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Manual)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1"
tests:
Expand All @@ -646,7 +626,7 @@ groups:
- "audit-log-maxsize=100"
scored: false

- id: 1.2.21
- id: 1.2.20
text: "Ensure that the --request-timeout argument is set as appropriate (Manual)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1"
tests:
Expand All @@ -661,7 +641,7 @@ groups:
- "request-timeout=300s"
scored: false

- id: 1.2.22
- id: 1.2.21
text: "Ensure that the --service-account-lookup argument is set to true (Automated)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1"
tests:
Expand All @@ -682,7 +662,7 @@ groups:
that the default takes effect.
scored: true

- id: 1.2.23
- id: 1.2.22
text: "Ensure that the --service-account-key-file argument is set as appropriate (Automated)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1"
tests:
Expand All @@ -696,7 +676,7 @@ groups:
- "service-account-key-file=<path>"
scored: true

- id: 1.2.24
- id: 1.2.23
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)"
audit: |
if [ "$(journalctl -m -u k3s | grep -m1 'Managed etcd cluster' | wc -l)" -gt 0 ]; then
Expand All @@ -720,7 +700,7 @@ groups:
- "etcd-keyfile=<path>"
scored: true

- id: 1.2.25
- id: 1.2.24
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
audit: "journalctl -m -u k3s | grep -A1 'Running kube-apiserver' | tail -n2"
tests:
Expand All @@ -739,7 +719,7 @@ groups:
- "tls-private-key-file=<path>"
scored: true

- id: 1.2.26
- id: 1.2.25
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'client-ca-file'"
tests:
Expand All @@ -754,7 +734,7 @@ groups:
- "client-ca-file=<path>"
scored: true

- id: 1.2.27
- id: 1.2.26
text: "Ensure that the --etcd-cafile argument is set as appropriate (Automated)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'etcd-cafile'"
tests:
Expand All @@ -769,7 +749,7 @@ groups:
- "etcd-cafile=<path>"
scored: true

- id: 1.2.28
- id: 1.2.27
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Manual)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'encryption-provider-config'"
tests:
Expand All @@ -783,7 +763,7 @@ groups:
If needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json.
scored: false

- id: 1.2.29
- id: 1.2.28
text: "Ensure that encryption providers are appropriately configured (Manual)"
audit: |
ENCRYPTION_PROVIDER_CONFIG=$(journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep -- --encryption-provider-config | sed 's%.*encryption-provider-config[= ]\([^ ]*\).*%\1%')
Expand All @@ -802,7 +782,7 @@ groups:
If needed, you can find the generated encryption config at /var/lib/rancher/k3s/server/cred/encryption-config.json
scored: false

- id: 1.2.30
- id: 1.2.29
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated)"
audit: "journalctl -m -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'tls-cipher-suites'"
tests:
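Review bot: 1.2.30 becomes 1.2.29 here, but the file continues below this hunk (collapsed in this view); please confirm that no check further down in section 1.2 kept its old number and that section 1.3 still begins at 1.3.1, so the renumbering is contiguous end to end.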
28 changes: 14 additions & 14 deletions package/cfg/k3s-cis-1.9/policies.yaml
Expand Up @@ -248,60 +248,60 @@ groups:
scored: false

- id: 5.2.3
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostPID` containers.
scored: true
scored: false

- id: 5.2.4
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostIPC` containers.
scored: true
scored: false

- id: 5.2.5
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostNetwork` containers.
scored: true
scored: false

- id: 5.2.6
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.
scored: true
scored: false

- id: 5.2.7
text: "Minimize the admission of root containers (Automated)"
text: "Minimize the admission of root containers (Manual)"
type: "manual"
remediation: |
Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot`
or `MustRunAs` with the range of UIDs not including 0, is set.
scored: true
scored: false

- id: 5.2.8
text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
type: "manual"
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with the `NET_RAW` capability.
scored: true
scored: false

- id: 5.2.9
text: "Minimize the admission of containers with added capabilities (Automated)"
text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual"
remediation: |
Ensure that `allowedCapabilities` is not present in policies for the cluster unless
it is set to an empty array.
scored: true
scored: false

- id: 5.2.10
text: "Minimize the admission of containers with capabilities assigned (Manual)"
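Review bot: the text and scored changes for 5.2.3 through 5.2.9 correct a pre-existing contradiction: each of these checks already carried `type: "manual"` and no audit command, so labelling them "(Automated)" with `scored: true` produced a scored result that tested nothing. The new values now match the unchanged 5.2.10 below, which looks right, but seven scored controls in a k3s file are being downgraded by a commit whose message only mentions adding rke2-cis-1.9; state this in the PR description so users comparing k3s-cis-1.9 summary counts across v0.5 releases know why the totals moved.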
61 changes: 61 additions & 0 deletions package/cfg/rke2-cis-1.9/config.yaml
@@ -0,0 +1,61 @@
---
## Version-specific settings that override the values in cfg/config.yaml

master:
components:
- apiserver
- scheduler
- controllermanager
- etcd
- policies
apiserver:
bins:
- kube-apiserver
confs:
- /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml
scheduler:
bins:
- kube-scheduler
confs:
- /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml
kubeconfig:
- /var/lib/rancher/rke2/server/cred/scheduler.kubeconfig
defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml
controllermanager:
bins:
- kube-controller-manager
confs:
- /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml
kubeconfig:
- /var/lib/rancher/rke2/server/cred/controller.kubeconfig
defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml
etcd:
bins:
- etcd
datadirs:
- /var/lib/rancher/rke2/server/db/etcd
defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml

etcd:
components:
- etcd

etcd:
bins:
- etcd
defaultconf: /var/lib/rancher/rke2/server/db/etcd/config

node:
components:
- kubelet
- proxy
kubelet:
defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig
defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt
proxy:
defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig

policies:
components:
- policies
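Review bot: `etcd.etcd.defaultconf` points at /var/lib/rancher/rke2/server/db/etcd/config while `master.etcd.defaultconf` points at /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml; if both are deliberate (the static-pod manifest for the master target, the etcd runtime config for the etcd target), a one-line comment saying so would spare the next reader the question, otherwise align them. Two more things to confirm: the file defines no `controlplane:` section although the target mapping added in cfg/config.yaml lists controlplane for rke2-cis-1.9, and `node.kubelet` / `node.proxy` set only kubeconfig and CA paths with no `bins` or `confs`, so both must be meant to fall through to the base cfg/config.yaml defaults as the header comment implies.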
62 changes: 62 additions & 0 deletions package/cfg/rke2-cis-1.9/controlplane.yaml
@@ -0,0 +1,62 @@
---
controls:
version: "cis-1.9"
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 3.1
text: "Authentication and Authorization"
checks:
- id: 3.1.1
text: "Client certificate authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
implemented in place of client certificates.
scored: false

- id: 3.1.2
text: "Service account token authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented
in place of service account tokens.
scored: false

- id: 3.1.3
text: "Bootstrap token authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented
in place of bootstrap tokens.
scored: false

- id: 3.2
text: "Logging"
checks:
- id: 3.2.1
text: "Ensure that a minimal audit policy is created (Automated)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--audit-policy-file"
set: true
remediation: |
Create an audit policy file for your cluster.
scored: true

- id: 3.2.2
text: "Ensure that the audit policy covers key security concerns (Manual)"
type: "manual"
remediation: |
Review the audit policy provided for the cluster and ensure that it covers
at least the following areas,
- Access to Secrets managed by the cluster. Care should be taken to only
log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in
order to avoid risk of logging sensitive data.
- Modification of Pod and Deployment objects.
- Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`.
For most requests, minimally logging at the Metadata level is recommended
(the most basic level of logging).
scored: false
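Review bot: 3.2.1 is `scored: true` but its remediation is only "Create an audit policy file for your cluster.", which does not tell an RKE2 operator how to get `--audit-policy-file` onto the kube-apiserver; a pointer to the RKE2 configuration mechanism would make a failure actionable. Its audit `/bin/ps -ef | grep $apiserverbin | grep -v grep` also relies on the scanner seeing the static-pod kube-apiserver process (the confs path under agent/pod-manifests in the new config.yaml shows how it runs), i.e. on sharing the host PID namespace, which deserves a comment in the file. Minor: in 3.2.2, "at least the following areas," should end with a colon, not a comma.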

0 comments on commit 4878cef
