
Commit d37c4c4

Merge pull request #14431 from rhmdnd/CMP-4110
CMP-4110: Implement CIS OpenShift version 1.9.0
2 parents 66e0c73 + 9be6c7c commit d37c4c4

12 files changed

Lines changed: 1099 additions & 6 deletions


controls/cis_ocp_190.yml

Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
---
2+
policy: CIS Red Hat OpenShift Container Platform 4 Benchmark
3+
title: CIS Red Hat OpenShift Container Platform 4 Benchmark
4+
id: cis_ocp_190
5+
source: https://www.cisecurity.org/benchmark/kubernetes
6+
7+
levels:
8+
- id: level_1
9+
- id: level_2
10+
inherits_from:
11+
- level_1
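Review bot: the benchmark version is recorded only implicitly in `id: cis_ocp_190`; `policy` and `title` are the identical string `CIS Red Hat OpenShift Container Platform 4 Benchmark` with no version, while the commit title says this implements 1.9.0. Consider adding an explicit `version: '1.9.0'` field so a reader of the control file can tell which benchmark revision it maps without decoding the id. Also worth a look: `source:` points at the generic Kubernetes benchmark page (https://www.cisecurity.org/benchmark/kubernetes); if CIS publishes the OpenShift benchmark at a more specific URL, use that, otherwise a one-line comment saying the OpenShift benchmark is distributed from the Kubernetes page saves the next reader the same question.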

controls/cis_ocp_190/section-1.yml

Lines changed: 506 additions & 0 deletions
Large diffs are not rendered by default.

controls/cis_ocp_190/section-2.yml

Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
---
2+
controls:
3+
- id: '2'
4+
title: etcd
5+
status: pending
6+
rules: []
7+
controls:
8+
- id: '2.1'
9+
title: Ensure that the --cert-file and --key-file arguments are set as appropriate
10+
status: automated
11+
rules:
12+
- etcd_cert_file
13+
- etcd_key_file
14+
levels:
15+
- level_1
16+
- id: '2.2'
17+
title: Ensure that the --client-cert-auth argument is set to true
18+
status: automated
19+
rules:
20+
- etcd_client_cert_auth
21+
levels:
22+
- level_1
23+
- id: '2.3'
24+
title: Ensure that the --auto-tls argument is not set to true
25+
status: automated
26+
rules:
27+
- etcd_auto_tls
28+
levels:
29+
- level_1
30+
- id: '2.4'
31+
title: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate
32+
status: automated
33+
rules:
34+
- etcd_peer_cert_file
35+
- etcd_peer_key_file
36+
levels:
37+
- level_1
38+
- id: '2.5'
39+
title: Ensure that the --peer-client-cert-auth argument is set to true
40+
status: automated
41+
rules:
42+
- etcd_peer_client_cert_auth
43+
levels:
44+
- level_1
45+
- id: '2.6'
46+
title: Ensure that the --peer-auto-tls argument is not set to true
47+
status: automated
48+
rules:
49+
- etcd_peer_auto_tls
50+
levels:
51+
- level_1
52+
- id: '2.7'
53+
title: Ensure that a unique Certificate Authority is used for etcd
54+
status: automated
55+
rules:
56+
- etcd_unique_ca
57+
levels:
58+
- level_2
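Review bot: `status: pending` on the section node `'2'` is misleading when all seven child controls (2.1 through 2.7) are `status: automated` and each carries at least one rule, so nothing in this section is actually pending. Either omit the status on the rule-less grouping node or set it to agree with the children, and use the same convention in the sibling section files so that a grouping node's status means one thing across the benchmark. Minor style point: every id here is quoted (`'2.1'`), which is needed because YAML would otherwise read 2.1 as a float; the other section files quote only some ids, so it is worth settling on one quoting rule.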

controls/cis_ocp_190/section-3.yml

Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
---
2+
controls:
3+
- id: '3'
4+
title: Control Plane Configuration
5+
status: pending
6+
rules: []
7+
controls:
8+
- id: '3.1'
9+
title: Authentication and Authorization
10+
status: automated
11+
rules: []
12+
controls:
13+
- id: 3.1.1
14+
title: Client certificate authentication should not be used for users
15+
status: automated
16+
rules:
17+
- idp_is_configured
18+
- kubeadmin_removed
19+
levels:
20+
- level_2
21+
- id: '3.2'
22+
title: Logging
23+
status: automated
24+
rules: []
25+
controls:
26+
- id: 3.2.1
27+
title: Ensure that a minimal audit policy is created
28+
status: automated
29+
rules:
30+
- audit_logging_enabled
31+
levels:
32+
- level_1
33+
- id: 3.2.2
34+
title: Ensure that the audit policy covers key security concerns
35+
status: automated
36+
rules:
37+
- audit_profile_set
38+
levels:
39+
- level_2
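Review bot: the grouping nodes `'3.1'` and `'3.2'` are `status: automated` with `rules: []`, while the section node `'3'` in the same file (and the grouping nodes in section-2.yml and section-4.yml) use `status: pending` for exactly the same shape; pick one convention for rule-less grouping nodes. On the mapping itself, 3.1.1 is titled "Client certificate authentication should not be used for users" but is satisfied by `idp_is_configured` and `kubeadmin_removed`; by their names those rules check that an identity provider exists and that the kubeadmin user is gone, not that client-certificate authentication is disabled for users, so a `notes:` entry explaining why those two checks cover the control (and whether any part remains manual) would help both reviewers and auditors reading the resulting profile.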

controls/cis_ocp_190/section-4.yml

Lines changed: 191 additions & 0 deletions
@@ -0,0 +1,191 @@
1+
---
2+
controls:
3+
- id: '4'
4+
title: Worker Nodes
5+
status: pending
6+
rules: []
7+
controls:
8+
- id: '4.1'
9+
title: Worker Node Configuration Files
10+
status: pending
11+
rules: []
12+
controls:
13+
- id: 4.1.1
14+
title: Ensure that the kubelet service file permissions are set to 644 or more restrictive
15+
status: automated
16+
rules:
17+
- file_permissions_worker_service
18+
levels:
19+
- level_1
20+
- id: 4.1.2
21+
title: Ensure that the kubelet service file ownership is set to root:root
22+
status: automated
23+
rules:
24+
- file_owner_worker_service
25+
- file_groupowner_worker_service
26+
levels:
27+
- level_1
28+
- id: 4.1.3
29+
title: If proxy kube proxy configuration file exists ensure permissions are set to
30+
644 or more restrictive
31+
status: automated
32+
rules:
33+
- file_permissions_proxy_kubeconfig
34+
levels:
35+
- level_1
36+
- id: 4.1.4
37+
title: If proxy kubeconfig file exists ensure ownership is set to root:root
38+
status: automated
39+
rules:
40+
- file_owner_proxy_kubeconfig
41+
- file_groupowner_proxy_kubeconfig
42+
levels:
43+
- level_1
44+
- id: 4.1.5
45+
title: Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or
46+
more restrictive
47+
status: automated
48+
rules:
49+
- file_permissions_kubelet_conf
50+
levels:
51+
- level_1
52+
- id: 4.1.6
53+
title: Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root
54+
status: automated
55+
rules:
56+
- file_groupowner_kubelet_conf
57+
- file_owner_kubelet_conf
58+
#- file_groupowner_kubelet
59+
- file_owner_kubelet
60+
levels:
61+
- level_1
62+
- id: 4.1.7
63+
title: Ensure that the certificate authorities file permissions are set to 644 or more
64+
restrictive
65+
status: automated
66+
rules:
67+
- file_permissions_worker_ca
68+
levels:
69+
- level_1
70+
- id: 4.1.8
71+
title: Ensure that the client certificate authorities file ownership is set to root:root
72+
status: automated
73+
rules:
74+
- file_owner_worker_ca
75+
- file_groupowner_worker_ca
76+
levels:
77+
- level_1
78+
- id: 4.1.9
79+
title: Ensure that the kubelet --config configuration file has permissions set to 600
80+
or more restrictive
81+
status: automated
82+
rules:
83+
- file_permissions_worker_kubeconfig
84+
levels:
85+
- level_1
86+
- id: 4.1.10
87+
title: Ensure that the kubelet configuration file ownership is set to root:root
88+
status: automated
89+
rules:
90+
- file_owner_worker_kubeconfig
91+
- file_groupowner_worker_kubeconfig
92+
levels:
93+
- level_1
94+
- id: '4.2'
95+
title: Kubelet
96+
status: pending
97+
rules: []
98+
controls:
99+
- id: 4.2.1
100+
title: Activate Garbage collection in OpenShift Container Platform 4, as appropriate
101+
status: automated
102+
rules:
103+
- kubelet_eviction_thresholds_set_hard_memory_available
104+
- kubelet_eviction_thresholds_set_hard_nodefs_available
105+
- kubelet_eviction_thresholds_set_hard_nodefs_inodesfree
106+
- kubelet_eviction_thresholds_set_hard_imagefs_available
107+
levels:
108+
- level_1
109+
- id: 4.2.2
110+
title: Ensure that the --anonymous-auth argument is set to false
111+
status: automated
112+
rules:
113+
- kubelet_anonymous_auth
114+
levels:
115+
- level_1
116+
- id: 4.2.3
117+
title: Ensure that the --authorization-mode argument is not set to AlwaysAllow
118+
status: automated
119+
rules:
120+
- kubelet_authorization_mode
121+
levels:
122+
- level_1
123+
- id: 4.2.4
124+
title: Ensure that the --client-ca-file argument is set as appropriate
125+
status: automated
126+
rules:
127+
- kubelet_configure_client_ca
128+
levels:
129+
- level_1
130+
- id: 4.2.5
131+
title: Verify that the read only port is not used or is set to 0
132+
status: automated
133+
rules:
134+
- kubelet_disable_readonly_port
135+
levels:
136+
- level_1
137+
- id: 4.2.6
138+
title: Ensure that the --streaming-connection-idle-timeout argument is not set to 0
139+
status: automated
140+
rules:
141+
- kubelet_enable_streaming_connections
142+
levels:
143+
- level_1
144+
- id: 4.2.7
145+
title: Ensure that the --make-iptables-util-chains argument is set to true
146+
status: automated
147+
rules:
148+
- kubelet_enable_iptables_util_chains
149+
levels:
150+
- level_1
151+
- id: 4.2.8
152+
title: Ensure that the kubeAPIQPS [--event-qps] argument is set to a level which
153+
ensures appropriate event capture
154+
status: automated
155+
rules:
156+
- kubelet_configure_event_creation
157+
- var_event_record_qps=50
158+
levels:
159+
- level_2
160+
- id: 4.2.9
161+
title: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
162+
as appropriate
163+
status: automated
164+
rules:
165+
- kubelet_configure_tls_cert
166+
- kubelet_configure_tls_key
167+
levels:
168+
- level_1
169+
- id: 4.2.10
170+
title: Ensure that the --rotate-certificates argument is not set to false
171+
status: automated
172+
rules:
173+
- kubelet_enable_client_cert_rotation
174+
- kubelet_enable_cert_rotation
175+
levels:
176+
- level_1
177+
- id: 4.2.11
178+
title: Verify that the RotateKubeletServerCertificate argument is set to true
179+
status: automated
180+
rules:
181+
- kubelet_enable_server_cert_rotation
182+
levels:
183+
- level_1
184+
- id: 4.2.12
185+
title: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
186+
status: automated
187+
rules:
188+
- kubelet_configure_tls_cipher_suites
189+
- ingress_controller_tls_cipher_suites
190+
levels:
191+
- level_1
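Review bot: 4.1.6 ships a commented-out rule (`#- file_groupowner_kubelet`) next to a live `- file_owner_kubelet`, so the control checks the owner of one extra file but not its group owner even though the title asks for root:root; either restore the group-owner rule or drop both the comment and the unpaired owner rule so the list matches the title the way 4.1.2, 4.1.4, 4.1.8 and 4.1.10 pair `file_owner_*` with `file_groupowner_*`. Two further mapping questions in this hunk: 4.2.12 ("Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers") also lists `ingress_controller_tls_cipher_suites`, which by its name checks the ingress controller rather than the kubelet and so widens the control beyond its title; and 4.1.3's title reads "If proxy kube proxy configuration file exists", which looks like an editing slip next to 4.1.4's "If proxy kubeconfig file exists". Finally, 4.2.8 fixes the threshold inline with `- var_event_record_qps=50`; a short note on where 50 comes from would make this level_2 requirement easier to audit.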
