Add fixes in master TCs and docs
deebhatia authored and safiyat committed Nov 6, 2024
1 parent 3bce117 commit 1ae58e3
Showing 3 changed files with 40 additions and 56 deletions.
88 changes: 36 additions & 52 deletions cfg/rh-1.6/master.yaml
Expand Up @@ -220,31 +220,23 @@ groups:
# For CNI multus
# Get the pod name in the openshift-multus namespace
POD_NAME=$(oc get pods -n openshift-multus -l app=multus --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -z "$POD_NAME" ]; then
echo "No matching pods found on the current node."
else
if [ -n "$POD_NAME" ]; then
# Execute the stat command
oc exec -n openshift-multus "$POD_NAME" -- /bin/bash -c "stat -c \"$i %n permissions=%a\" /host/etc/cni/net.d/*.conf"; 2>/dev/null
oc exec -n openshift-multus "$POD_NAME" -- /bin/bash -c "stat -c \"$i %n permissions=%a\" /host/var/run/multus/cni/net.d/*.conf"; 2>/dev/null
oc exec -n openshift-multus "$POD_NAME" -- /bin/bash -c "stat -c \"$i %n permissions=%a\" /host/etc/cni/net.d/*.conf" 2>/dev/null
oc exec -n openshift-multus "$POD_NAME" -- /bin/bash -c "stat -c \"$i %n permissions=%a\" /host/var/run/multus/cni/net.d/*.conf" 2>/dev/null
fi
# For SDN pods
POD_NAME=$(oc get pods -n openshift-sdn -l app=sdn --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -z "$POD_NAME" ]; then
echo "No matching pods found on the current node."
else
if [ -n "$POD_NAME" ]; then
# Execute the stat command
oc exec -n openshift-sdn "$POD_NAME" -- find /var/lib/cni/networks/openshift-sdn -type f -exec stat -c "$i %n permissions=%a" {} \; 2>/dev/null
oc exec -n openshift-sdn "$POD_NAME" -- find /var/run/openshift-sdn -type f -exec stat -c "$i %n permissions=%a" {} \; 2>/dev/null
fi
# For OVS pods
POD_NAME=$(oc get pods -n openshift-sdn -l app=ovs --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -z "$POD_NAME" ]; then
echo "No matching pods found on the current node."
else
if [ -n "$POD_NAME" ]; then
# Execute the stat command
oc exec -n openshift-sdn "$POD_NAME" -- find /var/run/openvswitch -type f -exec stat -c "$i %n permissions=%a" {} \; 2>/dev/null
oc exec -n openshift-sdn "$POD_NAME" -- find /etc/openvswitch -type f -exec stat -c "$i %n permissions=%a" {} \; 2>/dev/null
Expand All @@ -266,33 +258,27 @@ groups:
audit: |
# Get the node name where the pod is running
NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
# For CNI multus
# Get the pod name in the openshift-multus namespace
POD_NAME=$(oc get pods -n openshift-multus -l app=multus --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -z "$POD_NAME" ]; then
echo "No matching pods found on the current node."
else
if [ -n "$POD_NAME" ]; then
# Execute the stat command
oc exec -n openshift-multus "$POD_NAME" -- /bin/bash -c "stat -c '$i %n %U:%G' /host/etc/cni/net.d/*.conf" 2>/dev/null
oc exec -n openshift-multus $i -- /bin/bash -c "stat -c '$i %n %U:%G' /host/var/run/multus/cni/net.d/*.conf" 2>/dev/null
fi
# For SDN pods
POD_NAME=$(oc get pods -n openshift-sdn -l app=sdn --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -z "$POD_NAME" ]; then
echo "No matching pods found on the current node."
else
if [ -n "$POD_NAME" ]; then
# Execute the stat command
oc exec -n openshift-sdn "$POD_NAME" -- find /var/lib/cni/networks/openshift-sdn -type f -exec stat -c "$i %n %U:%G" {} \; 2>/dev/null
oc exec -n openshift-sdn "$POD_NAME" -- find /var/run/openshift-sdn -type f -exec stat -c "$i %n %U:%G" {} \; 2>/dev/null
fi
# For OVS pods in 4.5
POD_NAME=$(oc get pods -n openshift-sdn -l app=ovs --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
if [ -z "$POD_NAME" ]; then
echo "No matching pods found on the current node."
else
if [ -n "$POD_NAME" ]; then
# Execute the stat command
oc exec -n openshift-sdn "$POD_NAME" -- find /var/run/openvswitch -type f -exec stat -c "$i %n %U:%G" {} \; 2>/dev/null
oc exec -n openshift-sdn "$POD_NAME" -- find /etc/openvswitch -type f -exec stat -c "$i %n %U:%G" {} \; 2>/dev/null
Expand Down Expand Up @@ -613,9 +599,9 @@ groups:
text: "Ensure that the --token-auth-file parameter is not set (Manual)"
audit: |
# Verify that the token-auth-file flag is not present
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments'
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments'
oc get kubeapiservers.operator.openshift.io cluster -o json | jq '.spec.observedConfig.apiServerArguments'
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments' | grep --color "token-auth-file"
oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments' | grep --color "token-auth-file"
oc get kubeapiservers.operator.openshift.io cluster -o json | jq '.spec.observedConfig.apiServerArguments' | grep --color "token-auth-file"
#Verify that the authentication operator is running
oc get clusteroperator authentication | awk '$3 != "AVAILABLE" { if ($3){print "available=true"}else{print "available=false"} }'
tests:
Expand All @@ -639,8 +625,8 @@ groups:
tests:
bin_op: and
test_items:
- flag: "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
- flag: "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
- flag: "/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/kubelet-client/tls.crt"
- flag: "/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/kubelet-client/tls.key"
remediation: |
No remediation is required.
OpenShift platform components use X.509 certificates for authentication.
Expand All @@ -655,8 +641,8 @@ groups:
tests:
bin_op: and
test_items:
- flag: "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"
- flag: "/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"
- flag: "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.crt"
- flag: "/etc/kubernetes/static-pod-certs/secrets/kubelet-client/tls.key"
remediation: |
No remediation is required.
OpenShift platform components use X.509 certificates for authentication.
Expand All @@ -681,27 +667,22 @@ groups:
- id: 1.2.7
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Manual)"
audit: |
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments'
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments."authorization-mode"[]'
tests:
test_items:
- path: "{.authorization-mode}"
compare:
op: nothave
value: "AlwaysAllow"
- flag: "AlwaysAllow"
set: false
remediation: |
None. RBAC is always on and the OpenShift API server does not use the values assigned to the flag authorization-mode.
scored: false

- id: 1.2.8
text: "Verify that RBAC is enabled (Manual)"
audit: |
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.apiServerArguments'
oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments."authorization-mode"[]'
tests:
test_items:
- path: "{.authorization-mode}"
compare:
op: has
value: "RBAC"
- flag: "RBAC"
remediation: |
None. It is not possible to disable RBAC.
scored: false
Expand Down Expand Up @@ -824,17 +805,20 @@ groups:
- id: 1.2.18
text: "Ensure that the --secure-port argument is not set to 0 (Manual)"
audit: |
oc get kubeapiservers.operator.openshift.io cluster -o json | jq '.spec.observedConfig.servingInfo.bindAddress'
echo bindAddress=$(oc get kubeapiservers.operator.openshift.io cluster -o json | jq '.spec.observedConfig.servingInfo.bindAddress')
# Should return only 6443
echo ports=`oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o jsonpath='{.items[*].spec.containers[?(@.name=="kube-apiserver")].ports[*].containerPort}'`
echo ports=$(oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o jsonpath='{.items[*].spec.containers[?(@.name=="kube-apiserver")].ports[*].containerPort}')
tests:
bin_op: and
test_items:
- flag: '"bindAddress": "0.0.0.0:6443"'
- flag: 'bindAddress'
compare:
op: eq
value: '"0.0.0.0:6443"'
- flag: "ports"
compare:
op: regex
value: '\s*(?:6443\s*){1,}$'
op: eq
value: '6443'
remediation: |
None required. By default, the openshift-kube-apiserver is served over HTTPS with authentication and authorization;
the secure API endpoint is bound to 0.0.0.0:6443.
Expand Down Expand Up @@ -884,15 +868,15 @@ groups:
oc rsh -n openshift-apiserver $POD ls /var/log/openshift-apiserver/audit.log 2>/dev/null
# Should return 0
echo apiserver_exit_code=$?
use_multiple_values: true
tests:
bin_op: or
bin_op: and
test_items:
- flag: "/var/log/kube-apiserver/audit.log"
- flag: "/var/log/openshift-apiserver/audit.log"
- flag: "/var/log/kube-apiserver/audit.log" # This is needed for second printing in ls command.
- flag: "kube_apiserver_exit_code=0"
- flag: "/var/log/openshift-apiserver/audit.log"
- flag: "/var/log/openshift-apiserver/audit.log" # This is needed for second printing in ls command.
- flag: "apiserver_exit_code=0"
- flag: "null"
remediation: |
None required. This is managed by the cluster apiserver operator. By default, auditing is enabled.
scored: false
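Review bot: In the ownership audit of the second hunk (the block starting at `audit: |` under `-266,33 +258,27`), the line `oc exec -n openshift-multus $i -- /bin/bash -c "stat -c '$i %n %U:%G' /host/var/run/multus/cni/net.d/*.conf" 2>/dev/null` still passes `$i` as the pod name while the guard the commit just rewrote around it sets and tests `"$POD_NAME"`; nothing in this audit block assigns `i`, so the command presumably fails, its error is hidden by `2>/dev/null`, and ownership of /host/var/run/multus/cni/net.d is never reported. It should read `oc exec -n openshift-multus "$POD_NAME" -- /bin/bash -c "stat -c '$i %n %U:%G' /host/var/run/multus/cni/net.d/*.conf" 2>/dev/null`, matching the sibling line above it and the permissions hunk. The `$i` inside every `stat -c` format string in both hunks looks like a leftover from an earlier per-pod loop and now expands to nothing, so `$POD_NAME` is likely what is wanted there as well. Separately, in 1.2.18 the new `op: eq` / `value: '6443'` on `ports=` cannot match a multi-master output such as `ports=6443 6443 6443` unless kube-bench's value extraction stops at the first whitespace, in which case only the first pod is checked; either way it is weaker than the `{1,}$` regex it replaces, and using `jq -r` for `bindAddress` would let the test compare `'0.0.0.0:6443'` without the embedded quotes.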
4 changes: 2 additions & 2 deletions docs/platforms.md
Expand Up @@ -27,8 +27,8 @@ Some defined by other hardenening guides.
| CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK |
| CIS | [AKS 1.0.0](https://workbench.cisecurity.org/benchmarks/6347) | aks-1.0 | AKS |
| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |
| CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1-15 |
| CIS | [OCP4 1.6.0](https://workbench.cisecurity.org/benchmarks/16094) | rh-1.6 | OCP 4.16- |
| CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1-4.14 |
| CIS | [OCP4 1.6.0](https://workbench.cisecurity.org/benchmarks/16094) | rh-1.6 | OCP 4.15- |
| CIS | [1.6.0-k3s](https://docs.rancher.cn/docs/k3s/security/self-assessment/_index) | cis-1.6-k3s | k3s v1.16-v1.24 |
| DISA | [Kubernetes Ver 1, Rel 6](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V1R6_STIG.zip) | eks-stig-kubernetes-v1r6 | EKS |
| CIS | [TKGI 1.2.53](https://network.pivotal.io/products/p-compliance-scanner#/releases/1248397) | tkgi-1.2.53 | vmware |
4 changes: 2 additions & 2 deletions docs/running.md
Expand Up @@ -134,8 +134,8 @@ docker push <AWS_ACCT_NUMBER>.dkr.ecr.<AWS_REGION>.amazonaws.com/k8s/kube-bench:
| OpenShift Hardening Guide | kube-bench config |
|---------------------------|-------------------|
| ocp-3.10 + | rh-0.7 |
| ocp-4.1-4.15 | rh-1.0 |
| ocp-4.16 + | rh-1.6 |
| ocp-4.1-4.14 | rh-1.0 |
| ocp-4.15 + | rh-1.6 |

kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 4.1. To run this you will need to specify `--benchmark rh-07`, or `--version ocp-3.10` or,`--version ocp-4.5` or `--benchmark rh-1.0`

