Merge pull request #563 from tzneal/update-k8s-cis-guidance

feat: k8s: update to the latest CIS K8s guidance v1.11.1

Author: bcressey

packages/os/kubernetes-cis-checks-metadata-json

@@ -1,5 +1,5 @@
 {
     "name": "CIS Kubernetes Benchmark (Worker Node)",
-    "version": "v1.8.0",
+    "version": "v1.11.1",
     "url": "https://www.cisecurity.org/benchmark/kubernetes"
 }

packages/os/os.spec

@@ -667,7 +667,8 @@ for p in \
   k8s04010100 k8s04010200 k8s04010500 k8s04010600 k8s04010700 \
   k8s04010800 k8s04010900 k8s04011000 k8s04020100 k8s04020200 \
   k8s04020300 k8s04020400 k8s04020500 k8s04020600 k8s04020900 \
-  k8s04021000 k8s04021100 k8s04021200 k8s04021300 \
+  k8s04021000 k8s04021100 k8s04021200 k8s04021300 k8s04021400 \
+  k8s04021500 k8s04030100 \
 ; do
   ln -rs %{buildroot}%{_cross_bindir}/kubernetes-cis-checks \
     %{buildroot}%{_cross_libexecdir}/cis-checks/kubernetes/${p}

sources/bloodhound/src/bin/kubernetes-cis-checks/checks.rs

@@ -12,20 +12,21 @@ const KUBELET_SERVICE_FILE: &str = "/etc/systemd/system/kubelet.service.d/exec-s
 const KUBELET_KUBECONFIG_FILE: &str = "/etc/kubernetes/kubelet/kubeconfig";
 const KUBELET_CLIENT_CA_FILE: &str = "/etc/kubernetes/pki/ca.crt";
 const KUBELET_CONF_FILE: &str = "/etc/kubernetes/kubelet/config";
+pub const KUBEPROXY_CONF_FILE: &str = "/etc/kubernetes/kube-proxy/kube-proxy.conf";
 
 // =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<=
 
 pub struct K8S04010100Checker {}
 
 impl Checker for K8S04010100Checker {
     fn execute(&self) -> CheckerResult {
-        let no_x_xw_xw = S_IXUSR | S_IXGRP | S_IWGRP | S_IXOTH | S_IWOTH;
-        check_file_not_mode(KUBELET_SERVICE_FILE, no_x_xw_xw)
+        let no_x_xwr_xwr = S_IXUSR | S_IRWXG | S_IRWXO;
+        check_file_not_mode(KUBELET_SERVICE_FILE, no_x_xwr_xwr)
     }
 
     fn metadata(&self) -> CheckerMetadata {
         CheckerMetadata {
-            title: "Ensure that the kubelet service file permissions are set to 644 or more restrictive".to_string(),
+            title: "Ensure that the kubelet service file permissions are set to 600 or more restrictive".to_string(),
             id: "4.1.1".to_string(),
             level: 1,
             name: "k8s04010100".to_string(),
@@ -60,13 +61,13 @@ pub struct K8S04010500Checker {}
 
 impl Checker for K8S04010500Checker {
     fn execute(&self) -> CheckerResult {
-        let no_x_xw_xw = S_IXUSR | S_IXGRP | S_IWGRP | S_IXOTH | S_IWOTH;
-        check_file_not_mode(KUBELET_KUBECONFIG_FILE, no_x_xw_xw)
+        let no_x_xwr_xwr = S_IXUSR | S_IRWXG | S_IRWXO;
+        check_file_not_mode(KUBELET_KUBECONFIG_FILE, no_x_xwr_xwr)
     }
 
     fn metadata(&self) -> CheckerMetadata {
         CheckerMetadata {
-            title: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive".to_string(),
+            title: "Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive".to_string(),
             id: "4.1.5".to_string(),
             level: 1,
             name: "k8s04010500".to_string(),
@@ -102,13 +103,13 @@ pub struct K8S04010700Checker {}
 
 impl Checker for K8S04010700Checker {
     fn execute(&self) -> CheckerResult {
-        let no_x_xwr_xwr = S_IXUSR | S_IRWXG | S_IRWXO;
-        check_file_not_mode(KUBELET_CLIENT_CA_FILE, no_x_xwr_xwr)
+        let no_x_xw_xw = S_IXUSR | S_IXGRP | S_IWGRP | S_IXOTH | S_IWOTH;
+        check_file_not_mode(KUBELET_CLIENT_CA_FILE, no_x_xw_xw)
     }
 
     fn metadata(&self) -> CheckerMetadata {
         CheckerMetadata {
-            title: "Ensure that the certificate authorities file permissions are set to 600 or more restrictive".to_string(),
+            title: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive".to_string(),
             id: "4.1.7".to_string(),
             level: 1,
             name: "k8s04010700".to_string(),
@@ -370,7 +371,7 @@ impl Checker for K8S04020400Checker {
 
     fn metadata(&self) -> CheckerMetadata {
         CheckerMetadata {
-            title: "Verify that the --read-only-port argument is set to 0".to_string(),
+            title: "Verify that if defined, readOnlyPort is set to 0".to_string(),
             id: "4.2.4".to_string(),
             level: 1,
             name: "k8s04020400".to_string(),
@@ -722,3 +723,129 @@ impl Checker for K8S04021300Checker {
         }
     }
 }
+
+// =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<=
+
+pub struct K8S04021400Checker {}
+
+impl Checker for K8S04021400Checker {
+    fn execute(&self) -> CheckerResult {
+        #[derive(Deserialize)]
+        struct KubeletConfig {
+            #[serde(rename = "seccompDefault")]
+            seccomp_default: bool,
+        }
+
+        let mut result = CheckerResult::default();
+
+        if let Ok(kubelet_file) = File::open(KUBELET_CONF_FILE) {
+            if let Ok(config) = serde_yaml::from_reader::<_, KubeletConfig>(kubelet_file) {
+                if !config.seccomp_default {
+                    result.error = "Kubelet seccompDefault is not set to true".to_string();
+                    result.status = CheckStatus::FAIL;
+                } else {
+                    result.status = CheckStatus::PASS;
+                }
+            } else {
+                // If the setting is not present then seccompDefault is false by default
+                result.error =
+                    "Kubelet seccompDefault is not configured or set to true".to_string();
+                result.status = CheckStatus::FAIL;
+            }
+        } else {
+            result.error = format!("unable to read '{}'", KUBELET_CONF_FILE);
+        }
+
+        result
+    }
+
+    fn metadata(&self) -> CheckerMetadata {
+        CheckerMetadata {
+            title: "Ensure that the --seccomp-default parameter is set to true".to_string(),
+            id: "4.2.14".to_string(),
+            level: 1,
+            name: "k8s04021400".to_string(),
+            mode: Mode::Automatic,
+        }
+    }
+}
+// =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<=
+
+pub struct K8S04030100Checker {}
+impl Checker for K8S04030100Checker {
+    fn execute(&self) -> CheckerResult {
+        #[derive(Deserialize)]
+        struct KubeProxyConfig {
+            #[serde(rename = "metricsBindAddress")]
+            metrics_bind_address: String,
+        }
+        let mut result = CheckerResult::default();
+
+        if let Ok(kubelet_file) = File::open(KUBEPROXY_CONF_FILE) {
+            if let Ok(config) = serde_yaml::from_reader::<_, KubeProxyConfig>(kubelet_file) {
+                if config.metrics_bind_address.contains("0.0.0.0")
+                    || config.metrics_bind_address.contains("[::]")
+                {
+                    result.error =
+                        "Kubelet metricsBindAddress binds to more than localhost".to_string();
+                    result.status = CheckStatus::FAIL;
+                } else {
+                    result.status = CheckStatus::PASS;
+                }
+            } else {
+                // If the setting is not present it defaults to 127.0.0.1:10249 which is localhost only
+                result.status = CheckStatus::PASS;
+            }
+        } else {
+            result.error = format!("unable to read '{}'", KUBEPROXY_CONF_FILE);
+        }
+        result
+    }
+    fn metadata(&self) -> CheckerMetadata {
+        CheckerMetadata {
+            title: "Ensure that the kube-proxy metrics service is bound to localhost".to_string(),
+            id: "4.3.1".to_string(),
+            level: 1,
+            name: "k8s04030100".to_string(),
+            mode: Mode::Automatic,
+        }
+    }
+}
+
+// =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<=
+
+pub struct K8S04010300Checker {}
+impl Checker for K8S04010300Checker {
+    fn execute(&self) -> CheckerResult {
+        let no_x_xwr_xwr = S_IXUSR | S_IRWXG | S_IRWXO;
+        check_file_not_mode(KUBEPROXY_CONF_FILE, no_x_xwr_xwr)
+    }
+    fn metadata(&self) -> CheckerMetadata {
+        CheckerMetadata {
+            title: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive".to_string(),
+            id: "4.1.3".to_string(),
+            level: 1,
+            name: "k8s04010300".to_string(),
+            mode: Mode::Automatic,
+        }
+    }
+}
+
+// =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<= =>o.o<=
+
+pub struct K8S04010400Checker {}
+impl Checker for K8S04010400Checker {
+    fn execute(&self) -> CheckerResult {
+        ensure_file_owner_and_group_root(KUBEPROXY_CONF_FILE)
+    }
+    fn metadata(&self) -> CheckerMetadata {
+        CheckerMetadata {
+            title: "If proxy kubeconfig file exists ensure ownership is set to root:root"
+                .to_string(),
+            id: "4.1.4".to_string(),
+            level: 1,
+            name: "k8s04010400".to_string(),
+            mode: Mode::Automatic,
+        }
+    }
+}

sources/bloodhound/src/bin/kubernetes-cis-checks/main.rs

@@ -16,18 +16,24 @@ fn main() {
     let checker: Box<dyn Checker> = match cmd_name {
         "k8s04010100" => Box::new(K8S04010100Checker {}),
         "k8s04010200" => Box::new(K8S04010200Checker {}),
-        "k8s04010300" => Box::new(ManualChecker {
-            name: cmd_name.to_string(),
-            title: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive".to_string(),
-            id: "4.1.3".to_string(),
-            level: 1,
-        }),
-        "k8s04010400" => Box::new(ManualChecker {
-            name: cmd_name.to_string(),
-            title: "If proxy kubeconfig file exists ensure ownership is set to root:root".to_string(),
-            id: "4.1.4".to_string(),
-            level: 1,
-        }),
+        "k8s04010300" => match Path::new(KUBEPROXY_CONF_FILE).exists() {
+            true => Box::new(K8S04010300Checker {}),
+            false => Box::new(ManualChecker {
+                name: cmd_name.to_string(),
+                title: "If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive".to_string(),
+                id: "4.1.3".to_string(),
+                level: 1,
+            })
+        },
+        "k8s04010400" => match Path::new(KUBEPROXY_CONF_FILE).exists() {
+            true => Box::new(K8S04010400Checker {}),
+            false => Box::new(ManualChecker {
+                name: cmd_name.to_string(),
+                title: "If proxy kubeconfig file exists ensure ownership is set to root:root".to_string(),
+                id: "4.1.4".to_string(),
+                level: 1,
+            })
+        },
         "k8s04010500" => Box::new(K8S04010500Checker {}),
         "k8s04010600" => Box::new(K8S04010600Checker {}),
         "k8s04010700" => Box::new(K8S04010700Checker {}),
@@ -63,6 +69,23 @@ fn main() {
         "k8s04021100" => Box::new(K8S04021100Checker {}),
         "k8s04021200" => Box::new(K8S04021200Checker {}),
         "k8s04021300" => Box::new(K8S04021300Checker {}),
+        "k8s04021400" => Box::new(K8S04021400Checker {}),
+        "k8s04021500" => Box::new(ManualChecker {
+            name: cmd_name.to_string(),
+            title: "Ensure that the --IPAddressDeny is set to any".to_string(),
+            id: "4.2.15".to_string(),
+            level: 2,
+        }),
+       "k8s04030100" =>
+           match Path::new(KUBEPROXY_CONF_FILE).exists() {
+               true => Box::new(K8S04030100Checker {}),
+               false => Box::new(ManualChecker {
+                   name: cmd_name.to_string(),
+                   title: "Ensure that the kube-proxy metrics service is bound to localhost".to_string(),
+                   id: "4.3.1".to_string(),
+                   level: 1,
+               })
+         },
         &_ => {
             eprintln!("Command {cmd_name} is not supported.");
             return;