From 06df91835ba9898c8ca7bd2d686d157d9570488a Mon Sep 17 00:00:00 2001 From: ppastorf Date: Sun, 15 Jun 2025 16:13:05 -0300 Subject: [PATCH 1/3] WIP: introduce python to rework the way the checks are made --- .../master-old/1_control_plane_components.sh | 724 ++++++++++++++++++ 1.6.0-rework/master-old/2_etcd.sh | 81 ++ .../3_control_plane_configuration.sh | 24 + 1.6.0-rework/master-old/5_policies.sh | 99 +++ 1.6.0-rework/master/master.py | 53 ++ 1.6.0-rework/worker-old/4_worker_nodes.sh | 277 +++++++ src/__init__.py | 0 src/checks/__init__.py | 2 + .../__pycache__/__init__.cpython-313.pyc | Bin 0 -> 222 bytes src/checks/__pycache__/check.cpython-313.pyc | Bin 0 -> 2209 bytes .../__pycache__/file_checks.cpython-313.pyc | Bin 0 -> 3307 bytes src/checks/check.py | 50 ++ src/checks/file_checks.py | 75 ++ src/helper/__init__.py | 1 + .../__pycache__/__init__.cpython-313.pyc | Bin 0 -> 196 bytes src/helper/__pycache__/print.cpython-313.pyc | Bin 0 -> 1911 bytes src/helper/print.py | 55 ++ 17 files changed, 1441 insertions(+) create mode 100644 1.6.0-rework/master-old/1_control_plane_components.sh create mode 100644 1.6.0-rework/master-old/2_etcd.sh create mode 100644 1.6.0-rework/master-old/3_control_plane_configuration.sh create mode 100644 1.6.0-rework/master-old/5_policies.sh create mode 100755 1.6.0-rework/master/master.py create mode 100644 1.6.0-rework/worker-old/4_worker_nodes.sh create mode 100755 src/__init__.py create mode 100755 src/checks/__init__.py create mode 100644 src/checks/__pycache__/__init__.cpython-313.pyc create mode 100644 src/checks/__pycache__/check.cpython-313.pyc create mode 100644 src/checks/__pycache__/file_checks.cpython-313.pyc create mode 100755 src/checks/check.py create mode 100755 src/checks/file_checks.py create mode 100755 src/helper/__init__.py create mode 100644 src/helper/__pycache__/__init__.cpython-313.pyc create mode 100644 src/helper/__pycache__/print.cpython-313.pyc create mode 100755 src/helper/print.py 
diff --git a/1.6.0-rework/master-old/1_control_plane_components.sh b/1.6.0-rework/master-old/1_control_plane_components.sh new file mode 100644 index 0000000..7598914 --- /dev/null +++ b/1.6.0-rework/master-old/1_control_plane_components.sh 
@@ -0,0 +1,724 @@ +info "1 - Control Plane Components" + +info "1.1 - Master Node Configuration Files" + +check_1_1_1="1.1.1 - Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)" +if [ -f "/etc/kubernetes/manifests/kube-apiserver.manifest" ]; then + # kops + file="/etc/kubernetes/manifests/kube-apiserver.manifest" +else + file="/etc/kubernetes/manifests/kube-apiserver.yaml" +fi +if [ -f $file ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then + pass "$check_1_1_1" + else + warn "$check_1_1_1" + warn " * Wrong permissions for $file" + fi +else + info "$check_1_1_1" + info " * File not found" +fi + +check_1_1_2="1.1.2 - Ensure that the API server pod specification file ownership is set to root:root (Automated)" +if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_1_1_2" + else + warn "$check_1_1_2" + warn " * Wrong ownership for $file" + fi +else + info "$check_1_1_2" +fi + +check_1_1_3="1.1.3 - Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)" +if [ -f "/etc/kubernetes/manifests/kube-controller-manager.manifest" ]; then + # kops + file="/etc/kubernetes/manifests/kube-controller-manager.manifest" +else + file="/etc/kubernetes/manifests/kube-controller-manager.yaml" +fi + +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_1_1_3" + else + warn "$check_1_1_3" + warn " * Wrong permissions for $file" + fi +else + info "$check_1_1_3" + info " * File not found" +fi + +check_1_1_4="1.1.4 - Ensure that the controller manager pod specification file ownership is set to root:root (Automated)" +if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_1_1_4" + else + warn "$check_1_1_4" + warn " * Wrong ownership for $file" + fi 
+else + info "$check_1_1_4" +fi + +check_1_1_5="1.1.5 - Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)" +if [ -f "/etc/kubernetes/manifests/kube-scheduler.yaml" ]; then + file="/etc/kubernetes/manifests/kube-scheduler.yaml" +else + # kops + file="/etc/kubernetes/manifests/kube-scheduler.manifest" +fi + +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_1_1_5" + else + warn "$check_1_1_5" + warn " * Wrong permissions for $file" + fi +else + info "$check_1_1_5" + info " * File not found" +fi + +check_1_1_6="1.1.6 - Ensure that the scheduler pod specification file ownership is set to root:root (Automated)" +if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_1_1_6" + else + warn "$check_1_1_6" + warn " * Wrong ownership for $file" + fi +else + info "$check_1_1_6" +fi + +check_1_1_7="1.1.7 - Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)" +if [ -f "/etc/kubernetes/manifests/etcd.yaml" ]; then + file="/etc/kubernetes/manifests/etcd.yaml" +else + # kops + file="/etc/kubernetes/manifests/etcd.manifest" +fi + +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_1_1_7" + else + warn "$check_1_1_7" + warn " * Wrong permissions for $file" + fi +else + info "$check_1_1_7" + info " * File not found" +fi + +check_1_1_8="1.1.8 - Ensure that the etcd pod specification file ownership is set to root:root (Automated)" +if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_1_1_8" + else + warn "$check_1_1_8" + warn " * Wrong ownership for $file" + fi +else + info "$check_1_1_8" +fi + +#todo find CNI file location +check_1_1_9="1.1.9 - Ensure that the Container Network Interface file permissions are set to 644 or 
more restrictive (Manual)" +info "$check_1_1_9 + Audit: + Run the below command (based on the file location on your system) on the master node. For example, + stat -c %a + Verify that the permissions are 644 or more restrictive." + +check_1_1_10="1.1.10 - Ensure that the Container Network Interface file ownership is set to root:root (Manual)" +info "$check_1_1_10 + Audit: + Run the below command (based on the file location on your system) on the master node. For example, + stat -c %U:%G + Verify that the ownership is set to root:root." + +check_1_1_11="1.1.11 - Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" +file="" +if check_argument "$CIS_ETCD_CMD" '--data-dir' >/dev/null 2>&1; then + file=$(get_argument_value "$CIS_ETCD_CMD" '--data-dir'|cut -d " " -f 1) +fi +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 700 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_1_1_11" + else + warn "$check_1_1_11" + warn " * Wrong permissions for $file" + fi +else + info "$check_1_1_11" + info " * etcd data directory not found." +fi + +check_1_1_12="1.1.12 - Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" +if [ -f "$file" ]; then + if [ "$(stat -c %U:%G $file)" = "etcd:etcd" ]; then + pass "$check_1_1_12" + else + warn "$check_1_1_12" + warn " * Wrong permissions for $file" + fi +else + info "$check_1_1_12" + info " * etcd data directory not found." 
+fi + +check_1_1_13="1.1.13 - Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)" +file="/etc/kubernetes/admin.conf" +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_1_1_13" + else + warn "$check_1_1_13" + warn " * Wrong permissions for $file" + fi +else + info "$check_1_1_13" + info " * File not found" +fi + +check_1_1_14="1.1.14 - Ensure that the admin.conf file ownership is set to root:root (Automated)" +if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_1_1_14" + else + warn "$check_1_1_14" + warn " * Wrong ownership for $file" + fi +else + info "$check_1_1_14" +fi + +check_1_1_15="1.1.15 - Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)" +file="/etc/kubernetes/scheduler.conf" +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_1_1_15" + else + warn "$check_1_1_15" + warn " * Wrong permissions for $file" + fi +else + info "$check_1_1_15" + info " * File not found" +fi + +check_1_1_16="1.1.16 - Ensure that the scheduler.conf file ownership is set to root:root (Automated)" +if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_1_1_16" + else + warn "$check_1_1_16" + warn " * Wrong ownership for $file" + fi +else + info "$check_1_1_16" +fi + +check_1_1_17="1.1.17 - Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)" +file="/etc/kubernetes/controller-manager.conf" +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_1_1_17" + else + warn "$check_1_1_17" + warn " * Wrong permissions for $file" + fi +else + info "$check_1_1_17" + info " * File not found" +fi + 
+check_1_1_18="1.1.18 - Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" +if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_1_1_18" + else + warn "$check_1_1_18" + warn " * Wrong ownership for $file" + fi +else + info "$check_1_1_18" +fi + +check_1_1_19="1.1.19 - Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" +file="/etc/kubernetes/pki/" +files=$(find $file) +pass=true +for f in ${files}; do + if [ "$(stat -c %u%g $f)" != 00 ]; then + pass=false; + break; + fi +done + +if [ "$pass" = "true" ]; then + pass "$check_1_1_19" +else + warn "$check_1_1_19" +fi + +check_1_1_20="1.1.20 - Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)" +files=$(find $file -name "*.crt") +pass=true +for f in ${files}; do + if ! [ "$(stat -c %a $f)" -eq 644 -o "$(stat -c %a $f)" -eq 600 -o "$(stat -c %a $f)" -eq 400 ]; then + pass=false; + break; + fi +done + +if [ "$pass" = "true" ]; then + pass "$check_1_1_20" +else + warn "$check_1_1_20" +fi + +check_1_1_21="1.1.21 - Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" +files=$(find $file -name "*.key") +pass=true +for f in ${files}; do + if ! 
[ "$(stat -c %a $f)" -eq 600 ]; then + pass=false; + break; + fi +done + +if [ "$pass" = "true" ]; then + pass "$check_1_1_21" +else + warn "$check_1_1_21" +fi + +info "1.2 - API Server" + +check_1_2_1="1.2.1 - Ensure that the --anonymous-auth argument is set to false (Manual)" +if check_argument "$CIS_APISERVER_CMD" '--anonymous-auth=false' >/dev/null 2>&1; then + pass "$check_1_2_1" +else + warn "$check_1_2_1" +fi + +check_1_2_2="1.2.2 - Ensure that the --basic-auth-file argument is not set (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--basic-auth-file' >/dev/null 2>&1; then + warn "$check_1_2_2" +else + pass "$check_1_2_2" +fi + +check_1_2_3="1.2.3 - Ensure that the --token-auth-file parameter is not set (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--token-auth-file' >/dev/null 2>&1; then + warn "$check_1_2_3" +else + pass "$check_1_2_3" +fi + +check_1_2_4="1.2.4 - Ensure that the --kubelet-https argument is set to true (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--kubelet-https=false' >/dev/null 2>&1; then + warn "$check_1_2_4" +else + pass "$check_1_2_4" +fi + +check_1_2_5="1.2.5 - Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--kubelet-client-certificate' >/dev/null 2>&1; then + if check_argument "$CIS_APISERVER_CMD" '--kubelet-client-key' >/dev/null 2>&1; then + certificate=$(get_argument_value "$CIS_APISERVER_CMD" '--kubelet-client-certificate') + key=$(get_argument_value "$CIS_APISERVER_CMD" '--kubelet-client-key') + pass "$check_1_2_5" + pass " * kubelet-client-certificate: $certificate" + pass " * kubelet-client-key: $key" + else + warn "$check_1_2_5" + fi +else + warn "$check_1_2_5" +fi + +check_1_2_6="1.2.6 - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--kubelet-certificate-authority' >/dev/null 2>&1; then + pass "$check_1_2_6" 
+else + warn "$check_1_2_6" +fi + +check_1_2_7="1.2.7 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" +if get_argument_value "$CIS_APISERVER_CMD" '--authorization-mode'| grep 'AlwaysAllow' >/dev/null 2>&1; then + warn "$check_1_2_7" +else + pass "$check_1_2_7" +fi + +check_1_2_8="1.2.8 - Ensure that the --authorization-mode argument includes Node (Automated)" +if get_argument_value "$CIS_APISERVER_CMD" '--authorization-mode'| grep 'Node' >/dev/null 2>&1; then + pass "$check_1_2_8" +else + warn "$check_1_2_8" +fi + +check_1_2_9="1.2.9 - Ensure that the --authorization-mode argument includes RBAC (Automated)" +if get_argument_value "$CIS_APISERVER_CMD" '--authorization-mode'| grep 'RBAC' >/dev/null 2>&1; then + pass "$check_1_2_9" +else + warn "$check_1_2_9" +fi + +check_1_2_10="1.2.10 - Ensure that the admission control plugin EventRateLimit is set (Manual)" +if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'EventRateLimit' >/dev/null 2>&1; then + pass "$check_1_2_10" +else + warn "$check_1_2_10" +fi + +check_1_2_11="1.2.11 - Ensure that the admission control plugin AlwaysAdmit is not set (Automated)" +if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'AlwaysAdmit' >/dev/null 2>&1; then + warn "$check_1_2_11" +else + pass "$check_1_2_11" +fi + +check_1_2_12="1.2.12 - Ensure that the admission control plugin AlwaysPullImages is set (Manual)" +if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'AlwaysPullImages' >/dev/null 2>&1; then + pass "$check_1_2_12" +else + warn "$check_1_2_12" +fi + +check_1_2_13="1.2.13 - Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)" +if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'PodSecurityPolicy' >/dev/null 2>&1; then + pass "$check_1_2_13" +else + if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| 
grep 'SecurityContextDeny' >/dev/null 2>&1; then + pass "$check_1_2_13" + else + warn "$check_1_2_13" + fi +fi + +check_1_2_14="1.2.14 - Ensure that the admission control plugin ServiceAccount is set (Automated)" +if get_argument_value "$CIS_APISERVER_CMD" '--disable-admission-plugins'| grep 'ServiceAccount' >/dev/null 2>&1; then + warn "$check_1_2_14" +else + pass "$check_1_2_14" +fi + +check_1_2_15="1.2.15 - Ensure that the admission control plugin NamespaceLifecycle is set (Automated)" +if get_argument_value "$CIS_APISERVER_CMD" '--disable-admission-plugins'| grep 'NamespaceLifecycle' >/dev/null 2>&1; then + warn "$check_1_2_15" +else + pass "$check_1_2_15" +fi + +check_1_2_16="1.2.16 - Ensure that the admission control plugin PodSecurityPolicy is set (Automated)" +if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'PodSecurityPolicy' >/dev/null 2>&1; then + pass "$check_1_2_16" +else + warn "$check_1_2_16" +fi + +check_1_2_17="1.2.17 - Ensure that the admission control plugin NodeRestriction is set (Automated)" +if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'NodeRestriction' >/dev/null 2>&1; then + pass "$check_1_2_17" +else + warn "$check_1_2_17" +fi + +check_1_2_18="1.2.18 - Ensure that the --insecure-bind-address argument is not set (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--insecure-bind-address' >/dev/null 2>&1; then + warn "$check_1_2_18" +else + pass "$check_1_2_18" +fi + +check_1_2_19="1.2.19 - Ensure that the --insecure-port argument is set to 0 (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--insecure-port' >/dev/null 2>&1; then + port=$(get_argument_value "$CIS_APISERVER_CMD" '--insecure-port'|cut -d " " -f 1) + if [ "$port" = "0" ]; then + pass "$check_1_2_19" + else + warn "$check_1_2_19" + warn " * insecure-port: $port" + fi +else + warn "$check_1_2_19" +fi + +check_1_2_20="1.2.20 - Ensure that the --secure-port argument is not set to 0 (Automated)" +if check_argument 
"$CIS_APISERVER_CMD" '--secure-port' >/dev/null 2>&1; then + port=$(get_argument_value "$CIS_APISERVER_CMD" '--secure-port'|cut -d " " -f 1) + if [ "$port" = "0" ]; then + warn "$check_1_2_20" + warn " * secure-port: $port" + else + pass "$check_1_2_20" + fi +else + pass "$check_1_2_20" +fi + +check_1_2_21="1.2.21 - Ensure that the --profiling argument is set to false (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--profiling=false' >/dev/null 2>&1; then + pass "$check_1_2_21" +else + warn "$check_1_2_21" +fi + +check_1_2_22="1.2.22 - Ensure that the --audit-log-path argument is set (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--audit-log-path' >/dev/null 2>&1; then + pass "$check_1_2_22" +else + warn "$check_1_2_22" +fi + +check_1_2_23="1.2.23 - Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--audit-log-maxage' >/dev/null 2>&1; then + maxage=$(get_argument_value "$CIS_APISERVER_CMD" '--audit-log-maxage'|cut -d " " -f 1) + if [ "$maxage" -ge "30" ]; then + pass "$check_1_2_23" + pass " * audit-log-maxage: $maxage" + else + warn "$check_1_2_23" + warn " * audit-log-maxage: $maxage" + fi +else + warn "$check_1_2_23" +fi + +check_1_2_24="1.2.24 - Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--audit-log-maxbackup' >/dev/null 2>&1; then + maxbackup=$(get_argument_value "$CIS_APISERVER_CMD" '--audit-log-maxbackup'|cut -d " " -f 1) + if [ "$maxbackup" -ge "10" ]; then + pass "$check_1_2_24" + pass " * audit-log-maxbackup: $maxbackup" + else + warn "$check_1_2_24" + warn " * audit-log-maxbackup: $maxbackup" + fi +else + warn "$check_1_2_24" +fi + +check_1_2_25="1.2.25 - Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--audit-log-maxsize' >/dev/null 2>&1; then + maxsize=$(get_argument_value "$CIS_APISERVER_CMD" 
'--audit-log-maxsize'|cut -d " " -f 1) + if [ "$maxsize" -ge "100" ]; then + pass "$check_1_2_25" + pass " * audit-log-maxsize: $maxsize" + else + warn "$check_1_2_25" + warn " * audit-log-maxsize: $maxsize" + fi +else + warn "$check_1_2_25" +fi + +check_1_2_26="1.2.26 - Ensure that the --request-timeout argument is set as appropriate (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--request-timeout' >/dev/null 2>&1; then + requestTimeout=$(get_argument_value "$CIS_APISERVER_CMD" '--request-timeout') + warn "$check_1_2_26" + warn " * request-timeout: $requestTimeout" +else + pass "$check_1_2_26" +fi + +check_1_2_27="1.2.27 - Ensure that the --service-account-lookup argument is set to true (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--service-account-lookup=false' >/dev/null 2>&1; then + warn "$check_1_2_27" +else + pass "$check_1_2_27" +fi + +check_1_2_28="1.2.28 - Ensure that the --service-account-key-file argument is set as appropriate (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--service-account-key-file' >/dev/null 2>&1; then + file=$(get_argument_value "$CIS_APISERVER_CMD" '--service-account-key-file') + pass "$check_1_2_28" + pass " * service-account-key-file: $file" +else + warn "$check_1_2_28" +fi + +check_1_2_29="1.2.29 - Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--etcd-certfile' >/dev/null 2>&1; then + if check_argument "$CIS_APISERVER_CMD" '--etcd-keyfile' >/dev/null 2>&1; then + certfile=$(get_argument_value "$CIS_APISERVER_CMD" '--etcd-certfile') + keyfile=$(get_argument_value "$CIS_APISERVER_CMD" '--etcd-keyfile') + pass "$check_1_2_29" + pass " * etcd-certfile: $certfile" + pass " * etcd-keyfile: $keyfile" + else + warn "$check_1_2_29" + fi +else + warn "$check_1_2_29" +fi + +check_1_2_30="1.2.30 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)" +if check_argument 
"$CIS_APISERVER_CMD" '--tls-cert-file' >/dev/null 2>&1; then + if check_argument "$CIS_APISERVER_CMD" '--tls-private-key-file' >/dev/null 2>&1; then + certfile=$(get_argument_value "$CIS_APISERVER_CMD" '--tls-cert-file') + keyfile=$(get_argument_value "$CIS_APISERVER_CMD" '--tls-private-key-file') + pass "$check_1_2_30" + pass " * tls-cert-file: $certfile" + pass " * tls-private-key-file: $keyfile" + else + warn "$check_1_2_30" + fi +else + warn "$check_1_2_30" +fi + +check_1_2_31="1.2.31 - Ensure that the --client-ca-file argument is set as appropriate (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--client-ca-file' >/dev/null 2>&1; then + cafile=$(get_argument_value "$CIS_APISERVER_CMD" '--client-ca-file') + pass "$check_1_2_31" + pass " * client-ca-file: $cafile" +else + warn "$check_1_2_31" +fi + +check_1_2_32="1.2.32 - Ensure that the --etcd-cafile argument is set as appropriate (Automated)" +if check_argument "$CIS_APISERVER_CMD" '--etcd-cafile' >/dev/null 2>&1; then + cafile=$(get_argument_value "$CIS_APISERVER_CMD" '--etcd-cafile') + pass "$check_1_2_32" + pass " * etcd-cafile: $cafile" +else + warn "$check_1_2_32" +fi + +check_1_2_33="1.2.33 - Ensure that the --encryption-provider-config argument is set as appropriate (Manual)" +if get_argument_value "$CIS_APISERVER_CMD" '--encryption-provider-config'| grep 'EncryptionConfig' >/dev/null 2>&1; then + pass "$check_1_2_33" +else + warn "$check_1_2_33" +fi + +check_1_2_34="1.2.34 - Ensure that encryption providers are appropriately configured (Manual)" +if check_argument "$CIS_APISERVER_CMD" '--encryption-provider-config' >/dev/null 2>&1; then + encryptionConfig=$(get_argument_value "$CIS_APISERVER_CMD" '--encryption-provider-config') + if [ -f "$encryptionConfig" ]; then + if [ $(grep -c "\- aescbc:\|\- kms:\|\- secretbox:" $encryptionConfig) -ne 0 ]; then + pass "$check_1_2_34" + else + warn "$check_1_2_34" + fi + else + warn "$check_1_2_34" + fi +else + warn "$check_1_2_34" +fi +#if 
get_argument_value "$CIS_APISERVER_CMD" '--experimental-encryption-provider-config'| grep 'EncryptionConfig' >/dev/null 2>&1; then +# encryptionConfig=$(get_argument_value "$CIS_APISERVER_CMD" '--experimental-encryption-provider-config') +# if sed ':a;N;$!ba;s/\n/ /g' $encryptionConfig |grep "providers:\s* - aescbc" >/dev/null 2>&1; then +# pass "$check_1_2_34" +# else +# warn "$check_1_2_34" +# fi +#else +# warn "$check_1_2_34" +#fi + +check_1_2_35="1.2.35 - Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)" +if check_argument "$CIS_APISERVER_CMD" '--tls-cipher-suites' >/dev/null 2>&1; then + ciphers=$(get_argument_value "$CIS_APISERVER_CMD" '--tls-cipher-suites'|cut -d " " -f 1) + found=$(echo $ciphers| sed -rn '/(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)/p') + if [ ! -z "$found" ]; then + pass "$check_1_2_35" + else + warn "$check_1_2_35" + fi +else + warn "$check_1_2_35" +fi + +info "1.3 - Controller Manager" + +check_1_3_1="1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)" +# Filter out processes like "/bin/tee -a /var/log/kube-controller-manager.log" +# which exist on kops-managed clusters. 
+if check_argument "$CIS_MANAGER_CMD" '--terminated-pod-gc-threshold' >/dev/null 2>&1; then + threshold=$(get_argument_value "$CIS_MANAGER_CMD" '--terminated-pod-gc-threshold') + pass "$check_1_3_1" + pass " * terminated-pod-gc-threshold: $threshold" +else + warn "$check_1_3_1" +fi + +check_1_3_2="1.3.2 - Ensure that the --profiling argument is set to false (Automated)" +if check_argument "$CIS_MANAGER_CMD" '--profiling=false' >/dev/null 2>&1; then + pass "$check_1_3_2" +else + warn "$check_1_3_2" +fi + +check_1_3_3="1.3.3 - Ensure that the --use-service-account-credentials argument is set to true (Automated)" +if check_argument "$CIS_MANAGER_CMD" '--use-service-account-credentials=true' >/dev/null 2>&1; then + pass "$check_1_3_3" +else + warn "$check_1_3_3" +fi + +check_1_3_4="1.3.4 - Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)" +if check_argument "$CIS_MANAGER_CMD" '--service-account-private-key-file' >/dev/null 2>&1; then + keyfile=$(get_argument_value "$CIS_MANAGER_CMD" '--service-account-private-key-file') + pass "$check_1_3_4" + pass " * service-account-private-key-file: $keyfile" +else + warn "$check_1_3_4" +fi + +check_1_3_5="1.3.5 - Ensure that the --root-ca-file argument is set as appropriate (Automated)" +if check_argument "$CIS_MANAGER_CMD" '--root-ca-file' >/dev/null 2>&1; then + cafile=$(get_argument_value "$CIS_MANAGER_CMD" '--root-ca-file') + pass "$check_1_3_5" + pass " * root-ca-file: $cafile" +else + warn "$check_1_3_5" +fi + +check_1_3_6="1.3.6 - Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" +if check_argument "$CIS_MANAGER_CMD" '--feature-gates' >/dev/null 2>&1; then + serverCert=$(get_argument_value "$CIS_MANAGER_CMD" '--feature-gates') + found=$(echo $serverCert| grep 'RotateKubeletServerCertificate=true') + if [ ! 
-z $found ]; then + pass "$check_1_3_6" + else + warn "$check_1_3_6" + fi +else + warn "$check_1_3_6" +fi + +check_1_3_7="1.3.7 - Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" +if get_argument_value "$CIS_MANAGER_CMD" '--bind-address'| grep '127.0.0.1' >/dev/null 2>&1; then + pass "$check_1_3_7" +else + warn "$check_1_3_7" +fi + +info "1.4 - Scheduler" + +check_1_4_1="1.4.1 - Ensure that the --profiling argument is set to false (Automated)" +if check_argument "$CIS_SCHEDULER_CMD" '--profiling=false' >/dev/null 2>&1; then + pass "$check_1_4_1" +else + warn "$check_1_4_1" +fi + +check_1_4_2="1.4.2 - Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" +if get_argument_value "$CIS_SCHEDULER_CMD" '--bind-address'| grep '127.0.0.1' >/dev/null 2>&1; then + pass "$check_1_4_2" +else + warn "$check_1_4_2" +fi diff --git a/1.6.0-rework/master-old/2_etcd.sh b/1.6.0-rework/master-old/2_etcd.sh new file mode 100644 index 0000000..5bd6c30 --- /dev/null +++ b/1.6.0-rework/master-old/2_etcd.sh 
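Review bot: Checks 1.1.11 and 1.1.12 test the `--data-dir` value with `[ -f "$file" ]`, which is true only for a regular file, so a real etcd data directory always falls through to the "etcd data directory not found" branch and these two checks can never report pass or warn; both guards should read `if [ -d "$file" ]; then`, and the 1.1.12 failure text should say "Wrong ownership" rather than "Wrong permissions" since it is an ownership check. Check 1.2.35 reports pass as soon as `sed -rn` finds one approved suite in `--tls-cipher-suites`, so a list that also carries weak suites still passes; matching the check's title ("only makes use of Strong Cryptographic Ciphers") would require rejecting any entry outside the approved set, for example by splitting on commas and warning on the first unlisted suite. The permission set accepted by 1.1.1 (644/640/600) also differs from the 644/600/400 set used by every other file check in the hunk, so 1.1.1 rejects a 400 manifest that the sibling checks accept; aligning it avoids a false warning on hardened hosts.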
@@ -0,0 +1,81 @@
+info "2 - etcd"
+
+check_2_1="2.1 - Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
+if check_argument "$CIS_ETCD_CMD" '--cert-file' >/dev/null 2>&1; then
+ if check_argument "$CIS_ETCD_CMD" '--key-file' >/dev/null 2>&1; then
+ cfile=$(get_argument_value "$CIS_ETCD_CMD" '--cert-file')
+ kfile=$(get_argument_value "$CIS_ETCD_CMD" '--key-file')
+ pass "$check_2_1"
+ pass " * cert-file: $cfile"
+ pass " * key-file: $kfile"
+ else
+ warn "$check_2_1"
+ fi
+else
+ warn "$check_2_1"
+fi
+
+check_2_2="2.2 - Ensure that the --client-cert-auth argument is set to true (Automated)"
+if check_argument "$CIS_ETCD_CMD" '--client-cert-auth' >/dev/null 2>&1; then
+ pass "$check_2_2"
+else
+ warn "$check_2_2"
+fi
+
+check_2_3="2.3 - Ensure that the --auto-tls argument is not set to true (Automated)"
+if check_argument "$CIS_ETCD_CMD" '--auto-tls=true' >/dev/null 2>&1; then
+ warn "$check_2_3"
+else
+ pass "$check_2_3"
+fi
+
+check_2_4="2.4 - Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
+if check_argument "$CIS_ETCD_CMD" '--peer-cert-file' >/dev/null 2>&1; then
+ if check_argument "$CIS_ETCD_CMD" '--peer-key-file' >/dev/null 2>&1; then
+ cfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-cert-file')
+ kfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-key-file')
+ pass "$check_2_4"
+ pass " * peer-cert-file: $cfile"
+ pass " * peer-key-file: $kfile"
+ else
+ warn "$check_2_4"
+ fi
+else
+ warn "$check_2_4"
+fi
+
+check_2_5="2.5 - Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
+if check_argument "$CIS_ETCD_CMD" '--peer-client-cert-auth=true' >/dev/null 2>&1; then
+ pass "$check_2_5"
+else
+ warn "$check_2_5"
+fi
+
+check_2_6="2.6 - Ensure that the --peer-auto-tls argument is not set to true (Automated)"
+if check_argument "$CIS_ETCD_CMD" '--peer-auto-tls=true' >/dev/null 2>&1; then
+ warn "$check_2_6"
+else
+ pass "$check_2_6"
+fi
+
+#todo apiserver vs kube-apiserver
+check_2_7="2.7 - Ensure that a unique Certificate Authority is used for etcd (Manual)"
+if check_argument "$CIS_ETCD_CMD" '--trusted-ca-file' >/dev/null 2>&1; then
+ if check_argument "$CIS_APISERVER_CMD" '--client-ca-file' >/dev/null 2>&1; then
+ tfile=$(get_argument_value "$CIS_ETCD_CMD" '--trusted-ca-file')
+ cfile=$(get_argument_value "$CIS_APISERVER_CMD" '--client-ca-file')
+ if [ "$tfile" = "$cfile" ]; then
+ pass "$check_2_7"
+ pass " * trusted-ca-file: $tfile"
+ pass " * client-ca-file: $cfile"
+ else
+ warn "$check_2_7"
+ fi
+ else
+ warn "$check_2_7"
+ warn " * client-ca-file doesn't exist"
+ fi
+else
+ warn "$check_2_7"
+ warn " * trusted-ca-file doesn't exist"
+fi
diff --git a/1.6.0-rework/master-old/3_control_plane_configuration.sh b/1.6.0-rework/master-old/3_control_plane_configuration.sh
new file mode 100644
index 0000000..9e15658
--- /dev/null
+++ b/1.6.0-rework/master-old/3_control_plane_configuration.sh
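Review bot: Check 2.7 reports pass when the etcd `--trusted-ca-file` and the API server `--client-ca-file` are the same path (`if [ "$tfile" = "$cfile" ]`), which is the shared-CA configuration the check title "a unique Certificate Authority is used for etcd" is meant to flag; if the title reflects the intent, the comparison should be `if [ "$tfile" != "$cfile" ]; then`. Comparing paths is also only a proxy, since two different paths may hold the same CA certificate, so the note printed on pass should make clear that this is a path comparison only and the operator should confirm the certificates themselves differ. Check 2.2 tests only that `--client-cert-auth` is present, while 2.5 tests `--peer-client-cert-auth=true`; an explicit `--client-cert-auth=false` therefore passes 2.2, and `'--client-cert-auth=true'` would make the two checks consistent.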
@@ -0,0 +1,24 @@
+info "3 - Control Plane Configuration"
+
+info "3.1 - Authentication and Authorization"
+
+check_3_1_1="3.1.1 - Client certificate authentication should not be used for users (Manual)"
+info "$check_3_1_1"
+info " * Review user access to the cluster and ensure that users are not making use of Kubernetes client certificate authentication."
+
+info "3.2 - Logging"
+
+check_3_2_1="3.2.1 - Ensure that a minimal audit policy is created (Manual)"
+if check_argument "$CIS_APISERVER_CMD" '--audit-policy-file' >/dev/null 2>&1; then
+ auditPolicyFile=$(get_argument_value "$CIS_APISERVER_CMD" '--audit-policy-file')
+ pass "$check_3_2_1"
+ pass " * audit-policy-file: $auditPolicyFile"
+else
+ warn "$check_3_2_1"
+fi
+
+check_3_2_2="3.2.2 - Ensure that the audit policy covers key security concerns (Manual)"
+info "$check_3_2_2"
+info " * Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data."
+info " * Modification of pod and deployment objects."
+info " * Use of pods/exec, pods/portforward, pods/proxy and services/proxy."
diff --git a/1.6.0-rework/master-old/5_policies.sh b/1.6.0-rework/master-old/5_policies.sh
new file mode 100644
index 0000000..9b2afba
--- /dev/null
+++ b/1.6.0-rework/master-old/5_policies.sh
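Review bot: Check 3.2.1 reports pass as soon as `--audit-policy-file` is present on the API server command line, without confirming that the referenced path exists or is non-empty, so a flag pointing at a missing or empty policy file still passes; after reading the value, a guard such as `[ -s "$auditPolicyFile" ] || warn " * audit-policy-file not found or empty: $auditPolicyFile"` would catch that case. Whether the path is resolvable from where this script runs depends on how the API server is deployed (the file may live inside the apiserver's mount namespace), so the guard may need the same caveat the 1.1.x file checks carry. The check also leaves "minimal" undefined; since it is marked Manual, an `info` line stating what the operator should look for in the policy would make the output actionable.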
@@ -0,0 +1,99 @@ +info "5 - Policies" +info "5.1 - RBAC and Service Accounts" + +# Make the loop separator be a new-line in POSIX compliant fashion +set -f; IFS=$' +' + +check_5_1_1="5.1.1 - Ensure that the cluster-admin role is only used where required (Manual)" +cluster_admins=$(kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name) +info "$check_5_1_1" +for admin in $cluster_admins; do + info " * $admin" +done + +check_5_1_2="5.1.2 - Minimize access to secrets (Manual)" +policies=$(kubectl get psp) +info "$check_5_1_2" +for policy in $policies; do + info " * $policy" +done + +check_5_1_3="5.1.3 - Create administrative boundaries between resources using namespaces (Manual)" +namespaces=$(kubectl get namespaces) +info "$check_5_1_3" +for namespace in $namespaces; do + info " * $namespace" +done + +check_5_1_4="5.1.4 - Create network segmentation using Network Policies (Manual)" +policies=$(kubectl get pods --namespace=kube-system) +info "$check_5_1_4" +for policy in $policies; do + info " * $policy" +done + +check_5_1_5="5.1.5 - Avoid using Kubernetes Secrets (Manual)" +secrets=$(kubectl get secrets) +info "$check_5_1_5" +for secret in $secrets; do + info " * $secret" +done + +#TODO +check_5_1_6="5.1.6 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)" +info "$check_5_1_6" +check_5_1_7="5.1.7 - Apply Security Context to Your Pods and Containers (Manual)" +info "$check_5_1_7" +check_5_1_8="5.1.8 - Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)" +info "$check_5_1_8" +check_5_1_9="5.1.9 - Place compensating controls in the form of PSP and RBAC for privileged containers usage (Manual)" +info "$check_5_1_9" + +info "5.2 - Pod Security Policies" + +check_5_2_1="5.2.1 - Minimize the admission of privileged containers (Manual)" +info "$check_5_2_1" +check_5_2_2="5.2.2 - Minimize the admission of containers wishing to share the host 
process ID namespace (Manual)" +info "$check_5_2_2" +check_5_2_3="5.2.3 - Minimize the admission of containers wishing to share the host IPC namespace (Manual)" +info "$check_5_2_3" +check_5_2_4="5.2.4 - Minimize the admission of containers wishing to share the host network namespace (Manual)" +info "$check_5_2_4" +check_5_2_5="5.2.5 - Minimize the admission of containers with allowPrivilegeEscalation (Manual)" +info "$check_5_2_5" +check_5_2_6="5.2.6 - Minimize the admission of root containers (Manual)" +info "$check_5_2_6" +check_5_2_7="5.2.7 - Minimize the admission of containers with the NET_RAW capability (Manual)" +info "$check_5_2_7" +check_5_2_8="5.2.8 - Minimize the admission of containers with added capabilities (Manual)" +info "$check_5_2_8" +check_5_2_9="5.2.9 - Minimize the admission of containers with capabilities assigned (Manual)" +info "$check_5_2_9" + +info "5.3 - Network Policies and CNI" +check_5_3_1="5.3.1 - Ensure that the CNI in use supports Network Policies (Manual)" +info "$check_5_3_1" +check_5_3_2="5.3.2 - Ensure that all Namespaces have Network Policies defined (Manual)" +info "$check_5_3_2" + +info "5.4 - Secrets Management" +check_5_4_1="5.4.1 - Prefer using secrets as files over secrets as environment variables (Manual)" +info "$check_5_4_1" +check_5_4_2="5.4.2 - Consider external secret storage (Manual)" +info "$check_5_4_2" + +info "5.5 - Extensible Admission Control" +check_5_5_1="5.5.1 - Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)" +info "$check_5_5_1" + +info "5.7 - General Policies" +check_5_7_1="5.7.1 - Create administrative boundaries between resources using namespaces (Manual)" +info "$check_5_7_1" +#todo remedition +check_5_7_2="5.7.2 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)" +info "$check_5_7_2" +check_5_7_3="5.7.3 - Apply Security Context to Your Pods and Containers (Manual)" +info "$check_5_6_3" +check_5_7_4="5.7.4 - The default 
namespace should not be used (Manual)"
+info "$check_5_7_4"
diff --git a/1.6.0-rework/master/master.py b/1.6.0-rework/master/master.py
new file mode 100755
index 0000000..36d3ec3
--- /dev/null
+++ b/1.6.0-rework/master/master.py
@@ -0,0 +1,53 @@
+#!/bin/env python3
+
+import sys
+import os
+
+# Make it able to import src/
+sys.path.append(
+    os.path.abspath(
+        os.path.join(
+            os.path.dirname(__file__), '../../src'
+        )
+    )
+)
+
+from checks import FilePermissionCheck, FileOwnershipCheck
+from helper import PrintHeader, PrintInfo
+
+if __name__ == '__main__':
+    PrintHeader()
+    PrintInfo("info", "1 - Control Plane Components")
+    PrintInfo("info", "1.1 - Master Node Configuration Files")
+
+    kops = False
+    if kops:
+        in_file = "/etc/kubernetes/manifests/kube-apiserver.manifest"
+    else:
+        in_file = "/etc/kubernetes/manifests/kube-apiserver.yaml"
+
+    check_1_1_1 = FilePermissionCheck(
+        title="1.1.1 - Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)",
+        level=1,
+        automated=True,
+        scored=True,
+        file=in_file,
+        max_allowed=0o644,
+    )
+
+    check_1_1_1.Run()
+    check_1_1_1.Print()
+
+    check_1_1_2 = FileOwnershipCheck(
+        title="1.1.2 - Ensure that the API server pod specification file ownership is set to root:root (Automated)",
+        level=1,
+        automated=True,
+        scored=True,
+        file=in_file,
+        required_uid=0,
+        required_gid=0,
+    )
+
+    check_1_1_2.Run()
+    check_1_1_2.Print()
+
diff --git a/1.6.0-rework/worker-old/4_worker_nodes.sh b/1.6.0-rework/worker-old/4_worker_nodes.sh
new file mode 100644
index 0000000..c2ca967
--- /dev/null
+++ b/1.6.0-rework/worker-old/4_worker_nodes.sh
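Review bot: `kops = False` is a hard-coded constant in master.py, so the `.manifest` branch is dead code and on a kops node the check will inspect `/etc/kubernetes/manifests/kube-apiserver.yaml`, which is presumably absent there; the shell script this replaces chose the path by probing for the kops manifest. Replace the constant with the same probe, `kops = os.path.isfile("/etc/kubernetes/manifests/kube-apiserver.manifest")`, so the file selection is not silently wrong on one cluster flavour. The `#!/bin/env python3` shebang only works on merged-/usr systems; `#!/usr/bin/env python3` is the portable form. Whether `max_allowed=0o644` accepts stricter modes such as 0o600 depends on `FilePermissionCheck`, which this patch does not show; a one-line comment stating the intended comparison (`# pass when mode has no bits outside max_allowed`) would make the call site self-explanatory.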
@@ -0,0 +1,277 @@ +info "4.1 - Worker Node Configuration Files" + +check_4_1_1="4.1.1 - Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)" +file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_4_1_1" + else + warn "$check_4_1_1" + warn " * Wrong permissions for $file" + fi +else + info "$check_4_1_1" + info " * The kubelet service file not found" +fi + +check_4_1_2="4.1.2 - Ensure that the kubelet service file ownership is set to root:root (Automated)" +if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_4_1_2" + else + warn "$check_4_1_2" + warn " * Wrong ownership for $file" + fi +else + info "$check_4_1_2" +fi + +check_4_1_3="4.1.3 - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Manual)" +file="" +if check_argument "$CIS_PROXY_CMD" '--kubeconfig' >/dev/null 2>&1; then + file=$(get_argument_value "$CIS_PROXY_CMD" '--kubeconfig'|cut -d " " -f 1) +fi + +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_4_1_3" + else + warn "$check_4_1_3" + warn " * Wrong permissions for $file" + fi +else + info "$check_4_1_3" + info " * kubeconfig file not found" +fi + +check_4_1_4="4.1.4 - Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)" +if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_4_1_4" + else + warn "$check_4_1_4" + warn " * Wrong ownership for $file" + fi +else + info "$check_4_1_4" + info " * kubeconfig file not found" +fi + +check_4_1_5="4.1.5 - Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Automated)" +if [ -f "/var/lib/kube-proxy/kubeconfig" ]; then + # kops + file="/var/lib/kube-proxy/kubeconfig" 
+else + file="/etc/kubernetes/proxy" +fi + +if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_4_1_5" + else + warn "$check_4_1_5" + warn " * Wrong permissions for $file" + fi +else + info "$check_4_1_5" + info " * File not found" +fi + +check_4_1_6="4.1.6 - Ensure that the kubelet.conf file ownership is set to root:root (Manual)" +if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_4_1_6" + else + warn "$check_4_1_6" + warn " * Wrong ownership for $file" + fi +else + info "$check_4_1_6" +fi + +check_4_1_7="4.1.7 - Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)" +if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then + file=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file') + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_4_1_7" + pass " * client-ca-file: $file" + else + warn "$check_4_1_7" + warn " * Wrong permissions for $file" + fi +else + info "$check_4_1_7" + info " * --client-ca-file not set" +fi + +check_4_1_8="4.1.8 - Ensure that the client certificate authorities file ownership is set to root:root (Manual)" +if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then + file=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file') + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_4_1_8" + pass " * client-ca-file: $file" + else + warn "$check_4_1_8" + warn " * Wrong ownership for $file" + fi +else + info "$check_4_1_8" + info " * --client-ca-file not set" +fi + +check_4_1_9="4.1.9 - Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)" +if check_argument "$CIS_KUBELET_CMD" '--config' >/dev/null 2>&1; then + file=$(get_argument_value "$CIS_KUBELET_CMD" '--config') + if [ "$(stat -c %a 
$file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then + pass "$check_4_1_9" + pass " * kubelet configuration file: $file" + else + warn "$check_4_1_9" + warn " * Wrong permissions for $file" + fi +else + info "$check_4_1_9" + info " * kubelet configuration file not set" +fi + +check_4_1_10="4.1.10 - Ensure that the kubelet configuration file ownership is set to root:root (Automated)" +if check_argument "$CIS_KUBELET_CMD" '--config' >/dev/null 2>&1; then + file=$(get_argument_value "$CIS_KUBELET_CMD" '--config') + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_4_1_10" + pass " * kubelet configuration file: $file" + else + warn "$check_4_1_10" + warn " * Wrong ownership for $file" + fi +else + info "$check_4_1_10" + info " * kubelet configuration file not set" +fi + +info "4.2 - Kubelet" + +#todo review all audits +check_4_2_1="4.2.1 - Ensure that the anonymous-auth argument is set to false (Automated)" +if check_argument "$CIS_KUBELET_CMD" '--anonymous-auth=false' >/dev/null 2>&1; then + pass "$check_4_2_1" +else + warn "$check_4_2_1" +fi + +check_4_2_2="4.2.2 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" +if check_argument "$CIS_KUBELET_CMD" '--authorization-mode=AlwaysAllow' >/dev/null 2>&1; then + warn "$check_4_2_2" +else + pass "$check_4_2_2" +fi + +check_4_2_3="4.2.3 - Ensure that the --client-ca-file argument is set as appropriate (Automated)" +if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then + cafile=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file') + pass "$check_4_2_3" + pass " * client-ca-file: $cafile" +else + warn "$check_4_2_3" +fi + +check_4_2_4="4.2.4 - Ensure that the --read-only-port argument is set to 0 (Manual)" +if check_argument "$CIS_KUBELET_CMD" '--read-only-port' >/dev/null 2>&1; then + port=$(get_argument_value "$CIS_KUBELET_CMD" '--read-only-port' | cut -d " " -f 1) + if [ $port = "0" ]; then + pass "$check_4_2_4" 
+ else + warn "$check_4_2_4" + warn " * read-only-port: $port" + fi +else + warn "$check_4_2_4" +fi + +check_4_2_5="4.2.5 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)" +if check_argument "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout=0' >/dev/null 2>&1; then + timeout=$(get_argument_value "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout') + warn "$check_4_2_5" + warn " * streaming-connection-idle-timeout: $timeout" +else + pass "$check_4_2_5" +fi + +check_4_2_6="4.2.6 - Ensure that the --protect-kernel-defaults argument is set to true (Automated)" +if check_argument "$CIS_KUBELET_CMD" '--protect-kernel-defaults=true' >/dev/null 2>&1; then + pass "$check_4_2_6" +else + warn "$check_4_2_6" +fi + +check_4_2_7="4.2.7 - Ensure that the --make-iptables-util-chains argument is set to true (Automated)" +if check_argument "$CIS_KUBELET_CMD" '--make-iptables-util-chains=true' >/dev/null 2>&1; then + pass "$check_4_2_7" +else + warn "$check_4_2_7" +fi + +check_4_2_8="4.2.8 - Ensure that the --hostname-override argument is not set (Manual)" +if check_argument "$CIS_KUBELET_CMD" '--hostname-override' >/dev/null 2>&1; then + warn "$check_4_2_8" +else + pass "$check_4_2_8" +fi + +check_4_2_9="4.2.9 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)" +if check_argument "$CIS_KUBELET_CMD" '--event-qps=0' >/dev/null 2>&1; then + pass "$check_4_2_9" +else + warn "$check_4_2_9" +fi + +check_4_2_10="4.2.10 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)" +if check_argument "$CIS_KUBELET_CMD" '--tls-cert-file' >/dev/null 2>&1; then + if check_argument "$CIS_KUBELET_CMD" '--tls-private-key-file' >/dev/null 2>&1; then + cfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-cert-file') + kfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-private-key-file') + pass "$check_4_2_10" + pass " * tls-cert-file: $cfile" + 
pass " * tls-private-key-file: $kfile" + else + warn "$check_4_2_10" + fi +else + warn "$check_4_2_10" +fi + +check_4_2_11="4.2.11 - Ensure that the --rotate-certificates argument is not set to false (Manual)" +if check_argument "$CIS_KUBELET_CMD" '--event-qps' >/dev/null 2>&1; then + event=$(get_argument_value "$CIS_KUBELET_CMD" '--event-qps' | cut -d " " -f 1) + if [ $event = "0" ]; then + pass "$check_4_2_11" + else + warn "$check_4_2_11" + warn " * event-qps: $event" + fi +else + warn "$check_4_2_11" +fi + +check_4_2_12="4.2.12 - Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)" +file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" +found=$(sed -rn '/--feature-gates=RotateKubeletServerCertificate=true/p' $file) +if [ -z "$found" ]; then + warn "$check_4_2_12" +else + pass "$check_4_2_12" +fi + +check_4_2_13="4.2.13 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)" +if check_argument "$CIS_KUBELET_CMD" '--cadvisor-port' >/dev/null 2>&1; then + port=$(get_argument_value "$CIS_KUBELET_CMD" '--cadvisor-port' | cut -d " " -f 1) + if [ $port = "0" ]; then + pass "$check_4_2_13" + else + warn "$check_4_2_13" + warn " * cadvisor-port: $port" + fi +else + warn "$check_4_2_13" +fi + diff --git a/src/__init__.py b/src/__init__.py new file mode 100755 index 0000000..e69de29 diff --git a/src/checks/__init__.py b/src/checks/__init__.py new file mode 100755 index 0000000..33ebec2 --- /dev/null +++ b/src/checks/__init__.py @@ -0,0 +1,2 @@ +from .check import * +from .file_checks import * \ No newline at end of file 
diff --git a/src/checks/__pycache__/__init__.cpython-313.pyc b/src/checks/__pycache__/__init__.cpython-313.pyc new file mode 100644 index 0000000000000000000000000000000000000000..72142788f6c27bdcf9e2be75a020ba4ce9aad569 GIT binary patch literal 222 zcmey&%ge<81iBLb83sW5F^B^LOi;#W2_R!CLoh=yqc?*&lLCar2x6r(X)?cL1WIc% z-eT19(`35Enw*iEoPCQsEi)%I9?ULY$?zFu(k&1D+`JO~Wc|?M)S_bjfYg+teEp)- zg8X9r?9!yvqP*0S)MDM_%wpZ7)V$=3+{B`6{oo27~M`<^~cUm>C%v?=XnmWsoXj2l4@^C^)kK literal 0 HcmV?d00001 diff --git a/src/checks/__pycache__/check.cpython-313.pyc b/src/checks/__pycache__/check.cpython-313.pyc new file mode 100644 index 0000000000000000000000000000000000000000..e8d75045879ddf11dfce7de2df463242925a5dbf GIT binary patch literal 2209 zcmcImO>7%g5Poa#uK(@)*!gkdu%)zN5veO^kZ7Z*5-p-cbwjq1f?{dotT&09&2D(R zhL%GWkpn?WNiUJg2?=rOt(-W(fg_wq6ros;93sJ`;^H=nxH9wBc7BBDiHY`mGxO&C z&7X6SNJI(HU)fs=zlntWfkKl&=5+7|44XtFnlMJ*7pS0+9`Z8L0$HL3hXcM54QOI9 za4DckS#n3D!FgE?J;fg1`p?6~>G>a0m^(=**6qv8(Dnzpg9RHBP{ml}Bk-Rb(nh2?uJ ztm_rK;^{g|a!+4q%6PDQ9$zc;+Cl?br9 zL9MsFMaXn32{551Xm-phChjWk0UoU>O_$2*(-*k;IlB;9?8R?i0{DSMaH^&Hx z5v&$y$)Dz~-(5Bh`0-G9#wisW{B9fO>&m?2DXPq(6}PG5-e!^8_m<7;lsc4&95qM9BRuo)>K489}U%3!;#ISUn^# H@J;>!kwva5 literal 0 HcmV?d00001 
diff --git a/src/checks/__pycache__/file_checks.cpython-313.pyc b/src/checks/__pycache__/file_checks.cpython-313.pyc new file mode 100644 index 0000000000000000000000000000000000000000..b278f5cc7827b13f20504c84c73a5d12baa09d2d GIT binary patch literal 3307 zcmeHJ%}*Og6rZ(s*Pna@FyR|RpkyO~6Dgrh(xOU5L^TqjY%HP1?aHwiSTJicvkr+O zMW{VAQ4=9mib~W&dg!5?8uhQ}F+d}%Q6p7qFS((Zil~?Ny;*+%rQCY!Al|(9=EE~@ z-uwNwSW^=u(7dOv&J}%x{DwxkDJ7*i3Cd%l6I~i7l;|GaJ1)gN)DuOYJnoIlRF0As z(o1xujp%C9bHVGbrHb(S!0X@VRc9qF@Cv6)yplj_5?4N$GtQSY9vJ0IFJxwN~7 zD=UZj80=5sI7vb!oluW1QExv<%1K4{48T}Y1u*hjQ5Zyd9-=A=m%Eyk>zEzb1{VneuM%)k&28;hyi zMk<@lEt?rmtnc6onup6`Ftl%shG7-00g=XAV)MX1UZoEHiz6ULq{rks^lrPRB*-T+ zfk-C2XGuaHm4>A#nXb>`I?<-1*-~r?nI-GegeG%^<(Ev#{f1%LmSY$+08=SGtfq3A znc11@Nw}P%vy7_?%c2h$Mmn2f%rKY=^P|{S_;_s5c4FyRf|-=XCd~}Z#i+TIW3h$& z4U^iYW3s`t#RhMfc6x3xMHga>rekS*LKed~7_L6FbcddReR;6hDI)KPCw>h2BH$ zbjeP^oLO?c63r=y_2D*!Z+)o2uKq(VFfWu|wY+;~5Ry(xkZfhDu*#`Ru45{Qrh8z= z+Ok#cb?-$_^uRnwV&OY*>iX)6vIZG*>=~yT$}_9It_;ErY-zfFs;TNNYnLt&l7d_7 zD%_}YhpWDWcM_xJB@kQ9H!;R#3(9xh!~M*>Wm3zz!+nb;W2ss5&xlB|Gf~WksGW17 zGr7E-vHpUCT+>24V3@bfbl!o&^5htomr~9gSIyfNbC^hLD8ePkSBeMXs^M4;RHV$D zl*4_@F&1+f)6IMj#T)a0$VPNCeD!FQHly1+mACoHqmmK^a0dGl#0n{d>Q+ZqM+)JF z-|J4SEwD*iyX$v1!%hP^7ST&u--a2-nvNDzV+1XaibFdyjw{(M7Tpa)qG zBvm~KGy(YzG!fcI6JbFUHT!6ymN#JXTwS&SA?K_mmnAgV)XmZwgPJ$<7Bw?Q-pW9@ zD(0+}p$K>s(^2yZWai<@FwU-8I9ZSg)FPpmK~$IoF%OGCFi9MgLremp>xly?cuSF;jy3kw&Tf-cyenvc??4+`xrt*2X8K7 zLC>Ie9&fS_r-#vr0+6Wy36A#bu nv^!o&l8P#kf-gzSOVY6`cS~Js{ksIZ-BGC*jL07ZI^MxdZ3<1I!l zKOo6kP?VWhvXbF5NXsn`{oK3~{bc>n;?$yI{eaYzqI~_L)PnqC{p`}D)S|r9lGI|| zC%v?=pxKu>m;%p};X1 literal 0 HcmV?d00001 
diff --git a/src/helper/__pycache__/print.cpython-313.pyc b/src/helper/__pycache__/print.cpython-313.pyc new file mode 100644 index 0000000000000000000000000000000000000000..afc0aaa53bde3bc3709c2c24f4ef0c059392b5c7 GIT binary patch literal 1911 zcmb_c&2Jk;6rZ)%yWVx|G)>#2aR>vUw5B9ZlR%+RMAQ=D)E^Oxn+hi?oAqG3S?^ji z>je9hqa$&R6mC8SsfQr(2js>z7bLR{r~>|gKm=#rti2%#aO;!i&HLKlyf^dS9!H}p z0$P13S7s7IzjDPVxhEWd2*Nhf5Jj3m1uZ}WT95`ck&0S~hBS#vnmmH2tVK0tIjpI$ zBFoCGr1g!UC*l)s`i9wUzqiU8DDtY7j9RZV!SX_HT<0TF2V}J zI=%sH8x;iDJSqfyDF&I&1m5a-Fe;%$AY1s(*6WU41r$R!%?8$sdd*?j zv2l&s4y1%>-LfiH=^rRIiSOIiFPmRG*dz|e>p}An18QWLnf3-Q+8Y*b*mVl^Chy(n zfCgcVuu1slh2HK2Rucg?RHIP3E3KNvhPm+#I_A&pew3_QPSQx`8C+X(krb(&q@-rE z zkN_+q{)v=Oh{B+ttQ%$o9tG{dG~Z1xqhwu5_`D^{#8?50#mW#@A%u2|C<18s3m z(?HwMsRi27+$Y%;SHKC$>q(+SIxR-FHx{V&%!B`w?IOn3T%}BaVf9M zReB>zimt@GbX>)2p~qELa-%0+PgT1Sp4{j69@iL0#XeE~+jbSNt5Z-59Rqy`7W*F9 zChDmDKSl>S!y{X%PBhjTd8K`=J+vzv48PGzJy!>xfp2tdEAvxy;PB;ZJLUG;cdzda zAB^7F$~=o+?3&6?*LTYYqqkd`=jsLi!PWTI0({Vkk8dqNR40DDwQwY%$l%Y>!NalF zb{@4KKAqov=O8}2mHrRY;rXam`ZrN&Ew{2e@9x}eSKE*GKHE$03;WmiuO6rmeh|~% z2quErY&H?0yf}J=v&)?EKBa@edXLbcm$-$unHyvdb%QYP-mOqRs2)`J(!%do?PA>| zAJA990rQGj2G~(h5CkYky|O8Fl*|9eE^bPHh^i3!eHaTFVJCQm_}(_U``-9pp6(s@ EH)cWFzyJUM literal 0 HcmV?d00001 diff --git a/src/helper/print.py b/src/helper/print.py new file mode 100755 index 0000000..e61f090 --- /dev/null +++ b/src/helper/print.py 
@@ -0,0 +1,55 @@
+#!/bin/env python3
+
+bldred = '\033[1;31m'
+bldgrn = '\033[1;32m'
+bldblu = '\033[1;34m'
+bldylw = '\033[1;33m'
+bldcyn = '\033[1;36m'
+bldgry = '\033[1;37m'
+txtrst = '\033[0m'
+
+def PrintHeader():
+    print(f'''{bldylw}# ------------------------------------------------------------------------------
+# Kubernetes CIS benchmark
+#
+# NeuVector, Inc. (c) 2020-
+#
+# NeuVector delivers an application and network intelligent container security
+# solution that automatically adapts to protect running containers. Don’t let
+# security concerns slow down your CI/CD processes.
+# ------------------------------------------------------------------------------
+''')
+
+def PrintInfo(severity: str, message: str, level: int =None, automated=None, scored=None):
+    match level:
+        case None:
+            level_msg = ""
+        case _:
+            level_msg = f"[Level {level}]"
+
+    match automated:
+        case None:
+            automated_msg = ""
+        case True:
+            automated_msg = f"{bldcyn}[Automated]{txtrst}"
+        case False:
+            automated_msg = f"{bldcyn}[Manual]{txtrst}"
+
+    match scored:
+        case None:
+            scored_msg = ""
+        case True:
+            scored_msg = f"[Scored]"
+        case False:
+            scored_msg = f"[Not Scored]"
+
+
+    match severity:
+        case "info":
+            severity_msg = f"{bldblu}[INFO]{txtrst}"
+        case "pass":
+            severity_msg = f"{bldgrn}[PASS]{txtrst}"
+        case "warn":
+            severity_msg = f"{bldred}[WARN]{txtrst}"
+
+    print(f"{severity_msg}{level_msg}{automated_msg}{scored_msg} {message}")
From 6dd24c49cdfa7001a6a7352678332b70f0afe106 Mon Sep 17 00:00:00 2001
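Review bot: `PrintInfo`'s `match severity` has no fallback arm, so any value other than `"info"`, `"pass"` or `"warn"` leaves `severity_msg` unassigned and the final `print` fails with `UnboundLocalError` rather than a message naming the bad argument. Add `case _: raise ValueError(f"unknown severity: {severity!r}")` as the last arm; the `automated` and `scored` matches have the same gap for any value that is not `None`, `True` or `False`. The signature `level: int =None` should read `level: int | None = None`, and `f"[Scored]"` / `f"[Not Scored]"` are f-strings with no placeholders. The ANSI colour codes are emitted unconditionally, so a report redirected to a file carries escape sequences; gating them on `sys.stdout.isatty()` (or a `--no-color` flag) would keep piped output clean.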
From: ppastorf Date: Sun, 15 Jun 2025 18:43:28 -0300 Subject: [PATCH 2/3] Remove pycache files --- src/checks/__pycache__/__init__.cpython-313.pyc | Bin 222 -> 0 bytes src/checks/__pycache__/check.cpython-313.pyc | Bin 2209 -> 0 bytes .../__pycache__/file_checks.cpython-313.pyc | Bin 3307 -> 0 bytes src/helper/__pycache__/__init__.cpython-313.pyc | Bin 196 -> 0 bytes src/helper/__pycache__/print.cpython-313.pyc | Bin 1911 -> 0 bytes 5 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 src/checks/__pycache__/__init__.cpython-313.pyc delete mode 100644 src/checks/__pycache__/check.cpython-313.pyc delete mode 100644 src/checks/__pycache__/file_checks.cpython-313.pyc delete mode 100644 src/helper/__pycache__/__init__.cpython-313.pyc delete mode 100644 src/helper/__pycache__/print.cpython-313.pyc diff --git a/src/checks/__pycache__/__init__.cpython-313.pyc b/src/checks/__pycache__/__init__.cpython-313.pyc deleted file mode 100644 index 72142788f6c27bdcf9e2be75a020ba4ce9aad569..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 222 zcmey&%ge<81iBLb83sW5F^B^LOi;#W2_R!CLoh=yqc?*&lLCar2x6r(X)?cL1WIc% z-eT19(`35Enw*iEoPCQsEi)%I9?ULY$?zFu(k&1D+`JO~Wc|?M)S_bjfYg+teEp)- zg8X9r?9!yvqP*0S)MDM_%wpZ7)V$=3+{B`6{oo27~M`<^~cUm>C%v?=XnmWsoXj2l4@^C^)kK 
diff --git a/src/checks/__pycache__/check.cpython-313.pyc b/src/checks/__pycache__/check.cpython-313.pyc deleted file mode 100644 index e8d75045879ddf11dfce7de2df463242925a5dbf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2209 zcmcImO>7%g5Poa#uK(@)*!gkdu%)zN5veO^kZ7Z*5-p-cbwjq1f?{dotT&09&2D(R zhL%GWkpn?WNiUJg2?=rOt(-W(fg_wq6ros;93sJ`;^H=nxH9wBc7BBDiHY`mGxO&C z&7X6SNJI(HU)fs=zlntWfkKl&=5+7|44XtFnlMJ*7pS0+9`Z8L0$HL3hXcM54QOI9 za4DckS#n3D!FgE?J;fg1`p?6~>G>a0m^(=**6qv8(Dnzpg9RHBP{ml}Bk-Rb(nh2?uJ ztm_rK;^{g|a!+4q%6PDQ9$zc;+Cl?br9 zL9MsFMaXn32{551Xm-phChjWk0UoU>O_$2*(-*k;IlB;9?8R?i0{DSMaH^&Hx z5v&$y$)Dz~-(5Bh`0-G9#wisW{B9fO>&m?2DXPq(6}PG5-e!^8_m<7;lsc4&95qM9BRuo)>K489}U%3!;#ISUn^# H@J;>!kwva5 
diff --git a/src/checks/__pycache__/file_checks.cpython-313.pyc b/src/checks/__pycache__/file_checks.cpython-313.pyc deleted file mode 100644 index b278f5cc7827b13f20504c84c73a5d12baa09d2d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3307 zcmeHJ%}*Og6rZ(s*Pna@FyR|RpkyO~6Dgrh(xOU5L^TqjY%HP1?aHwiSTJicvkr+O zMW{VAQ4=9mib~W&dg!5?8uhQ}F+d}%Q6p7qFS((Zil~?Ny;*+%rQCY!Al|(9=EE~@ z-uwNwSW^=u(7dOv&J}%x{DwxkDJ7*i3Cd%l6I~i7l;|GaJ1)gN)DuOYJnoIlRF0As z(o1xujp%C9bHVGbrHb(S!0X@VRc9qF@Cv6)yplj_5?4N$GtQSY9vJ0IFJxwN~7 zD=UZj80=5sI7vb!oluW1QExv<%1K4{48T}Y1u*hjQ5Zyd9-=A=m%Eyk>zEzb1{VneuM%)k&28;hyi zMk<@lEt?rmtnc6onup6`Ftl%shG7-00g=XAV)MX1UZoEHiz6ULq{rks^lrPRB*-T+ zfk-C2XGuaHm4>A#nXb>`I?<-1*-~r?nI-GegeG%^<(Ev#{f1%LmSY$+08=SGtfq3A znc11@Nw}P%vy7_?%c2h$Mmn2f%rKY=^P|{S_;_s5c4FyRf|-=XCd~}Z#i+TIW3h$& z4U^iYW3s`t#RhMfc6x3xMHga>rekS*LKed~7_L6FbcddReR;6hDI)KPCw>h2BH$ zbjeP^oLO?c63r=y_2D*!Z+)o2uKq(VFfWu|wY+;~5Ry(xkZfhDu*#`Ru45{Qrh8z= z+Ok#cb?-$_^uRnwV&OY*>iX)6vIZG*>=~yT$}_9It_;ErY-zfFs;TNNYnLt&l7d_7 zD%_}YhpWDWcM_xJB@kQ9H!;R#3(9xh!~M*>Wm3zz!+nb;W2ss5&xlB|Gf~WksGW17 zGr7E-vHpUCT+>24V3@bfbl!o&^5htomr~9gSIyfNbC^hLD8ePkSBeMXs^M4;RHV$D zl*4_@F&1+f)6IMj#T)a0$VPNCeD!FQHly1+mACoHqmmK^a0dGl#0n{d>Q+ZqM+)JF z-|J4SEwD*iyX$v1!%hP^7ST&u--a2-nvNDzV+1XaibFdyjw{(M7Tpa)qG zBvm~KGy(YzG!fcI6JbFUHT!6ymN#JXTwS&SA?K_mmnAgV)XmZwgPJ$<7Bw?Q-pW9@ zD(0+}p$K>s(^2yZWai<@FwU-8I9ZSg)FPpmK~$IoF%OGCFi9MgLremp>xly?cuSF;jy3kw&Tf-cyenvc??4+`xrt*2X8K7 zLC>Ie9&fS_r-#vr0+6Wy36A#bu nv^!o&l8P#kf-gzSOVY6`cS~Js{ksIZ-BGC*jL07ZI^MxdZ3<1I!l zKOo6kP?VWhvXbF5NXsn`{oK3~{bc>n;?$yI{eaYzqI~_L)PnqC{p`}D)S|r9lGI|| zC%v?=pxKu>m;%p};X1 
diff --git a/src/helper/__pycache__/print.cpython-313.pyc b/src/helper/__pycache__/print.cpython-313.pyc deleted file mode 100644 index afc0aaa53bde3bc3709c2c24f4ef0c059392b5c7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1911 zcmb_c&2Jk;6rZ)%yWVx|G)>#2aR>vUw5B9ZlR%+RMAQ=D)E^Oxn+hi?oAqG3S?^ji z>je9hqa$&R6mC8SsfQr(2js>z7bLR{r~>|gKm=#rti2%#aO;!i&HLKlyf^dS9!H}p z0$P13S7s7IzjDPVxhEWd2*Nhf5Jj3m1uZ}WT95`ck&0S~hBS#vnmmH2tVK0tIjpI$ zBFoCGr1g!UC*l)s`i9wUzqiU8DDtY7j9RZV!SX_HT<0TF2V}J zI=%sH8x;iDJSqfyDF&I&1m5a-Fe;%$AY1s(*6WU41r$R!%?8$sdd*?j zv2l&s4y1%>-LfiH=^rRIiSOIiFPmRG*dz|e>p}An18QWLnf3-Q+8Y*b*mVl^Chy(n zfCgcVuu1slh2HK2Rucg?RHIP3E3KNvhPm+#I_A&pew3_QPSQx`8C+X(krb(&q@-rE z zkN_+q{)v=Oh{B+ttQ%$o9tG{dG~Z1xqhwu5_`D^{#8?50#mW#@A%u2|C<18s3m z(?HwMsRi27+$Y%;SHKC$>q(+SIxR-FHx{V&%!B`w?IOn3T%}BaVf9M zReB>zimt@GbX>)2p~qELa-%0+PgT1Sp4{j69@iL0#XeE~+jbSNt5Z-59Rqy`7W*F9 zChDmDKSl>S!y{X%PBhjTd8K`=J+vzv48PGzJy!>xfp2tdEAvxy;PB;ZJLUG;cdzda zAB^7F$~=o+?3&6?*LTYYqqkd`=jsLi!PWTI0({Vkk8dqNR40DDwQwY%$l%Y>!NalF zb{@4KKAqov=O8}2mHrRY;rXam`ZrN&Ew{2e@9x}eSKE*GKHE$03;WmiuO6rmeh|~% z2quErY&H?0yf}J=v&)?EKBa@edXLbcm$-$unHyvdb%QYP-mOqRs2)`J(!%do?PA>| zAJA990rQGj2G~(h5CkYky|O8Fl*|9eE^bPHh^i3!eHaTFVJCQm_}(_U``-9pp6(s@ EH)cWFzyJUM From cdc316ded4ff38518d39bc262649d2188add9464 Mon Sep 17 00:00:00 2001 
From: ppastorf Date: Sun, 15 Jun 2025 18:44:15 -0300 Subject: [PATCH 3/3] Remove unecessary files --- .../master-old/1_control_plane_components.sh | 724 ------------------ 1.6.0-rework/master-old/2_etcd.sh | 81 -- .../3_control_plane_configuration.sh | 24 - 1.6.0-rework/master-old/5_policies.sh | 99 --- 1.6.0-rework/worker-old/4_worker_nodes.sh | 277 ------- 5 files changed, 1205 deletions(-) delete mode 100644 1.6.0-rework/master-old/1_control_plane_components.sh delete mode 100644 1.6.0-rework/master-old/2_etcd.sh delete mode 100644 1.6.0-rework/master-old/3_control_plane_configuration.sh delete mode 100644 1.6.0-rework/master-old/5_policies.sh delete mode 100644 1.6.0-rework/worker-old/4_worker_nodes.sh diff --git a/1.6.0-rework/master-old/1_control_plane_components.sh b/1.6.0-rework/master-old/1_control_plane_components.sh deleted file mode 100644 index 7598914..0000000 --- a/1.6.0-rework/master-old/1_control_plane_components.sh +++ /dev/null 
@@ -1,724 +0,0 @@ -info "1 - Control Plane Components" - -info "1.1 - Master Node Configuration Files" - -check_1_1_1="1.1.1 - Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)" -if [ -f "/etc/kubernetes/manifests/kube-apiserver.manifest" ]; then - # kops - file="/etc/kubernetes/manifests/kube-apiserver.manifest" -else - file="/etc/kubernetes/manifests/kube-apiserver.yaml" -fi -if [ -f $file ]; then - if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then - pass "$check_1_1_1" - else - warn "$check_1_1_1" - warn " * Wrong permissions for $file" - fi -else - info "$check_1_1_1" - info " * File not found" -fi - -check_1_1_2="1.1.2 - Ensure that the API server pod specification file ownership is set to root:root (Automated)" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_1_1_2" - else - warn "$check_1_1_2" - warn " * Wrong ownership for $file" - fi -else - info "$check_1_1_2" -fi - -check_1_1_3="1.1.3 - Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)" -if [ -f "/etc/kubernetes/manifests/kube-controller-manager.manifest" ]; then - # kops - file="/etc/kubernetes/manifests/kube-controller-manager.manifest" -else - file="/etc/kubernetes/manifests/kube-controller-manager.yaml" -fi - -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then - pass "$check_1_1_3" - else - warn "$check_1_1_3" - warn " * Wrong permissions for $file" - fi -else - info "$check_1_1_3" - info " * File not found" -fi - -check_1_1_4="1.1.4 - Ensure that the controller manager pod specification file ownership is set to root:root (Automated)" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_1_1_4" - else - warn "$check_1_1_4" - warn " * Wrong ownership for $file" - fi 
-else - info "$check_1_1_4" -fi - -check_1_1_5="1.1.5 - Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated)" -if [ -f "/etc/kubernetes/manifests/kube-scheduler.yaml" ]; then - file="/etc/kubernetes/manifests/kube-scheduler.yaml" -else - # kops - file="/etc/kubernetes/manifests/kube-scheduler.manifest" -fi - -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then - pass "$check_1_1_5" - else - warn "$check_1_1_5" - warn " * Wrong permissions for $file" - fi -else - info "$check_1_1_5" - info " * File not found" -fi - -check_1_1_6="1.1.6 - Ensure that the scheduler pod specification file ownership is set to root:root (Automated)" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_1_1_6" - else - warn "$check_1_1_6" - warn " * Wrong ownership for $file" - fi -else - info "$check_1_1_6" -fi - -check_1_1_7="1.1.7 - Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated)" -if [ -f "/etc/kubernetes/manifests/etcd.yaml" ]; then - file="/etc/kubernetes/manifests/etcd.yaml" -else - # kops - file="/etc/kubernetes/manifests/etcd.manifest" -fi - -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then - pass "$check_1_1_7" - else - warn "$check_1_1_7" - warn " * Wrong permissions for $file" - fi -else - info "$check_1_1_7" - info " * File not found" -fi - -check_1_1_8="1.1.8 - Ensure that the etcd pod specification file ownership is set to root:root (Automated)" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_1_1_8" - else - warn "$check_1_1_8" - warn " * Wrong ownership for $file" - fi -else - info "$check_1_1_8" -fi - -#todo find CNI file location -check_1_1_9="1.1.9 - Ensure that the Container Network Interface file permissions are set to 644 or 
more restrictive (Manual)" -info "$check_1_1_9 - Audit: - Run the below command (based on the file location on your system) on the master node. For example, - stat -c %a - Verify that the permissions are 644 or more restrictive." - -check_1_1_10="1.1.10 - Ensure that the Container Network Interface file ownership is set to root:root (Manual)" -info "$check_1_1_10 - Audit: - Run the below command (based on the file location on your system) on the master node. For example, - stat -c %U:%G - Verify that the ownership is set to root:root." - -check_1_1_11="1.1.11 - Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" -file="" -if check_argument "$CIS_ETCD_CMD" '--data-dir' >/dev/null 2>&1; then - file=$(get_argument_value "$CIS_ETCD_CMD" '--data-dir'|cut -d " " -f 1) -fi -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 700 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then - pass "$check_1_1_11" - else - warn "$check_1_1_11" - warn " * Wrong permissions for $file" - fi -else - info "$check_1_1_11" - info " * etcd data directory not found." -fi - -check_1_1_12="1.1.12 - Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)" -if [ -f "$file" ]; then - if [ "$(stat -c %U:%G $file)" = "etcd:etcd" ]; then - pass "$check_1_1_12" - else - warn "$check_1_1_12" - warn " * Wrong permissions for $file" - fi -else - info "$check_1_1_12" - info " * etcd data directory not found." 
-fi - -check_1_1_13="1.1.13 - Ensure that the admin.conf file permissions are set to 644 or more restrictive (Automated)" -file="/etc/kubernetes/admin.conf" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then - pass "$check_1_1_13" - else - warn "$check_1_1_13" - warn " * Wrong permissions for $file" - fi -else - info "$check_1_1_13" - info " * File not found" -fi - -check_1_1_14="1.1.14 - Ensure that the admin.conf file ownership is set to root:root (Automated)" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_1_1_14" - else - warn "$check_1_1_14" - warn " * Wrong ownership for $file" - fi -else - info "$check_1_1_14" -fi - -check_1_1_15="1.1.15 - Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated)" -file="/etc/kubernetes/scheduler.conf" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then - pass "$check_1_1_15" - else - warn "$check_1_1_15" - warn " * Wrong permissions for $file" - fi -else - info "$check_1_1_15" - info " * File not found" -fi - -check_1_1_16="1.1.16 - Ensure that the scheduler.conf file ownership is set to root:root (Automated)" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_1_1_16" - else - warn "$check_1_1_16" - warn " * Wrong ownership for $file" - fi -else - info "$check_1_1_16" -fi - -check_1_1_17="1.1.17 - Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated)" -file="/etc/kubernetes/controller-manager.conf" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then - pass "$check_1_1_17" - else - warn "$check_1_1_17" - warn " * Wrong permissions for $file" - fi -else - info "$check_1_1_17" - info " * File not found" -fi - 
-check_1_1_18="1.1.18 - Ensure that the controller-manager.conf file ownership is set to root:root (Automated)" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_1_1_18" - else - warn "$check_1_1_18" - warn " * Wrong ownership for $file" - fi -else - info "$check_1_1_18" -fi - -check_1_1_19="1.1.19 - Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated)" -file="/etc/kubernetes/pki/" -files=$(find $file) -pass=true -for f in ${files}; do - if [ "$(stat -c %u%g $f)" != 00 ]; then - pass=false; - break; - fi -done - -if [ "$pass" = "true" ]; then - pass "$check_1_1_19" -else - warn "$check_1_1_19" -fi - -check_1_1_20="1.1.20 - Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Manual)" -files=$(find $file -name "*.crt") -pass=true -for f in ${files}; do - if ! [ "$(stat -c %a $f)" -eq 644 -o "$(stat -c %a $f)" -eq 600 -o "$(stat -c %a $f)" -eq 400 ]; then - pass=false; - break; - fi -done - -if [ "$pass" = "true" ]; then - pass "$check_1_1_20" -else - warn "$check_1_1_20" -fi - -check_1_1_21="1.1.21 - Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" -files=$(find $file -name "*.key") -pass=true -for f in ${files}; do - if ! 
[ "$(stat -c %a $f)" -eq 600 ]; then - pass=false; - break; - fi -done - -if [ "$pass" = "true" ]; then - pass "$check_1_1_21" -else - warn "$check_1_1_21" -fi - -info "1.2 - API Server" - -check_1_2_1="1.2.1 - Ensure that the --anonymous-auth argument is set to false (Manual)" -if check_argument "$CIS_APISERVER_CMD" '--anonymous-auth=false' >/dev/null 2>&1; then - pass "$check_1_2_1" -else - warn "$check_1_2_1" -fi - -check_1_2_2="1.2.2 - Ensure that the --basic-auth-file argument is not set (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--basic-auth-file' >/dev/null 2>&1; then - warn "$check_1_2_2" -else - pass "$check_1_2_2" -fi - -check_1_2_3="1.2.3 - Ensure that the --token-auth-file parameter is not set (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--token-auth-file' >/dev/null 2>&1; then - warn "$check_1_2_3" -else - pass "$check_1_2_3" -fi - -check_1_2_4="1.2.4 - Ensure that the --kubelet-https argument is set to true (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--kubelet-https=false' >/dev/null 2>&1; then - warn "$check_1_2_4" -else - pass "$check_1_2_4" -fi - -check_1_2_5="1.2.5 - Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--kubelet-client-certificate' >/dev/null 2>&1; then - if check_argument "$CIS_APISERVER_CMD" '--kubelet-client-key' >/dev/null 2>&1; then - certificate=$(get_argument_value "$CIS_APISERVER_CMD" '--kubelet-client-certificate') - key=$(get_argument_value "$CIS_APISERVER_CMD" '--kubelet-client-key') - pass "$check_1_2_5" - pass " * kubelet-client-certificate: $certificate" - pass " * kubelet-client-key: $key" - else - warn "$check_1_2_5" - fi -else - warn "$check_1_2_5" -fi - -check_1_2_6="1.2.6 - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--kubelet-certificate-authority' >/dev/null 2>&1; then - pass "$check_1_2_6" 
-else - warn "$check_1_2_6" -fi - -check_1_2_7="1.2.7 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)" -if get_argument_value "$CIS_APISERVER_CMD" '--authorization-mode'| grep 'AlwaysAllow' >/dev/null 2>&1; then - warn "$check_1_2_7" -else - pass "$check_1_2_7" -fi - -check_1_2_8="1.2.8 - Ensure that the --authorization-mode argument includes Node (Automated)" -if get_argument_value "$CIS_APISERVER_CMD" '--authorization-mode'| grep 'Node' >/dev/null 2>&1; then - pass "$check_1_2_8" -else - warn "$check_1_2_8" -fi - -check_1_2_9="1.2.9 - Ensure that the --authorization-mode argument includes RBAC (Automated)" -if get_argument_value "$CIS_APISERVER_CMD" '--authorization-mode'| grep 'RBAC' >/dev/null 2>&1; then - pass "$check_1_2_9" -else - warn "$check_1_2_9" -fi - -check_1_2_10="1.2.10 - Ensure that the admission control plugin EventRateLimit is set (Manual)" -if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'EventRateLimit' >/dev/null 2>&1; then - pass "$check_1_2_10" -else - warn "$check_1_2_10" -fi - -check_1_2_11="1.2.11 - Ensure that the admission control plugin AlwaysAdmit is not set (Automated)" -if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'AlwaysAdmit' >/dev/null 2>&1; then - warn "$check_1_2_11" -else - pass "$check_1_2_11" -fi - -check_1_2_12="1.2.12 - Ensure that the admission control plugin AlwaysPullImages is set (Manual)" -if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'AlwaysPullImages' >/dev/null 2>&1; then - pass "$check_1_2_12" -else - warn "$check_1_2_12" -fi - -check_1_2_13="1.2.13 - Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)" -if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'PodSecurityPolicy' >/dev/null 2>&1; then - pass "$check_1_2_13" -else - if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| 
grep 'SecurityContextDeny' >/dev/null 2>&1; then - pass "$check_1_2_13" - else - warn "$check_1_2_13" - fi -fi - -check_1_2_14="1.2.14 - Ensure that the admission control plugin ServiceAccount is set (Automated)" -if get_argument_value "$CIS_APISERVER_CMD" '--disable-admission-plugins'| grep 'ServiceAccount' >/dev/null 2>&1; then - warn "$check_1_2_14" -else - pass "$check_1_2_14" -fi - -check_1_2_15="1.2.15 - Ensure that the admission control plugin NamespaceLifecycle is set (Automated)" -if get_argument_value "$CIS_APISERVER_CMD" '--disable-admission-plugins'| grep 'NamespaceLifecycle' >/dev/null 2>&1; then - warn "$check_1_2_15" -else - pass "$check_1_2_15" -fi - -check_1_2_16="1.2.16 - Ensure that the admission control plugin PodSecurityPolicy is set (Automated)" -if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'PodSecurityPolicy' >/dev/null 2>&1; then - pass "$check_1_2_16" -else - warn "$check_1_2_16" -fi - -check_1_2_17="1.2.17 - Ensure that the admission control plugin NodeRestriction is set (Automated)" -if get_argument_value "$CIS_APISERVER_CMD" '--enable-admission-plugins'| grep 'NodeRestriction' >/dev/null 2>&1; then - pass "$check_1_2_17" -else - warn "$check_1_2_17" -fi - -check_1_2_18="1.2.18 - Ensure that the --insecure-bind-address argument is not set (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--insecure-bind-address' >/dev/null 2>&1; then - warn "$check_1_2_18" -else - pass "$check_1_2_18" -fi - -check_1_2_19="1.2.19 - Ensure that the --insecure-port argument is set to 0 (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--insecure-port' >/dev/null 2>&1; then - port=$(get_argument_value "$CIS_APISERVER_CMD" '--insecure-port'|cut -d " " -f 1) - if [ "$port" = "0" ]; then - pass "$check_1_2_19" - else - warn "$check_1_2_19" - warn " * insecure-port: $port" - fi -else - warn "$check_1_2_19" -fi - -check_1_2_20="1.2.20 - Ensure that the --secure-port argument is not set to 0 (Automated)" -if check_argument 
"$CIS_APISERVER_CMD" '--secure-port' >/dev/null 2>&1; then - port=$(get_argument_value "$CIS_APISERVER_CMD" '--secure-port'|cut -d " " -f 1) - if [ "$port" = "0" ]; then - warn "$check_1_2_20" - warn " * secure-port: $port" - else - pass "$check_1_2_20" - fi -else - pass "$check_1_2_20" -fi - -check_1_2_21="1.2.21 - Ensure that the --profiling argument is set to false (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--profiling=false' >/dev/null 2>&1; then - pass "$check_1_2_21" -else - warn "$check_1_2_21" -fi - -check_1_2_22="1.2.22 - Ensure that the --audit-log-path argument is set (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--audit-log-path' >/dev/null 2>&1; then - pass "$check_1_2_22" -else - warn "$check_1_2_22" -fi - -check_1_2_23="1.2.23 - Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--audit-log-maxage' >/dev/null 2>&1; then - maxage=$(get_argument_value "$CIS_APISERVER_CMD" '--audit-log-maxage'|cut -d " " -f 1) - if [ "$maxage" -ge "30" ]; then - pass "$check_1_2_23" - pass " * audit-log-maxage: $maxage" - else - warn "$check_1_2_23" - warn " * audit-log-maxage: $maxage" - fi -else - warn "$check_1_2_23" -fi - -check_1_2_24="1.2.24 - Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--audit-log-maxbackup' >/dev/null 2>&1; then - maxbackup=$(get_argument_value "$CIS_APISERVER_CMD" '--audit-log-maxbackup'|cut -d " " -f 1) - if [ "$maxbackup" -ge "10" ]; then - pass "$check_1_2_24" - pass " * audit-log-maxbackup: $maxbackup" - else - warn "$check_1_2_24" - warn " * audit-log-maxbackup: $maxbackup" - fi -else - warn "$check_1_2_24" -fi - -check_1_2_25="1.2.25 - Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--audit-log-maxsize' >/dev/null 2>&1; then - maxsize=$(get_argument_value "$CIS_APISERVER_CMD" 
'--audit-log-maxsize'|cut -d " " -f 1) - if [ "$maxsize" -ge "100" ]; then - pass "$check_1_2_25" - pass " * audit-log-maxsize: $maxsize" - else - warn "$check_1_2_25" - warn " * audit-log-maxsize: $maxsize" - fi -else - warn "$check_1_2_25" -fi - -check_1_2_26="1.2.26 - Ensure that the --request-timeout argument is set as appropriate (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--request-timeout' >/dev/null 2>&1; then - requestTimeout=$(get_argument_value "$CIS_APISERVER_CMD" '--request-timeout') - warn "$check_1_2_26" - warn " * request-timeout: $requestTimeout" -else - pass "$check_1_2_26" -fi - -check_1_2_27="1.2.27 - Ensure that the --service-account-lookup argument is set to true (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--service-account-lookup=false' >/dev/null 2>&1; then - warn "$check_1_2_27" -else - pass "$check_1_2_27" -fi - -check_1_2_28="1.2.28 - Ensure that the --service-account-key-file argument is set as appropriate (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--service-account-key-file' >/dev/null 2>&1; then - file=$(get_argument_value "$CIS_APISERVER_CMD" '--service-account-key-file') - pass "$check_1_2_28" - pass " * service-account-key-file: $file" -else - warn "$check_1_2_28" -fi - -check_1_2_29="1.2.29 - Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--etcd-certfile' >/dev/null 2>&1; then - if check_argument "$CIS_APISERVER_CMD" '--etcd-keyfile' >/dev/null 2>&1; then - certfile=$(get_argument_value "$CIS_APISERVER_CMD" '--etcd-certfile') - keyfile=$(get_argument_value "$CIS_APISERVER_CMD" '--etcd-keyfile') - pass "$check_1_2_29" - pass " * etcd-certfile: $certfile" - pass " * etcd-keyfile: $keyfile" - else - warn "$check_1_2_29" - fi -else - warn "$check_1_2_29" -fi - -check_1_2_30="1.2.30 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)" -if check_argument 
"$CIS_APISERVER_CMD" '--tls-cert-file' >/dev/null 2>&1; then - if check_argument "$CIS_APISERVER_CMD" '--tls-private-key-file' >/dev/null 2>&1; then - certfile=$(get_argument_value "$CIS_APISERVER_CMD" '--tls-cert-file') - keyfile=$(get_argument_value "$CIS_APISERVER_CMD" '--tls-private-key-file') - pass "$check_1_2_30" - pass " * tls-cert-file: $certfile" - pass " * tls-private-key-file: $keyfile" - else - warn "$check_1_2_30" - fi -else - warn "$check_1_2_30" -fi - -check_1_2_31="1.2.31 - Ensure that the --client-ca-file argument is set as appropriate (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--client-ca-file' >/dev/null 2>&1; then - cafile=$(get_argument_value "$CIS_APISERVER_CMD" '--client-ca-file') - pass "$check_1_2_31" - pass " * client-ca-file: $cafile" -else - warn "$check_1_2_31" -fi - -check_1_2_32="1.2.32 - Ensure that the --etcd-cafile argument is set as appropriate (Automated)" -if check_argument "$CIS_APISERVER_CMD" '--etcd-cafile' >/dev/null 2>&1; then - cafile=$(get_argument_value "$CIS_APISERVER_CMD" '--etcd-cafile') - pass "$check_1_2_32" - pass " * etcd-cafile: $cafile" -else - warn "$check_1_2_32" -fi - -check_1_2_33="1.2.33 - Ensure that the --encryption-provider-config argument is set as appropriate (Manual)" -if get_argument_value "$CIS_APISERVER_CMD" '--encryption-provider-config'| grep 'EncryptionConfig' >/dev/null 2>&1; then - pass "$check_1_2_33" -else - warn "$check_1_2_33" -fi - -check_1_2_34="1.2.34 - Ensure that encryption providers are appropriately configured (Manual)" -if check_argument "$CIS_APISERVER_CMD" '--encryption-provider-config' >/dev/null 2>&1; then - encryptionConfig=$(get_argument_value "$CIS_APISERVER_CMD" '--encryption-provider-config') - if [ -f "$encryptionConfig" ]; then - if [ $(grep -c "\- aescbc:\|\- kms:\|\- secretbox:" $encryptionConfig) -ne 0 ]; then - pass "$check_1_2_34" - else - warn "$check_1_2_34" - fi - else - warn "$check_1_2_34" - fi -else - warn "$check_1_2_34" -fi -#if 
get_argument_value "$CIS_APISERVER_CMD" '--experimental-encryption-provider-config'| grep 'EncryptionConfig' >/dev/null 2>&1; then -# encryptionConfig=$(get_argument_value "$CIS_APISERVER_CMD" '--experimental-encryption-provider-config') -# if sed ':a;N;$!ba;s/\n/ /g' $encryptionConfig |grep "providers:\s* - aescbc" >/dev/null 2>&1; then -# pass "$check_1_2_34" -# else -# warn "$check_1_2_34" -# fi -#else -# warn "$check_1_2_34" -#fi - -check_1_2_35="1.2.35 - Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)" -if check_argument "$CIS_APISERVER_CMD" '--tls-cipher-suites' >/dev/null 2>&1; then - ciphers=$(get_argument_value "$CIS_APISERVER_CMD" '--tls-cipher-suites'|cut -d " " -f 1) - found=$(echo $ciphers| sed -rn '/(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)/p') - if [ ! -z "$found" ]; then - pass "$check_1_2_35" - else - warn "$check_1_2_35" - fi -else - warn "$check_1_2_35" -fi - -info "1.3 - Controller Manager" - -check_1_3_1="1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Manual)" -# Filter out processes like "/bin/tee -a /var/log/kube-controller-manager.log" -# which exist on kops-managed clusters. 
-if check_argument "$CIS_MANAGER_CMD" '--terminated-pod-gc-threshold' >/dev/null 2>&1; then - threshold=$(get_argument_value "$CIS_MANAGER_CMD" '--terminated-pod-gc-threshold') - pass "$check_1_3_1" - pass " * terminated-pod-gc-threshold: $threshold" -else - warn "$check_1_3_1" -fi - -check_1_3_2="1.3.2 - Ensure that the --profiling argument is set to false (Automated)" -if check_argument "$CIS_MANAGER_CMD" '--profiling=false' >/dev/null 2>&1; then - pass "$check_1_3_2" -else - warn "$check_1_3_2" -fi - -check_1_3_3="1.3.3 - Ensure that the --use-service-account-credentials argument is set to true (Automated)" -if check_argument "$CIS_MANAGER_CMD" '--use-service-account-credentials=true' >/dev/null 2>&1; then - pass "$check_1_3_3" -else - warn "$check_1_3_3" -fi - -check_1_3_4="1.3.4 - Ensure that the --service-account-private-key-file argument is set as appropriate (Automated)" -if check_argument "$CIS_MANAGER_CMD" '--service-account-private-key-file' >/dev/null 2>&1; then - keyfile=$(get_argument_value "$CIS_MANAGER_CMD" '--service-account-private-key-file') - pass "$check_1_3_4" - pass " * service-account-private-key-file: $keyfile" -else - warn "$check_1_3_4" -fi - -check_1_3_5="1.3.5 - Ensure that the --root-ca-file argument is set as appropriate (Automated)" -if check_argument "$CIS_MANAGER_CMD" '--root-ca-file' >/dev/null 2>&1; then - cafile=$(get_argument_value "$CIS_MANAGER_CMD" '--root-ca-file') - pass "$check_1_3_5" - pass " * root-ca-file: $cafile" -else - warn "$check_1_3_5" -fi - -check_1_3_6="1.3.6 - Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)" -if check_argument "$CIS_MANAGER_CMD" '--feature-gates' >/dev/null 2>&1; then - serverCert=$(get_argument_value "$CIS_MANAGER_CMD" '--feature-gates') - found=$(echo $serverCert| grep 'RotateKubeletServerCertificate=true') - if [ ! 
-z $found ]; then - pass "$check_1_3_6" - else - warn "$check_1_3_6" - fi -else - warn "$check_1_3_6" -fi - -check_1_3_7="1.3.7 - Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" -if get_argument_value "$CIS_MANAGER_CMD" '--bind-address'| grep '127.0.0.1' >/dev/null 2>&1; then - pass "$check_1_3_7" -else - warn "$check_1_3_7" -fi - -info "1.4 - Scheduler" - -check_1_4_1="1.4.1 - Ensure that the --profiling argument is set to false (Automated)" -if check_argument "$CIS_SCHEDULER_CMD" '--profiling=false' >/dev/null 2>&1; then - pass "$check_1_4_1" -else - warn "$check_1_4_1" -fi - -check_1_4_2="1.4.2 - Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" -if get_argument_value "$CIS_SCHEDULER_CMD" '--bind-address'| grep '127.0.0.1' >/dev/null 2>&1; then - pass "$check_1_4_2" -else - warn "$check_1_4_2" -fi diff --git a/1.6.0-rework/master-old/2_etcd.sh b/1.6.0-rework/master-old/2_etcd.sh deleted file mode 100644 index 5bd6c30..0000000 --- a/1.6.0-rework/master-old/2_etcd.sh +++ /dev/null 
@@ -1,81 +0,0 @@
-info "2 - etcd"
-
-check_2_1="2.1 - Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
-if check_argument "$CIS_ETCD_CMD" '--cert-file' >/dev/null 2>&1; then
- if check_argument "$CIS_ETCD_CMD" '--key-file' >/dev/null 2>&1; then
- cfile=$(get_argument_value "$CIS_ETCD_CMD" '--cert-file')
- kfile=$(get_argument_value "$CIS_ETCD_CMD" '--key-file')
- pass "$check_2_1"
- pass " * cert-file: $cfile"
- pass " * key-file: $kfile"
- else
- warn "$check_2_1"
- fi
-else
- warn "$check_2_1"
-fi
-
-check_2_2="2.2 - Ensure that the --client-cert-auth argument is set to true (Automated)"
-if check_argument "$CIS_ETCD_CMD" '--client-cert-auth' >/dev/null 2>&1; then
- pass "$check_2_2"
-else
- warn "$check_2_2"
-fi
-
-check_2_3="2.3 - Ensure that the --auto-tls argument is not set to true (Automated)"
-if check_argument "$CIS_ETCD_CMD" '--auto-tls=true' >/dev/null 2>&1; then
- warn "$check_2_3"
-else
- pass "$check_2_3"
-fi
-
-check_2_4="2.4 - Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
-if check_argument "$CIS_ETCD_CMD" '--peer-cert-file' >/dev/null 2>&1; then
- if check_argument "$CIS_ETCD_CMD" '--peer-key-file' >/dev/null 2>&1; then
- cfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-cert-file')
- kfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-key-file')
- pass "$check_2_4"
- pass " * peer-cert-file: $cfile"
- pass " * peer-key-file: $kfile"
- else
- warn "$check_2_4"
- fi
-else
- warn "$check_2_4"
-fi
-
-check_2_5="2.5 - Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
-if check_argument "$CIS_ETCD_CMD" '--peer-client-cert-auth=true' >/dev/null 2>&1; then
- pass "$check_2_5"
-else
- warn "$check_2_5"
-fi
-
-check_2_6="2.6 - Ensure that the --peer-auto-tls argument is not set to true (Automated)"
-if check_argument "$CIS_ETCD_CMD" '--peer-auto-tls=true' >/dev/null 2>&1; then
- warn "$check_2_6"
-else
- pass "$check_2_6"
-fi
-
-#todo apiserver vs kube-apiserver
-check_2_7="2.7 - Ensure that a unique Certificate Authority is used for etcd (Manual)"
-if check_argument "$CIS_ETCD_CMD" '--trusted-ca-file' >/dev/null 2>&1; then
- if check_argument "$CIS_APISERVER_CMD" '--client-ca-file' >/dev/null 2>&1; then
- tfile=$(get_argument_value "$CIS_ETCD_CMD" '--trusted-ca-file')
- cfile=$(get_argument_value "$CIS_APISERVER_CMD" '--client-ca-file')
- if [ "$tfile" = "$cfile" ]; then
- pass "$check_2_7"
- pass " * trusted-ca-file: $tfile"
- pass " * client-ca-file: $cfile"
- else
- warn "$check_2_7"
- fi
- else
- warn "$check_2_7"
- warn " * client-ca-file doesn't exist"
- fi
-else
- warn "$check_2_7"
- warn " * trusted-ca-file doesn't exist"
-fi
diff --git a/1.6.0-rework/master-old/3_control_plane_configuration.sh b/1.6.0-rework/master-old/3_control_plane_configuration.sh
deleted file mode 100644
index 9e15658..0000000
--- a/1.6.0-rework/master-old/3_control_plane_configuration.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-info "3 - Control Plane Configuration"
-
-info "3.1 - Authentication and Authorization"
-
-check_3_1_1="3.1.1 - Client certificate authentication should not be used for users (Manual)"
-info "$check_3_1_1"
-info " * Review user access to the cluster and ensure that users are not making use of Kubernetes client certificate authentication."
-
-info "3.2 - Logging"
-
-check_3_2_1="3.2.1 - Ensure that a minimal audit policy is created (Manual)"
-if check_argument "$CIS_APISERVER_CMD" '--audit-policy-file' >/dev/null 2>&1; then
- auditPolicyFile=$(get_argument_value "$CIS_APISERVER_CMD" '--audit-policy-file')
- pass "$check_3_2_1"
- pass " * audit-policy-file: $auditPolicyFile"
-else
- warn "$check_3_2_1"
-fi
-
-check_3_2_2="3.2.2 - Ensure that the audit policy covers key security concerns (Manual)"
-info "$check_3_2_2"
-info " * Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data."
-info " * Modification of pod and deployment objects."
-info " * Use of pods/exec, pods/portforward, pods/proxy and services/proxy."
diff --git a/1.6.0-rework/master-old/5_policies.sh b/1.6.0-rework/master-old/5_policies.sh
deleted file mode 100644
index 9b2afba..0000000
--- a/1.6.0-rework/master-old/5_policies.sh
+++ /dev/null
@@ -1,99 +0,0 @@
-info "5 - Policies"
-info "5.1 - RBAC and Service Accounts"
-
-# Make the loop separator be a new-line in POSIX compliant fashion
-set -f; IFS=$'
-'
-
-check_5_1_1="5.1.1 - Ensure that the cluster-admin role is only used where required (Manual)"
-cluster_admins=$(kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name)
-info "$check_5_1_1"
-for admin in $cluster_admins; do
- info " * $admin"
-done
-
-check_5_1_2="5.1.2 - Minimize access to secrets (Manual)"
-policies=$(kubectl get psp)
-info "$check_5_1_2"
-for policy in $policies; do
- info " * $policy"
-done
-
-check_5_1_3="5.1.3 - Create administrative boundaries between resources using namespaces (Manual)"
-namespaces=$(kubectl get namespaces)
-info "$check_5_1_3"
-for namespace in $namespaces; do
- info " * $namespace"
-done
-
-check_5_1_4="5.1.4 - Create network segmentation using Network Policies (Manual)"
-policies=$(kubectl get pods --namespace=kube-system)
-info "$check_5_1_4"
-for policy in $policies; do
- info " * $policy"
-done
-
-check_5_1_5="5.1.5 - Avoid using Kubernetes Secrets (Manual)"
-secrets=$(kubectl get secrets)
-info "$check_5_1_5"
-for secret in $secrets; do
- info " * $secret"
-done
-
-#TODO
-check_5_1_6="5.1.6 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
-info "$check_5_1_6"
-check_5_1_7="5.1.7 - Apply Security Context to Your Pods and Containers (Manual)"
-info "$check_5_1_7"
-check_5_1_8="5.1.8 - Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
-info "$check_5_1_8"
-check_5_1_9="5.1.9 - Place compensating controls in the form of PSP and RBAC for privileged containers usage (Manual)"
-info "$check_5_1_9"
-
-info "5.2 - Pod Security Policies"
-
-check_5_2_1="5.2.1 - Minimize the admission of privileged containers (Manual)"
-info "$check_5_2_1"
-check_5_2_2="5.2.2 - Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
-info "$check_5_2_2"
-check_5_2_3="5.2.3 - Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
-info "$check_5_2_3"
-check_5_2_4="5.2.4 - Minimize the admission of containers wishing to share the host network namespace (Manual)"
-info "$check_5_2_4"
-check_5_2_5="5.2.5 - Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
-info "$check_5_2_5"
-check_5_2_6="5.2.6 - Minimize the admission of root containers (Manual)"
-info "$check_5_2_6"
-check_5_2_7="5.2.7 - Minimize the admission of containers with the NET_RAW capability (Manual)"
-info "$check_5_2_7"
-check_5_2_8="5.2.8 - Minimize the admission of containers with added capabilities (Manual)"
-info "$check_5_2_8"
-check_5_2_9="5.2.9 - Minimize the admission of containers with capabilities assigned (Manual)"
-info "$check_5_2_9"
-
-info "5.3 - Network Policies and CNI"
-check_5_3_1="5.3.1 - Ensure that the CNI in use supports Network Policies (Manual)"
-info "$check_5_3_1"
-check_5_3_2="5.3.2 - Ensure that all Namespaces have Network Policies defined (Manual)"
-info "$check_5_3_2"
-
-info "5.4 - Secrets Management"
-check_5_4_1="5.4.1 - Prefer using secrets as files over secrets as environment variables (Manual)"
-info "$check_5_4_1"
-check_5_4_2="5.4.2 - Consider external secret storage (Manual)"
-info "$check_5_4_2"
-
-info "5.5 - Extensible Admission Control"
-check_5_5_1="5.5.1 - Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
-info "$check_5_5_1"
-
-info "5.7 - General Policies"
-check_5_7_1="5.7.1 - Create administrative boundaries between resources using namespaces (Manual)"
-info "$check_5_7_1"
-#todo remedition
-check_5_7_2="5.7.2 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
-info "$check_5_7_2"
-check_5_7_3="5.7.3 - Apply Security Context to Your Pods and Containers (Manual)"
-info "$check_5_6_3"
-check_5_7_4="5.7.4 - The default namespace should not be used (Manual)"
-info "$check_5_7_4"
diff --git a/1.6.0-rework/worker-old/4_worker_nodes.sh b/1.6.0-rework/worker-old/4_worker_nodes.sh
deleted file mode 100644
index c2ca967..0000000
--- a/1.6.0-rework/worker-old/4_worker_nodes.sh
+++ /dev/null
@@ -1,277 +0,0 @@
-info "4.1 - Worker Node Configuration Files"
-
-check_4_1_1="4.1.1 - Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"
-file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
-if [ -f "$file" ]; then
- if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then
- pass "$check_4_1_1"
- else
- warn "$check_4_1_1"
- warn " * Wrong permissions for $file"
- fi
-else
- info "$check_4_1_1"
- info " * The kubelet service file not found"
-fi
-
-check_4_1_2="4.1.2 - Ensure that the kubelet service file ownership is set to root:root (Automated)"
-if [ -f "$file" ]; then
- if [ "$(stat -c %u%g $file)" -eq 00 ]; then
- pass "$check_4_1_2"
- else
- warn "$check_4_1_2"
- warn " * Wrong ownership for $file"
- fi
-else
- info "$check_4_1_2"
-fi
-
-check_4_1_3="4.1.3 - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Manual)"
-file=""
-if check_argument "$CIS_PROXY_CMD" '--kubeconfig' >/dev/null 2>&1; then
- file=$(get_argument_value "$CIS_PROXY_CMD" '--kubeconfig'|cut -d " " -f 1)
-fi
-
-if [ -f "$file" ]; then
- if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then
- pass "$check_4_1_3"
- else
- warn "$check_4_1_3"
- warn " * Wrong permissions for $file"
- fi
-else
- info "$check_4_1_3"
- info " * kubeconfig file not found"
-fi
-
-check_4_1_4="4.1.4 - Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)"
-if [ -f "$file" ]; then
- if [ "$(stat -c %u%g $file)" -eq 00 ]; then
- pass "$check_4_1_4"
- else
- warn "$check_4_1_4"
- warn " * Wrong ownership for $file"
- fi
-else
- info "$check_4_1_4"
- info " * kubeconfig file not found"
-fi
-
-check_4_1_5="4.1.5 - Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Manual)"
-if [ -f "/var/lib/kube-proxy/kubeconfig" ]; then
- # kops
- file="/var/lib/kube-proxy/kubeconfig"
-else
- file="/etc/kubernetes/proxy"
-fi
-
-if [ -f "$file" ]; then
- if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then
- pass "$check_4_1_5"
- else
- warn "$check_4_1_5"
- warn " * Wrong permissions for $file"
- fi
-else
- info "$check_4_1_5"
- info " * File not found"
-fi
-
-check_4_1_6="4.1.6 - Ensure that the kubelet.conf file ownership is set to root:root (Manual)"
-if [ -f "$file" ]; then
- if [ "$(stat -c %u%g $file)" -eq 00 ]; then
- pass "$check_4_1_6"
- else
- warn "$check_4_1_6"
- warn " * Wrong ownership for $file"
- fi
-else
- info "$check_4_1_6"
-fi
-
-check_4_1_7="4.1.7 - Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
-if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then
- file=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file')
- if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then
- pass "$check_4_1_7"
- pass " * client-ca-file: $file"
- else
- warn "$check_4_1_7"
- warn " * Wrong permissions for $file"
- fi
-else
- info "$check_4_1_7"
- info " * --client-ca-file not set"
-fi
-
-check_4_1_8="4.1.8 - Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
-if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then
- file=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file')
- if [ "$(stat -c %u%g $file)" -eq 00 ]; then
- pass "$check_4_1_8"
- pass " * client-ca-file: $file"
- else
- warn "$check_4_1_8"
- warn " * Wrong ownership for $file"
- fi
-else
- info "$check_4_1_8"
- info " * --client-ca-file not set"
-fi
-
-check_4_1_9="4.1.9 - Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)"
-if check_argument "$CIS_KUBELET_CMD" '--config' >/dev/null 2>&1; then
- file=$(get_argument_value "$CIS_KUBELET_CMD" '--config')
- if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then
- pass "$check_4_1_9"
- pass " * kubelet configuration file: $file"
- else
- warn "$check_4_1_9"
- warn " * Wrong permissions for $file"
- fi
-else
- info "$check_4_1_9"
- info " * kubelet configuration file not set"
-fi
-
-check_4_1_10="4.1.10 - Ensure that the kubelet configuration file ownership is set to root:root (Automated)"
-if check_argument "$CIS_KUBELET_CMD" '--config' >/dev/null 2>&1; then
- file=$(get_argument_value "$CIS_KUBELET_CMD" '--config')
- if [ "$(stat -c %u%g $file)" -eq 00 ]; then
- pass "$check_4_1_10"
- pass " * kubelet configuration file: $file"
- else
- warn "$check_4_1_10"
- warn " * Wrong ownership for $file"
- fi
-else
- info "$check_4_1_10"
- info " * kubelet configuration file not set"
-fi
-
-info "4.2 - Kubelet"
-
-#todo review all audits
-check_4_2_1="4.2.1 - Ensure that the anonymous-auth argument is set to false (Automated)"
-if check_argument "$CIS_KUBELET_CMD" '--anonymous-auth=false' >/dev/null 2>&1; then
- pass "$check_4_2_1"
-else
- warn "$check_4_2_1"
-fi
-
-check_4_2_2="4.2.2 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
-if check_argument "$CIS_KUBELET_CMD" '--authorization-mode=AlwaysAllow' >/dev/null 2>&1; then
- warn "$check_4_2_2"
-else
- pass "$check_4_2_2"
-fi
-
-check_4_2_3="4.2.3 - Ensure that the --client-ca-file argument is set as appropriate (Automated)"
-if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then
- cafile=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file')
- pass "$check_4_2_3"
- pass " * client-ca-file: $cafile"
-else
- warn "$check_4_2_3"
-fi
-
-check_4_2_4="4.2.4 - Ensure that the --read-only-port argument is set to 0 (Manual)"
-if check_argument "$CIS_KUBELET_CMD" '--read-only-port' >/dev/null 2>&1; then
- port=$(get_argument_value "$CIS_KUBELET_CMD" '--read-only-port' | cut -d " " -f 1)
- if [ $port = "0" ]; then
- pass "$check_4_2_4"
- else
- warn "$check_4_2_4"
- warn " * read-only-port: $port"
- fi
-else
- warn "$check_4_2_4"
-fi
-
-check_4_2_5="4.2.5 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
-if check_argument "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout=0' >/dev/null 2>&1; then
- timeout=$(get_argument_value "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout')
- warn "$check_4_2_5"
- warn " * streaming-connection-idle-timeout: $timeout"
-else
- pass "$check_4_2_5"
-fi
-
-check_4_2_6="4.2.6 - Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
-if check_argument "$CIS_KUBELET_CMD" '--protect-kernel-defaults=true' >/dev/null 2>&1; then
- pass "$check_4_2_6"
-else
- warn "$check_4_2_6"
-fi
-
-check_4_2_7="4.2.7 - Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
-if check_argument "$CIS_KUBELET_CMD" '--make-iptables-util-chains=true' >/dev/null 2>&1; then
- pass "$check_4_2_7"
-else
- warn "$check_4_2_7"
-fi
-
-check_4_2_8="4.2.8 - Ensure that the --hostname-override argument is not set (Manual)"
-if check_argument "$CIS_KUBELET_CMD" '--hostname-override' >/dev/null 2>&1; then
- warn "$check_4_2_8"
-else
- pass "$check_4_2_8"
-fi
-
-check_4_2_9="4.2.9 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
-if check_argument "$CIS_KUBELET_CMD" '--event-qps=0' >/dev/null 2>&1; then
- pass "$check_4_2_9"
-else
- warn "$check_4_2_9"
-fi
-
-check_4_2_10="4.2.10 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
-if check_argument "$CIS_KUBELET_CMD" '--tls-cert-file' >/dev/null 2>&1; then
- if check_argument "$CIS_KUBELET_CMD" '--tls-private-key-file' >/dev/null 2>&1; then
- cfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-cert-file')
- kfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-private-key-file')
- pass "$check_4_2_10"
- pass " * tls-cert-file: $cfile"
- pass " * tls-private-key-file: $kfile"
- else
- warn "$check_4_2_10"
- fi
-else
- warn "$check_4_2_10"
-fi
-
-check_4_2_11="4.2.11 - Ensure that the --rotate-certificates argument is not set to false (Manual)"
-if check_argument "$CIS_KUBELET_CMD" '--event-qps' >/dev/null 2>&1; then
- event=$(get_argument_value "$CIS_KUBELET_CMD" '--event-qps' | cut -d " " -f 1)
- if [ $event = "0" ]; then
- pass "$check_4_2_11"
- else
- warn "$check_4_2_11"
- warn " * event-qps: $event"
- fi
-else
- warn "$check_4_2_11"
-fi
-
-check_4_2_12="4.2.12 - Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
-file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
-found=$(sed -rn '/--feature-gates=RotateKubeletServerCertificate=true/p' $file)
-if [ -z "$found" ]; then
- warn "$check_4_2_12"
-else
- pass "$check_4_2_12"
-fi
-
-check_4_2_13="4.2.13 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
-if check_argument "$CIS_KUBELET_CMD" '--cadvisor-port' >/dev/null 2>&1; then
- port=$(get_argument_value "$CIS_KUBELET_CMD" '--cadvisor-port' | cut -d " " -f 1)
- if [ $port = "0" ]; then
- pass "$check_4_2_13"
- else
- warn "$check_4_2_13"
- warn " * cadvisor-port: $port"
- fi
-else
- warn "$check_4_2_13"
-fi
-