Updating the rh-1.0 OCP checks

1. Added audit commands wherever required. 2. Updated the scripts with type to manual to match the title. 3. Updated the scripts with test_items wherever required. 4. Fixed a typo.
aquasecurity · Jan 19, 2024 · f3d53be · f3d53be
1 parent 221ff4f
commit f3d53be
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 7 deletions.
diff --git a/cfg/rh-1.0/etcd.yaml b/cfg/rh-1.0/etcd.yaml
@@ -67,7 +67,7 @@ groups:
                 op: eq
                 value: "1"
         remediation: |
-          This setting is managed by the cluster etcd operator. No remediation required.e
+          This setting is managed by the cluster etcd operator. No remediation required.
         scored: false
 
       - id: 2.4

diff --git a/cfg/rh-1.0/master.yaml b/cfg/rh-1.0/master.yaml
@@ -864,7 +864,6 @@ groups:
         remediation: |
           Follow the documentation for log forwarding. Forwarding logs to third party systems
           https://docs.openshift.com/container-platform/4.5/logging/cluster-logging-external.html
-
         scored: false
 
       - id: 1.2.24
@@ -1070,6 +1069,12 @@ groups:
       - id: 1.2.35
         text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Manual)"
         type: manual
+        audit: |
+          # verify cipher suites
+          oc get cm -n openshift-authentication v4-0-config-system-cliconfig -o jsonpath='{.data.v4\-0\-config\-system\-cliconfig}' | jq .servingInfo
+          oc get kubeapiservers.operator.openshift.io cluster -o json |jq.spec.observedConfig.servingInfo
+          oc get openshiftapiservers.operator.openshift.io cluster -o json |jq.spec.observedConfig.servingInfo
+          oc describe --namespace=openshift-ingress-operator ingresscontroller/default
         remediation: |
           Verify that the tlsSecurityProfile is set to the value you chose.
           Note: The HAProxy Ingress controller image does not support TLS 1.3

diff --git a/cfg/rh-1.0/node.yaml b/cfg/rh-1.0/node.yaml
@@ -222,15 +222,12 @@ groups:
         audit: |
           for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}')
           do
-            oc debug node/${node} -- chroot /host grep clientCAFile /etc/kubernetes/kubelet.conf
+            oc debug node/${node} -- chroot /host grep clientCAFile /etc/kubernetes/kubelet.conf | awk -F': ' '{ print "clientCAFile=" $2 }'
           done 2> /dev/null
         use_multiple_values: true
         tests:
           test_items:
-            - flag: "clientCAFile"
-              compare:
-                op: eq
-                value: "/etc/kubernetes/kubelet-ca.crt"
+            - flag: clientCAFile="/etc/kubernetes/kubelet-ca.crt"
         remediation: |
           None required. Changing the clientCAFile value is unsupported.
         scored: true
@@ -278,6 +275,10 @@ groups:
               compare:
                 op: noteq
                 value: 0
+            - flag: streamingConnectionIdleTimeout
+              compare:
+                op: noteq
+                value: 0s
             - flag: "exit_code"
               compare:
                 op: eq

diff --git a/cfg/rh-1.0/policies.yaml b/cfg/rh-1.0/policies.yaml
@@ -11,6 +11,12 @@ groups:
       - id: 5.1.1
         text: "Ensure that the cluster-admin role is only used where required (Manual)"
         type: "manual"
+        audit: |
+          #To get a list of users and service accounts with the cluster-admin role
+          oc get clusterrolebindings -o=customcolumns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind |
+          grep cluster-admin
+          #To verity that kbueadmin is removed, no results should be returned
+          oc get secrets kubeadmin -n kube-system
         remediation: |
           Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
           if they need this role or if they could use a role with fewer privileges.
@@ -29,6 +35,15 @@ groups:
       - id: 5.1.3
         text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
         type: "manual"
+        audit: |
+          #needs verification
+          oc get roles --all-namespaces -o yaml
+          for i in $(oc get roles -A -o jsonpath='{.items[*].metadata.name}'); do oc
+          describe clusterrole ${i}; done
+          #Retrieve the cluster	roles defined in the cluster and review	for	wildcards
+          oc get clusterroles -o yaml
+          for i in $(oc get clusterroles -o jsonpath='{.items[*].metadata.name}'); do
+          oc describe clusterrole ${i}; done
         remediation: |
           Where possible replace any use of wildcards in clusterroles and roles with specific
           objects or actions.
@@ -213,6 +228,9 @@ groups:
       - id: 5.3.2
         text: "Ensure that all Namespaces have Network Policies defined (Manual)"
         type: "manual"
+        audit: |
+          #Run the following command and review the NetworkPolicy objects created in the cluster.
+          oc -n all get networkpolicy
         remediation: |
           Follow the documentation and create NetworkPolicy objects as you need them.
         scored: false
@@ -223,6 +241,10 @@ groups:
       - id: 5.4.1
         text: "Prefer using secrets as files over secrets as environment variables (Manual)"
         type: "manual"
+        audit: |
+          #Run the following command to find references to objects which use environment variables defined from secrets.
+          oc get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind}
+          {.metadata.name} {"\n"}{end}' -A
         remediation: |
           If possible, rewrite application code to read secrets from mounted secret files, rather than
           from environment variables.
@@ -252,6 +274,10 @@ groups:
       - id: 5.7.1
         text: "Create administrative boundaries between resources using namespaces (Manual)"
         type: "manual"
+        audit: |
+          #Run the following command and review the namespaces created in the cluster.
+          oc get namespaces
+          #Ensure that these namespaces are the ones you need and are adequately administered as per your requirements.
         remediation: |
           Follow the documentation and create namespaces for objects in your deployment as you need
           them.
@@ -277,6 +303,11 @@ groups:
       - id: 5.7.4
         text: "The default namespace should not be used (Manual)"
         type: "manual"
+        audit: |
+          #Run this command to list objects in default namespace
+          oc project default
+          oc get all
+          #The only entries there should be system managed resources such as the kubernetes and openshift service
         remediation: |
           Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
           resources and that all new resources are created in a specific namespace.