Skip to content

Commit

Permalink
feat(cis-1.24-microk8s): Add support to CIS-1.24 for microk8s distro (#…
Browse files Browse the repository at this point in the history
  • Loading branch information
bschimke95 authored Nov 20, 2023
1 parent 63055a7 commit fac90f7
Show file tree
Hide file tree
Showing 9 changed files with 1,875 additions and 18 deletions.
2 changes: 2 additions & 0 deletions cfg/cis-1.24-microk8s/config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
---
## Version-specific settings that override the values in cfg/config.yaml
46 changes: 46 additions & 0 deletions cfg/cis-1.24-microk8s/controlplane.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
---
controls:
version: "cis-1.24"
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
- id: 3.1
text: "Authentication and Authorization"
checks:
- id: 3.1.1
text: "Client certificate authentication should not be used for users (Manual)"
type: "manual"
remediation: |
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
implemented in place of client certificates.
scored: false

- id: 3.2
text: "Logging"
checks:
- id: 3.2.1
text: "Ensure that a minimal audit policy is created (Manual)"
audit: "cat $apiserverconf | grep -v grep"
tests:
test_items:
- flag: "--audit-policy-file"
set: true
remediation: |
Create an audit policy file for your cluster.
scored: false

- id: 3.2.2
text: "Ensure that the audit policy covers key security concerns (Manual)"
type: "manual"
remediation: |
Review the audit policy provided for the cluster and ensure that it covers
at least the following areas,
- Access to Secrets managed by the cluster. Care should be taken to only
log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in
order to avoid risk of logging sensitive data.
- Modification of Pod and Deployment objects.
- Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`.
For most requests, minimally logging at the Metadata level is recommended
(the most basic level of logging).
scored: false
121 changes: 121 additions & 0 deletions cfg/cis-1.24-microk8s/etcd.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
---
controls:
version: "cis-1.24"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
- id: 2
text: "Etcd Node Configuration"
checks:
- id: 2.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
bin_op: and
test_items:
- flag: "--cert-file"
env: "ETCD_CERT_FILE"
- flag: "--key-file"
env: "ETCD_KEY_FILE"
remediation: |
Not applicable. MicroK8s used dqlite and the communication to this service is done through a
local socket (/var/snap/microk8s/current/var/kubernetes/backend/kine.sock:12379) accessible
to users with root permissions.
scored: false

- id: 2.2
text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
test_items:
- flag: "--client-cert-auth"
env: "ETCD_CLIENT_CERT_AUTH"
compare:
op: eq
value: true
remediation: |
Not applicable. MicroK8s used dqlite and the communication to this service is done through a
local socket (/var/snap/microk8s/current/var/kubernetes/backend/kine.sock:12379) accessible
to users with root permissions.
scored: false

- id: 2.3
text: "Ensure that the --auto-tls argument is not set to true (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
set: false
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
compare:
op: eq
value: false
remediation: |
Not applicable. MicroK8s used dqlite and the communication to this service is done through a
local socket (/var/snap/microk8s/current/var/kubernetes/backend/kine.sock:12379) accessible
to users with root permissions.
scored: false

- id: 2.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)"
audit: "if test -e /var/snap/microk8s/current/var/kubernetes/backend/cluster.crt && test -e /var/snap/microk8s/current/var/kubernetes/backend/cluster.key; then echo 'certs-found'; fi"
tests:
test_items:
- flag: "certs-found"
remediation: |
The certificate pair for dqlite and tls peer communication is
/var/snap/microk8s/current/var/kubernetes/backend/cluster.crt and
/var/snap/microk8s/current/var/kubernetes/backend/cluster.key.
scored: true

- id: 2.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
audit: "/bin/cat $etcdconf | /bin/grep enable-tls || true"
tests:
bin_op: or
test_items:
- flag: "--enable-tls"
compare:
op: eq
value: true
- flag: "--enable-tls"
set: false
remediation: |
MicroK8s used dqlite and tls peer communication uses is TLS if the --enable-tls is set in
/var/snap/microk8s/current/args/k8s-dqlite, set to true by default.
scored: true

- id: 2.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
bin_op: or
test_items:
- flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
set: false
- flag: "--peer-auto-tls"
env: "ETCD_PEER_AUTO_TLS"
compare:
op: eq
value: false
remediation: |
Not applicable. MicroK8s used dqlite and tls peer communication uses the certificates
created upon the snap creation.
scored: false

- id: 2.7
text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
tests:
test_items:
- flag: "--trusted-ca-file"
env: "ETCD_TRUSTED_CA_FILE"
remediation: |
Not applicable. MicroK8s used dqlite and tls peer communication uses the certificates
created upon the snap creation.
scored: false
Loading

0 comments on commit fac90f7

Please sign in to comment.