├── 1.0.0 ├── federation │ ├── check_federation.sh │ ├── federation_1_api_server.sh │ └── federation_2_controller_manager.sh ├── master │ ├── master_1_api_server.sh │ ├── master_2_scheduler.sh │ ├── master_3_contoller_manager.sh │ ├── master_4_configuration_files.sh │ ├── master_5_etcd.sh │ └── master_6_general_security_primitives.sh └── worker │ ├── worker_1_kubelet.sh │ └── worker_2_configure_files.sh ├── 1.2.0 ├── federation.sh ├── federation │ ├── check_federation.sh │ ├── federation_1_api_server.sh │ └── federation_2_controller_manager.sh ├── master.sh ├── master │ ├── master_1_api_server.sh │ ├── master_2_scheduler.sh │ ├── master_3_contoller_manager.sh │ ├── master_4_configuration_files.sh │ ├── master_5_etcd.sh │ └── master_6_general_security_primitives.sh ├── worker.sh └── worker │ ├── worker_1_kubelet.sh │ └── worker_2_configure_files.sh ├── 1.4.1 ├── master │ ├── master_1_api_server.sh │ ├── master_2_scheduler.sh │ ├── master_3_contoller_manager.sh │ ├── master_4_configuration_files.sh │ ├── master_5_etcd.sh │ ├── master_6_general_security_primitives.sh │ └── master_7_podSecurityPolicies.sh └── worker │ ├── worker_1_kubelet.sh │ └── worker_2_configure_files.sh ├── 1.5.1 ├── master │ ├── 1_control_plane_components.sh │ ├── 2_etcd.sh │ ├── 3_control_plane_configuration.sh │ └── 5_policies.sh └── worker │ └── 4_worker_nodes.sh ├── 1.6.0 ├── master │ ├── 1_control_plane_components.sh │ ├── 2_etcd.sh │ ├── 3_control_plane_configuration.sh │ └── 5_policies.sh └── worker │ └── 4_worker_nodes.sh ├── LICENSE ├── NeuVector-Logo.png ├── README.md ├── bench.png ├── federation.sh ├── gke ├── master │ ├── 1_control_plane_components.sh │ ├── 2_etcd.sh │ ├── 3_control_plane_configuration.sh │ ├── 5_policies.sh │ └── 6_managed_services.sh └── worker │ └── 4_worker_nodes.sh ├── helper.sh ├── helper1_4_1.sh ├── helper1_5_1.sh ├── helper1_6_0.sh ├── helper_gke.sh ├── master.sh └── worker.sh /1.0.0/federation/check_federation.sh: 
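# ==== /1.0.0/federation/check_federation.sh ====
# Gate for the federation section: the 3.x checks only make sense on a node
# that runs federation-apiserver. Exit status 2 tells the caller to skip the
# section. info/pass/warn are the reporting helpers sourced from helper.sh.
# NOTE(review): this is a loose text match on `ps -ef` output — any process
# whose command line merely mentions "federation-apiserver" would count.
if ps -ef | grep federation-apiserver 2>/dev/null | grep -v "grep" >/dev/null 2>&1; then
  info "Kubernetes Federated Deployments"
else
  info "This node is not a Kubernetes Federated node"
  exit 2
fi

# ==== /1.0.0/federation/federation_1_api_server.sh ====
# CIS Kubernetes Benchmark 1.0.0, section 3.1 - federation-apiserver flags.
# As used throughout these scripts (both live in helper.sh, not shown here):
#   check_argument CMD FLAG     succeeds when FLAG is on CMD's command line
#   get_argument_value CMD FLAG prints the value supplied for FLAG
info "3.1 - Federation API Server"

check_3_1_1="3.1.1 Ensure that the --anonymous-auth argument is set to false"
if check_argument 'federation-apiserver' '--anonymous-auth=false' >/dev/null 2>&1; then
  pass "$check_3_1_1"
else
  warn "$check_3_1_1"
fi

# Fixed: the title used to be assigned to the misspelled name "check_3_1_"
# (check_3_1_=2"..."), so the pass/warn lines for this check printed blank.
check_3_1_2="3.1.2 Ensure that the --basic-auth-file argument is not set"
if check_argument 'federation-apiserver' '--basic-auth-file' >/dev/null 2>&1; then
  warn "$check_3_1_2"
else
  pass "$check_3_1_2"
fi

check_3_1_3="3.1.3 Ensure that the --insecure-allow-any-token argument is not set"
if check_argument 'federation-apiserver' '--insecure-allow-any-token' >/dev/null 2>&1; then
  warn "$check_3_1_3"
else
  pass "$check_3_1_3"
fi

check_3_1_4="3.1.4 Ensure that the --insecure-bind-address argument is not set"
if check_argument 'federation-apiserver' '--insecure-bind-address' >/dev/null 2>&1; then
  warn "$check_3_1_4"
else
  pass "$check_3_1_4"
fi

# The insecure (plain HTTP) listener must be explicitly disabled with 0; an
# absent flag means the built-in default applies, which this check treats as
# a failure just like a non-zero value.
check_3_1_5="3.1.5 Ensure that the --insecure-port argument is set to 0"
if check_argument 'federation-apiserver' '--insecure-port' >/dev/null 2>&1; then
  port=$(get_argument_value 'federation-apiserver' '--insecure-port' | cut -d " " -f 1)
  if [ "$port" = "0" ]; then
    pass "$check_3_1_5"
  else
    warn "$check_3_1_5"
    warn " * insecure-port: $port"
  fi
else
  warn "$check_3_1_5"
fi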
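# A secure port of 0 disables the TLS listener entirely; an absent flag keeps
# the default, so only an explicit 0 is a failure.
check_3_1_6="3.1.6 Ensure that the --secure-port argument is not set to 0"
if check_argument 'federation-apiserver' '--secure-port' >/dev/null 2>&1; then
  secure_port=$(get_argument_value 'federation-apiserver' '--secure-port' | cut -d " " -f 1)
  if [ "$secure_port" = "0" ]; then
    warn "$check_3_1_6"
    warn " * secure-port: $secure_port"
  else
    pass "$check_3_1_6"
  fi
else
  pass "$check_3_1_6"
fi

check_3_1_7="3.1.7 Ensure that the --profiling argument is set to false"
if check_argument 'federation-apiserver' '--profiling=false' >/dev/null 2>&1; then
  pass "$check_3_1_7"
else
  warn "$check_3_1_7"
fi

# Admission-control checks grep the plugin list printed by get_argument_value.
check_3_1_8="3.1.8 Ensure that the admission control policy is not set to AlwaysAdmit"
if get_argument_value 'federation-apiserver' '--admission-control' | grep -q 'AlwaysAdmit' 2>/dev/null; then
  warn "$check_3_1_8"
else
  pass "$check_3_1_8"
fi

check_3_1_9="3.1.9 Ensure that the admission control policy is set to NamespaceLifecycle"
if get_argument_value 'federation-apiserver' '--admission-control' | grep -q 'NamespaceLifecycle' 2>/dev/null; then
  pass "$check_3_1_9"
else
  warn "$check_3_1_9"
fi

check_3_1_10="3.1.10 Ensure that the --audit-log-path argument is set as appropriate"
if check_argument 'federation-apiserver' '--audit-log-path' >/dev/null 2>&1; then
  audit_log_path=$(get_argument_value 'federation-apiserver' '--audit-log-path')
  pass "$check_3_1_10"
  pass " * audit-log-path: $audit_log_path"
else
  warn "$check_3_1_10"
fi

# The three audit-log retention checks read "N or as appropriate": any integer
# at least as large as the benchmark value is accepted. The previous exact
# string match on "30"/"10"/"100" reported a longer retention as a failure.
# A non-numeric or empty value makes `[ -ge ]` fail (stderr silenced), which
# lands in the warn branch.
check_3_1_11="3.1.11 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate"
if check_argument 'federation-apiserver' '--audit-log-maxage' >/dev/null 2>&1; then
  maxage=$(get_argument_value 'federation-apiserver' '--audit-log-maxage' | cut -d " " -f 1)
  if [ "$maxage" -ge 30 ] 2>/dev/null; then
    pass "$check_3_1_11"
    pass " * audit-log-maxage: $maxage"
  else
    warn "$check_3_1_11"
    warn " * audit-log-maxage: $maxage"
  fi
else
  warn "$check_3_1_11"
fi

check_3_1_12="3.1.12 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate"
if check_argument 'federation-apiserver' '--audit-log-maxbackup' >/dev/null 2>&1; then
  maxbackup=$(get_argument_value 'federation-apiserver' '--audit-log-maxbackup' | cut -d " " -f 1)
  if [ "$maxbackup" -ge 10 ] 2>/dev/null; then
    pass "$check_3_1_12"
    pass " * audit-log-maxbackup : $maxbackup"
  else
    warn "$check_3_1_12"
    warn " * audit-log-maxbackup : $maxbackup"
  fi
else
  warn "$check_3_1_12"
fi

check_3_1_13="3.1.13 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate"
if check_argument 'federation-apiserver' '--audit-log-maxsize' >/dev/null 2>&1; then
  maxsize=$(get_argument_value 'federation-apiserver' '--audit-log-maxsize' | cut -d " " -f 1)
  if [ "$maxsize" -ge 100 ] 2>/dev/null; then
    pass "$check_3_1_13"
    pass " * audit-log-maxsize : $maxsize"
  else
    warn "$check_3_1_13"
    warn " * audit-log-maxsize : $maxsize"
  fi
else
  warn "$check_3_1_13"
fi

check_3_1_14="3.1.14 Ensure that the --authorization-mode argument is not set to AlwaysAllow"
if get_argument_value 'federation-apiserver' '--authorization-mode' | grep -q 'AlwaysAllow' 2>/dev/null; then
  warn "$check_3_1_14"
else
  pass "$check_3_1_14"
fi

check_3_1_15="3.1.15 Ensure that the --token-auth-file parameter is not set"
if check_argument 'federation-apiserver' '--token-auth-file' >/dev/null 2>&1; then
  warn "$check_3_1_15"
else
  pass "$check_3_1_15"
fi

check_3_1_16="3.1.16 Ensure that the --service-account-lookup argument is set to true"
if check_argument 'federation-apiserver' '--service-account-lookup=true' >/dev/null 2>&1; then
  pass "$check_3_1_16"
else
  warn "$check_3_1_16"
fi
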
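check_3_1_17="3.1.17 Ensure that the --service-account-key-file argument is set as appropriate"
if check_argument 'federation-apiserver' '--service-account-key-file' >/dev/null 2>&1; then
  sa_key_file=$(get_argument_value 'federation-apiserver' '--service-account-key-file')
  pass "$check_3_1_17"
  pass " * service-account-key-file: $sa_key_file"
else
  warn "$check_3_1_17"
fi

# Paired cert/key checks: both flags must be present for a pass; a missing
# half (or both) is reported as a single warn without detail.
check_3_1_18="3.1.18 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate"
if check_argument 'federation-apiserver' '--etcd-certfile' >/dev/null 2>&1 \
  && check_argument 'federation-apiserver' '--etcd-keyfile' >/dev/null 2>&1; then
  etcd_certfile=$(get_argument_value 'federation-apiserver' '--etcd-certfile')
  etcd_keyfile=$(get_argument_value 'federation-apiserver' '--etcd-keyfile')
  pass "$check_3_1_18"
  pass " * etcd-certfile: $etcd_certfile"
  pass " * etcd-keyfile: $etcd_keyfile"
else
  warn "$check_3_1_18"
fi

check_3_1_19="3.1.19 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate"
if check_argument 'federation-apiserver' '--tls-cert-file' >/dev/null 2>&1 \
  && check_argument 'federation-apiserver' '--tls-private-key-file' >/dev/null 2>&1; then
  tls_certfile=$(get_argument_value 'federation-apiserver' '--tls-cert-file')
  tls_keyfile=$(get_argument_value 'federation-apiserver' '--tls-private-key-file')
  pass "$check_3_1_19"
  pass " * tls-cert-file: $tls_certfile"
  pass " * tls-private-key-file: $tls_keyfile"
else
  warn "$check_3_1_19"
fi


# ==== /1.0.0/federation/federation_2_controller_manager.sh ====
# CIS Kubernetes Benchmark 1.0.0, section 3.2 - federation-controller-manager.
info "3.2 - Federation Controller Manager"

# The check number was missing from this title (every other title carries
# one), so the report line could not be matched back to the benchmark item.
check_3_2_1="3.2.1 Ensure that the --profiling argument is set to false"
if check_argument 'federation-controller-manager' '--profiling=false' >/dev/null 2>&1; then
  pass "$check_3_2_1"
else
  warn "$check_3_2_1"
fi

# ==== /1.0.0/master/master_1_api_server.sh ====
# CIS Kubernetes Benchmark 1.0.0, section 1.1 - kube-apiserver flags.
# $CIS_APISERVER_CMD is the process name/command set up by helper.sh.
info "1.1 - API Server"

check_1_1_1="1.1.1 - Ensure that the --allow-privileged argument is set to false"
if check_argument "$CIS_APISERVER_CMD" '--allow-privileged=false' >/dev/null 2>&1; then
  pass "$check_1_1_1"
else
  warn "$check_1_1_1"
fi

check_1_1_2="1.1.2 - Ensure that the --anonymous-auth argument is set to false"
if check_argument "$CIS_APISERVER_CMD" '--anonymous-auth=false' >/dev/null 2>&1; then
  pass "$check_1_1_2"
else
  warn "$check_1_1_2"
fi

check_1_1_3="1.1.3 - Ensure that the --basic-auth-file argument is not set"
if check_argument "$CIS_APISERVER_CMD" '--basic-auth-file' >/dev/null 2>&1; then
  warn "$check_1_1_3"
else
  pass "$check_1_1_3"
fi

check_1_1_4="1.1.4 - Ensure that the --insecure-allow-any-token argument is not set"
if check_argument "$CIS_APISERVER_CMD" '--insecure-allow-any-token' >/dev/null 2>&1; then
  warn "$check_1_1_4"
else
  pass "$check_1_1_4"
fi

# Only an explicit =false fails: an absent flag is taken as the default (true).
check_1_1_5="1.1.5 - Ensure that the --kubelet-https argument is set to true"
if check_argument "$CIS_APISERVER_CMD" '--kubelet-https=false' >/dev/null 2>&1; then
  warn "$check_1_1_5"
else
  pass "$check_1_1_5"
fi

# Despite the title, the benchmark's audit text tolerates the insecure
# listener being bound to localhost, so 127.0.0.1 passes and any other
# address fails.
check_1_1_6="1.1.6 - Ensure that the --insecure-bind-address argument is not set"
if check_argument "$CIS_APISERVER_CMD" '--insecure-bind-address' >/dev/null 2>&1; then
  bind_address=$(get_argument_value "$CIS_APISERVER_CMD" '--insecure-bind-address' | cut -d " " -f 1)
  if [ "$bind_address" = "127.0.0.1" ]; then
    pass "$check_1_1_6"
    pass " * insecure-bind-address: $bind_address"
  else
    warn "$check_1_1_6"
    warn " * insecure-bind-address: $bind_address"
  fi
else
  pass "$check_1_1_6"
fi

# The insecure port must be explicitly 0; an absent flag (default port) fails.
check_1_1_7="1.1.7 - Ensure that the --insecure-port argument is set to 0"
if check_argument "$CIS_APISERVER_CMD" '--insecure-port' >/dev/null 2>&1; then
  insecure_port=$(get_argument_value "$CIS_APISERVER_CMD" '--insecure-port' | cut -d " " -f 1)
  if [ "$insecure_port" = "0" ]; then
    pass "$check_1_1_7"
  else
    warn "$check_1_1_7"
    warn " * insecure-port: $insecure_port"
  fi
else
  warn "$check_1_1_7"
fi

# Only an explicit --secure-port=0 (TLS listener disabled) fails.
check_1_1_8="1.1.8 - Ensure that the --secure-port argument is not set to 0"
if check_argument "$CIS_APISERVER_CMD" '--secure-port' >/dev/null 2>&1; then
  secure_port=$(get_argument_value "$CIS_APISERVER_CMD" '--secure-port' | cut -d " " -f 1)
  if [ "$secure_port" = "0" ]; then
    warn "$check_1_1_8"
    warn " * secure-port: $secure_port"
  else
    pass "$check_1_1_8"
  fi
else
  pass "$check_1_1_8"
fi

check_1_1_9="1.1.9 - Ensure that the --profiling argument is set to false"
if check_argument "$CIS_APISERVER_CMD" '--profiling=false' >/dev/null 2>&1; then
  pass "$check_1_1_9"
else
  warn "$check_1_1_9"
fi

check_1_1_10="1.1.10 - Ensure that the --repair-malformed-updates argument is set to false"
if check_argument "$CIS_APISERVER_CMD" '--repair-malformed-updates=false' >/dev/null 2>&1; then
  pass "$check_1_1_10"
else
  warn "$check_1_1_10"
fi

# Admission-control checks grep the plugin list printed by get_argument_value.
# A plugin that must NOT be present is a warn on match; a required plugin is
# a pass on match.
check_1_1_11="1.1.11 - Ensure that the admission control policy is not set to AlwaysAdmit"
if get_argument_value "$CIS_APISERVER_CMD" '--admission-control' | grep -q 'AlwaysAdmit' 2>/dev/null; then
  warn "$check_1_1_11"
else
  pass "$check_1_1_11"
fi

check_1_1_12="1.1.12 - Ensure that the admission control policy is set to AlwaysPullImages"
if get_argument_value "$CIS_APISERVER_CMD" '--admission-control' | grep -q 'AlwaysPullImages' 2>/dev/null; then
  pass "$check_1_1_12"
else
  warn "$check_1_1_12"
fi

check_1_1_13="1.1.13 - Ensure that the admission control policy is set to DenyEscalatingExec"
if get_argument_value "$CIS_APISERVER_CMD" '--admission-control' | grep -q 'DenyEscalatingExec' 2>/dev/null; then
  pass "$check_1_1_13"
else
  warn "$check_1_1_13"
fi

check_1_1_14="1.1.14 - Ensure that the admission control policy is set to SecurityContextDeny"
if get_argument_value "$CIS_APISERVER_CMD" '--admission-control' | grep -q 'SecurityContextDeny' 2>/dev/null; then
  pass "$check_1_1_14"
else
  warn "$check_1_1_14"
fi

check_1_1_15="1.1.15 - Ensure that the admission control policy is set to NamespaceLifecycle"
if get_argument_value "$CIS_APISERVER_CMD" '--admission-control' | grep -q 'NamespaceLifecycle' 2>/dev/null; then
  pass "$check_1_1_15"
else
  warn "$check_1_1_15"
fi

check_1_1_16="1.1.16 - Ensure that the --audit-log-path argument is set as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--audit-log-path' >/dev/null 2>&1; then
  pass "$check_1_1_16"
else
  warn "$check_1_1_16"
fi

# Audit-log retention: "N or as appropriate" - accept any integer >= the
# benchmark value instead of the old exact string match, which reported a
# longer retention as a failure. Non-numeric/empty values fail the numeric
# test (stderr silenced) and fall into the warn branch.
check_1_1_17="1.1.17 - Ensure that the --audit-log-maxage argument is set to 30 or as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--audit-log-maxage' >/dev/null 2>&1; then
  maxage=$(get_argument_value "$CIS_APISERVER_CMD" '--audit-log-maxage' | cut -d " " -f 1)
  if [ "$maxage" -ge 30 ] 2>/dev/null; then
    pass "$check_1_1_17"
    pass " * audit-log-maxage: $maxage"
  else
    warn "$check_1_1_17"
    warn " * audit-log-maxage: $maxage"
  fi
else
  warn "$check_1_1_17"
fi

check_1_1_18="1.1.18 - Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--audit-log-maxbackup' >/dev/null 2>&1; then
  maxbackup=$(get_argument_value "$CIS_APISERVER_CMD" '--audit-log-maxbackup' | cut -d " " -f 1)
  if [ "$maxbackup" -ge 10 ] 2>/dev/null; then
    pass "$check_1_1_18"
    pass " * audit-log-maxbackup: $maxbackup"
  else
    warn "$check_1_1_18"
    warn " * audit-log-maxbackup: $maxbackup"
  fi
else
  warn "$check_1_1_18"
fi

check_1_1_19="1.1.19 - Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--audit-log-maxsize' >/dev/null 2>&1; then
  maxsize=$(get_argument_value "$CIS_APISERVER_CMD" '--audit-log-maxsize' | cut -d " " -f 1)
  if [ "$maxsize" -ge 100 ] 2>/dev/null; then
    pass "$check_1_1_19"
    pass " * audit-log-maxsize: $maxsize"
  else
    warn "$check_1_1_19"
    warn " * audit-log-maxsize: $maxsize"
  fi
else
  warn "$check_1_1_19"
fi

check_1_1_20="1.1.20 - Ensure that the --authorization-mode argument is not set to AlwaysAllow"
if get_argument_value "$CIS_APISERVER_CMD" '--authorization-mode' | grep -q 'AlwaysAllow' 2>/dev/null; then
  warn "$check_1_1_20"
else
  pass "$check_1_1_20"
fi

check_1_1_21="1.1.21 - Ensure that the --token-auth-file parameter is not set"
if check_argument "$CIS_APISERVER_CMD" '--token-auth-file' >/dev/null 2>&1; then
  warn "$check_1_1_21"
else
  pass "$check_1_1_21"
fi

check_1_1_22="1.1.22 - Ensure that the --kubelet-certificate-authority argument is set as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--kubelet-certificate-authority' >/dev/null 2>&1; then
  pass "$check_1_1_22"
else
  warn "$check_1_1_22"
fi

check_1_1_23="1.1.23 - Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--kubelet-client-certificate' >/dev/null 2>&1 \
  && check_argument "$CIS_APISERVER_CMD" '--kubelet-client-key' >/dev/null 2>&1; then
  kubelet_client_cert=$(get_argument_value "$CIS_APISERVER_CMD" '--kubelet-client-certificate')
  kubelet_client_key=$(get_argument_value "$CIS_APISERVER_CMD" '--kubelet-client-key')
  pass "$check_1_1_23"
  pass " * kubelet-client-certificate: $kubelet_client_cert"
  pass " * kubelet-client-key: $kubelet_client_key"
else
  warn "$check_1_1_23"
fi

# A bare boolean flag is true, so presence is sufficient - but an explicit
# =false must not pass. The old presence-only test passed
# "--service-account-lookup=false"; the =false probe is checked first, in the
# same way 1.1.5 handles --kubelet-https.
check_1_1_24="1.1.24 - Ensure that the --service-account-lookup argument is set to true"
if check_argument "$CIS_APISERVER_CMD" '--service-account-lookup=false' >/dev/null 2>&1; then
  warn "$check_1_1_24"
elif check_argument "$CIS_APISERVER_CMD" '--service-account-lookup' >/dev/null 2>&1; then
  pass "$check_1_1_24"
else
  warn "$check_1_1_24"
fi

check_1_1_25="1.1.25 - Ensure that the admission control policy is set to PodSecurityPolicy"
if get_argument_value "$CIS_APISERVER_CMD" '--admission-control' | grep -q 'PodSecurityPolicy' 2>/dev/null; then
  pass "$check_1_1_25"
else
  warn "$check_1_1_25"
fi

check_1_1_26="1.1.26 - Ensure that the --service-account-key-file argument is set as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--service-account-key-file' >/dev/null 2>&1; then
  sa_key_file=$(get_argument_value "$CIS_APISERVER_CMD" '--service-account-key-file')
  pass "$check_1_1_26"
  pass " * service-account-key-file: $sa_key_file"
else
  warn "$check_1_1_26"
fi

check_1_1_27="1.1.27 - Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--etcd-certfile' >/dev/null 2>&1 \
  && check_argument "$CIS_APISERVER_CMD" '--etcd-keyfile' >/dev/null 2>&1; then
  etcd_certfile=$(get_argument_value "$CIS_APISERVER_CMD" '--etcd-certfile')
  etcd_keyfile=$(get_argument_value "$CIS_APISERVER_CMD" '--etcd-keyfile')
  pass "$check_1_1_27"
  pass " * etcd-certfile: $etcd_certfile"
  pass " * etcd-keyfile: $etcd_keyfile"
else
  warn "$check_1_1_27"
fi

check_1_1_28="1.1.28 - Ensure that the admission control policy is set to ServiceAccount"
if get_argument_value "$CIS_APISERVER_CMD" '--admission-control' | grep -q 'ServiceAccount' 2>/dev/null; then
  pass "$check_1_1_28"
else
  warn "$check_1_1_28"
fi

check_1_1_29="1.1.29 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--tls-cert-file' >/dev/null 2>&1 \
  && check_argument "$CIS_APISERVER_CMD" '--tls-private-key-file' >/dev/null 2>&1; then
  tls_certfile=$(get_argument_value "$CIS_APISERVER_CMD" '--tls-cert-file')
  tls_keyfile=$(get_argument_value "$CIS_APISERVER_CMD" '--tls-private-key-file')
  pass "$check_1_1_29"
  pass " * tls-cert-file: $tls_certfile"
  pass " * tls-private-key-file: $tls_keyfile"
else
  warn "$check_1_1_29"
fi

check_1_1_30="1.1.30 - Ensure that the --client-ca-file argument is set as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--client-ca-file' >/dev/null 2>&1; then
  client_cafile=$(get_argument_value "$CIS_APISERVER_CMD" '--client-ca-file')
  pass "$check_1_1_30"
  pass " * client-ca-file: $client_cafile"
else
  warn "$check_1_1_30"
fi

check_1_1_31="1.1.31 - Ensure that the --etcd-cafile argument is set as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--etcd-cafile' >/dev/null 2>&1; then
  etcd_cafile=$(get_argument_value "$CIS_APISERVER_CMD" '--etcd-cafile')
  pass "$check_1_1_31"
  pass " * etcd-cafile: $etcd_cafile"
else
  warn "$check_1_1_31"
fi

check_1_1_32="1.1.32 - Ensure that the admission control policy is set to NodeRestriction"
if get_argument_value "$CIS_APISERVER_CMD" '--admission-control' | grep -q 'NodeRestriction' 2>/dev/null; then
  pass "$check_1_1_32"
else
  warn "$check_1_1_32"
fi

# The old test grepped the *flag value* (a file path) for the literal text
# "EncryptionConfig", so a perfectly good config at e.g.
# /etc/kubernetes/encryption.yaml was reported as a failure. "Set as
# appropriate" is a presence check, reported like 1.1.26.
check_1_1_33="1.1.33 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate"
if check_argument "$CIS_APISERVER_CMD" '--experimental-encryption-provider-config' >/dev/null 2>&1; then
  encryption_config=$(get_argument_value "$CIS_APISERVER_CMD" '--experimental-encryption-provider-config')
  pass "$check_1_1_33"
  pass " * experimental-encryption-provider-config: $encryption_config"
else
  warn "$check_1_1_33"
fi

# The config file is joined onto one line so that "providers:" immediately
# followed by "- aescbc" can be matched: the first listed provider is the one
# used for new writes, so aescbc must come first. The file has to be readable
# from where the benchmark runs; a path the script cannot read is a warn.
check_1_1_34="1.1.34 - Ensure that the encryption provider is set to aescbc"
if check_argument "$CIS_APISERVER_CMD" '--experimental-encryption-provider-config' >/dev/null 2>&1; then
  encryption_config=$(get_argument_value "$CIS_APISERVER_CMD" '--experimental-encryption-provider-config')
  if [ -r "$encryption_config" ] \
    && sed ':a;N;$!ba;s/\n/ /g' "$encryption_config" | grep -q "providers:\s* - aescbc" 2>/dev/null; then
    pass "$check_1_1_34"
  else
    warn "$check_1_1_34"
  fi
else
  warn "$check_1_1_34"
fi

# ==== /1.0.0/master/master_2_scheduler.sh ====
# CIS Kubernetes Benchmark 1.0.0, section 1.2 - kube-scheduler flags.
info "1.2 - Scheduler"

check_1_2_1="1.2.1 - Ensure that the --profiling argument is set to false"
if check_argument "$CIS_SCHEDULER_CMD" '--profiling=false' >/dev/null 2>&1; then
  pass "$check_1_2_1"
else
  warn "$check_1_2_1"
fi

# ==== /1.0.0/master/master_3_contoller_manager.sh ====
# CIS Kubernetes Benchmark 1.0.0, section 1.3 - kube-controller-manager flags.
info "1.3 - Controller Manager"

check_1_3_1="1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate"
if check_argument "$CIS_MANAGER_CMD" '--terminated-pod-gc-threshold' >/dev/null 2>&1; then
  gc_threshold=$(get_argument_value "$CIS_MANAGER_CMD" '--terminated-pod-gc-threshold')
  pass "$check_1_3_1"
  pass " * terminated-pod-gc-threshold: $gc_threshold"
else
  warn "$check_1_3_1"
fi

check_1_3_2="1.3.2 - Ensure that the --profiling argument is set to false"
if check_argument "$CIS_MANAGER_CMD" '--profiling=false' >/dev/null 2>&1; then
  pass "$check_1_3_2"
else
  warn "$check_1_3_2"
fi

check_1_3_3="1.3.3 - Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set"
if check_argument "$CIS_MANAGER_CMD" '--insecure-experimental-approve-all-kubelet-csrs-for-group' >/dev/null 2>&1; then
  warn "$check_1_3_3"
else
  pass "$check_1_3_3"
fi

# Same shape as 1.1.24: a bare flag is true, an explicit =false is a failure
# that the old presence-only test let through.
check_1_3_4="1.3.4 - Ensure that the --use-service-account-credentials argument is set to true"
if check_argument "$CIS_MANAGER_CMD" '--use-service-account-credentials=false' >/dev/null 2>&1; then
  warn "$check_1_3_4"
elif check_argument "$CIS_MANAGER_CMD" '--use-service-account-credentials' >/dev/null 2>&1; then
  pass "$check_1_3_4"
else
  warn "$check_1_3_4"
fi

check_1_3_5="1.3.5 - Ensure that the --service-account-private-key-file argument is set as appropriate"
if check_argument "$CIS_MANAGER_CMD" '--service-account-private-key-file' >/dev/null 2>&1; then
  sa_private_key=$(get_argument_value "$CIS_MANAGER_CMD" '--service-account-private-key-file')
  pass "$check_1_3_5"
  pass " * service-account-private-key-file: $sa_private_key"
else
  warn "$check_1_3_5"
fi

check_1_3_6="1.3.6 - Ensure that the --root-ca-file argument is set as appropriate"
if check_argument "$CIS_MANAGER_CMD" '--root-ca-file' >/dev/null 2>&1; then
  root_cafile=$(get_argument_value "$CIS_MANAGER_CMD" '--root-ca-file')
  pass "$check_1_3_6"
  pass " * root-ca-file: $root_cafile"
else
  warn "$check_1_3_6"
fi

# ==== /1.0.0/master/master_4_configuration_files.sh ====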
-------------------------------------------------------------------------------- 1 | info "1.4 - Configuration Files" 2 | 3 | check_1_4_1="1.4.1 - Ensure that the apiserver file permissions are set to 644 or more restrictive" 4 | if [ -f "/etc/kubernetes/manifests/kube-apiserver.json" ]; then 5 | file="/etc/kubernetes/manifests/kube-apiserver.json" 6 | else 7 | file="/etc/kubernetes/manifests/kube-apiserver.yaml" 8 | fi 9 | if [ -f $file ]; then 10 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then 11 | pass "$check_1_4_1" 12 | else 13 | warn "$check_1_4_1" 14 | warn " * Wrong permissions for $file" 15 | fi 16 | else 17 | info "$check_1_4_1" 18 | info " * File not found" 19 | fi 20 | 21 | check_1_4_2="1.4.2 - Ensure that the apiserver file ownership is set to root:root" 22 | if [ -f "/etc/kubernetes/manifests/kube-apiserver.json" ]; then 23 | file="/etc/kubernetes/manifests/kube-apiserver.json" 24 | else 25 | file="/etc/kubernetes/manifests/kube-apiserver.yaml" 26 | fi 27 | if [ -f $file ]; then 28 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 29 | pass "$check_1_4_2" 30 | else 31 | warn "$check_1_4_2" 32 | warn " * Wrong ownership for $file" 33 | fi 34 | else 35 | info "$check_1_4_2" 36 | fi 37 | 38 | check_1_4_3="1.4.3 - Ensure that the config file permissions are set to 644 or more restrictive" 39 | file="/etc/kubernetes/admin.conf" 40 | if [ -f $file ]; then 41 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then 42 | pass "$check_1_4_3" 43 | else 44 | warn "$check_1_4_3" 45 | warn " * Wrong permissions for $file" 46 | fi 47 | else 48 | info "$check_1_4_3" 49 | info " * File not found" 50 | fi 51 | 52 | check_1_4_4="1.4.4 - Ensure that the config file ownership is set to root:root" 53 | file="/etc/kubernetes/admin.conf" 54 | if [ -f $file ]; then 55 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 56 | pass "$check_1_4_4" 57 | else 58 | warn 
"$check_1_4_4" 59 | warn " * Wrong ownership for $file" 60 | fi 61 | else 62 | info "$check_1_4_4" 63 | info " * File not found" 64 | fi 65 | 66 | check_1_4_5="1.4.5 - Ensure that the scheduler file permissions are set to 644 or more restrictive" 67 | if [ -f "/etc/kubernetes/manifests/kube-scheduler.json" ]; then 68 | file="/etc/kubernetes/manifests/kube-scheduler.json" 69 | else 70 | file="/etc/kubernetes/manifests/kube-scheduler.yaml" 71 | fi 72 | if [ -f $file ]; then 73 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then 74 | pass "$check_1_4_5" 75 | else 76 | warn "$check_1_4_5" 77 | warn " * Wrong permissions for $file" 78 | fi 79 | else 80 | info "$check_1_4_5" 81 | info " * File not found" 82 | fi 83 | 84 | check_1_4_6="1.4.6 - Ensure that the scheduler file ownership is set to root:root" 85 | if [ -f "/etc/kubernetes/manifests/kube-scheduler.json" ]; then 86 | file="/etc/kubernetes/manifests/kube-scheduler.json" 87 | else 88 | file="/etc/kubernetes/manifests/kube-scheduler.yaml" 89 | fi 90 | if [ -f $file ]; then 91 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 92 | pass "$check_1_4_6" 93 | else 94 | warn "$check_1_4_6" 95 | warn " * Wrong ownership for $file" 96 | fi 97 | else 98 | info "$check_1_4_6" 99 | info " * File not found" 100 | fi 101 | 102 | check_1_4_7="1.4.7 - Ensure that the etcd.conf file permissions are set to 644 or more restrictive" 103 | if [ -f "/etc/kubernetes/manifests/etcd.json" ]; then 104 | file="/etc/kubernetes/manifests/etcd.json" 105 | else 106 | file="/etc/kubernetes/manifests/etcd.yaml" 107 | fi 108 | if [ -f $file ]; then 109 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then 110 | pass "$check_1_4_7" 111 | else 112 | warn "$check_1_4_7" 113 | warn " * Wrong permissions for $file" 114 | fi 115 | else 116 | info "$check_1_4_7" 117 | info " * File not found" 118 | fi 119 | 120 | check_1_4_8="1.4.8 - Ensure 
that the etcd.conf file ownership is set to root:root" 121 | if [ -f "/etc/kubernetes/manifests/etcd.json" ]; then 122 | file="/etc/kubernetes/manifests/etcd.json" 123 | else 124 | file="/etc/kubernetes/manifests/etcd.yaml" 125 | fi 126 | if [ -f $file ]; then 127 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 128 | pass "$check_1_4_8" 129 | else 130 | warn "$check_1_4_8" 131 | warn " * Wrong ownership for $file" 132 | fi 133 | else 134 | info "$check_1_4_8" 135 | fi 136 | 137 | #TODO 138 | check_1_4_9="1.4.9 - Ensure that the flanneld file permissions are set to 644 or more restrictive" 139 | check_1_4_10="1.4.10 - Ensure that the flanneld file ownership is set to root:root" 140 | check_1_4_11="1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more restrictive" 141 | directory=$(get_argument_value "$CIS_ETCD_CMD" '--data-dir') 142 | if [ -d $directory ]; then 143 | if [ "$(stat -c %a $directory)" -eq 700 ]; then 144 | pass "$check_1_4_11" 145 | else 146 | warn "$check_1_4_11" 147 | perm=$(stat -c %a $directory) 148 | warn " * Wrong permissions for $directory:$perm" 149 | fi 150 | else 151 | warn "$check_1_4_11" 152 | warn " * Directory not found:$directory" 153 | fi 154 | 155 | check_1_4_12="1.4.12 - Ensure that the etcd data directory ownership is set to etcd:etcd" 156 | directory=$(get_argument_value "$CIS_ETCD_CMD" '--data-dir') 157 | if [ -d $directory ]; then 158 | if [ "$(stat -c %U:%G $directory)" = "etcd:etcd" ]; then 159 | pass "$check_1_4_12" 160 | else 161 | warn "$check_1_4_12" 162 | owner=$(stat -c %U:%G $directory) 163 | warn " * Wrong ownership for $directory:$owner" 164 | fi 165 | else 166 | warn "$check_1_4_12" 167 | warn " * Directory not found:$directory" 168 | fi 169 | -------------------------------------------------------------------------------- /1.0.0/master/master_5_etcd.sh: -------------------------------------------------------------------------------- 1 | info "1.5 - etcd" 2 | 3 | check_1_5_1="1.5.1 - Ensure that 
the --cert-file and --key-file arguments are set as appropriate (Scored)" 4 | if check_argument "$CIS_ETCD_CMD" '--cert-file' >/dev/null 2>&1; then 5 | if check_argument "$CIS_ETCD_CMD" '--key-file' >/dev/null 2>&1; then 6 | cfile=$(get_argument_value "$CIS_ETCD_CMD" '--cert-file') 7 | kfile=$(get_argument_value "$CIS_ETCD_CMD" '--key-file') 8 | pass "$check_1_5_1" 9 | pass " * cert-file: $cfile" 10 | pass " * key-file: $kfile" 11 | else 12 | warn "$check_1_5_1" 13 | fi 14 | else 15 | warn "$check_1_5_1" 16 | fi 17 | 18 | check_1_5_2="1.5.2 - Ensure that the --client-cert-auth argument is set to true (Scored)" 19 | if check_argument "$CIS_ETCD_CMD" '--client-cert-auth' >/dev/null 2>&1; then 20 | pass "$check_1_5_2" 21 | else 22 | warn "$check_1_5_2" 23 | fi 24 | 25 | check_1_5_3="1.5.3 - Ensure that the --auto-tls argument is not set to true (Scored)" 26 | if check_argument "$CIS_ETCD_CMD" '--auto-tls=tru' >/dev/null 2>&1; then 27 | warn "$check_1_5_3" 28 | else 29 | pass "$check_1_5_3" 30 | fi 31 | 32 | check_1_5_4="1.5.4 - Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)" 33 | if check_argument "$CIS_ETCD_CMD" '--peer-cert-file' >/dev/null 2>&1; then 34 | if check_argument "$CIS_ETCD_CMD" '--peer-key-file' >/dev/null 2>&1; then 35 | cfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-cert-file') 36 | kfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-key-file') 37 | pass "$check_1_5_4" 38 | pass " * peer-cert-file: $cfile" 39 | pass " * peer-key-file: $kfile" 40 | else 41 | warn "$check_1_5_4" 42 | fi 43 | else 44 | warn "$check_1_5_4" 45 | fi 46 | 47 | check_1_5_5="1.5.5 - Ensure that the --peer-client-cert-auth argument is set to true (Scored)" 48 | if check_argument "$CIS_ETCD_CMD" '--peer-client-cert-auth' >/dev/null 2>&1; then 49 | pass "$check_1_5_5" 50 | else 51 | warn "$check_1_5_5" 52 | fi 53 | 54 | check_1_5_6="1.5.6 - Ensure that the --peer-auto-tls argument is not set to true (Scored)" 55 | if 
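check_argument "$CIS_ETCD_CMD" '--peer-auto-tls=true' >/dev/null 2>&1; then
  warn "$check_1_5_6"
else
  pass "$check_1_5_6"
fi

check_1_5_7="1.5.7 - Ensure that the --wal-dir argument is set as appropriate (Scored)"
if check_argument "$CIS_ETCD_CMD" '--wal-dir' >/dev/null 2>&1; then
  wdir=$(get_argument_value "$CIS_ETCD_CMD" '--wal-dir')
  pass "$check_1_5_7"
  pass " * wal-dir: $wdir"
else
  warn "$check_1_5_7"
fi

check_1_5_8="1.5.8 - Ensure that the --max-wals argument is set to 0 (Scored)"
if check_argument "$CIS_ETCD_CMD" '--max-wals=0' >/dev/null 2>&1; then
  pass "$check_1_5_8"
else
  warn "$check_1_5_8"
fi

#TODO
check_1_5_9="1.5.9 - Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
-------------------------------------------------------------------------------- /1.0.0/master/master_6_general_security_primitives.sh: --------------------------------------------------------------------------------
info "1.6 - General Security Primitives"

# Make the loop separator be a new-line in POSIX compliant fashion.
# Fixed: $'...' is a bash-only quoting form; under /bin/sh (dash) it left a
# literal '$' in IFS. A single-quoted literal newline is portable.
# set -f disables globbing so the unquoted $list expansions below only split.
set -f
IFS='
'

check_1_6_1="1.6.1 - Ensure that the cluster-admin role is only used where required(Not Scored)"
cluster_admins=$(kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name)
info "$check_1_6_1"
# Informational: one line of kubectl output per binding.
for admin in $cluster_admins; do
  info " * $admin"
done

check_1_6_2="1.6.2 - Create Pod Security Policies for your cluster (Not Scored)"
policies=$(kubectl get psp)
info "$check_1_6_2"
for policy in $policies; do
  info " * $policy"
done

check_1_6_3="1.6.3 - Create administrative boundaries between resources using namespaces (Not Scored)"
namespaces=$(kubectl get namespaces)
info "$check_1_6_3"
for namespace in $namespaces; do
  info " * $namespace"
done
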
check_1_6_4="1.6.4 - Create network segmentation using Network Policies (Not Scored)"
# NOTE(review): this lists kube-system pods, not NetworkPolicy objects; it may be
# meant to show whether a policy-capable network plugin runs — confirm intent.
policies=$(kubectl get pods --namespace=kube-system)
info "$check_1_6_4"
for entry in $policies; do
  info " * $entry"
done

check_1_6_5="1.6.5 - Avoid using Kubernetes Secrets (Not Scored)"
# Informational only: enumerates Secrets in the current namespace.
secrets=$(kubectl get secrets)
info "$check_1_6_5"
for entry in $secrets; do
  info " * $entry"
done

#TODO
# The remaining 1.6.x items are reported as titles only; no automated test yet.
check_1_6_6="1.6.6 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
info "$check_1_6_6"
check_1_6_7="1.6.7 - Apply Security Context to Your Pods and Containers (Not Scored)"
info "$check_1_6_7"
check_1_6_8="1.6.8 - Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
info "$check_1_6_8"
-------------------------------------------------------------------------------- /1.0.0/worker/worker_1_kubelet.sh: --------------------------------------------------------------------------------
info "2.1 - Kubelet"

# Each kubelet check greps the running process's flags via check_argument
# (helper.sh) and reports pass/warn against the CIS item title.
check_2_1_1="2.1.1 - Ensure that the --allow-privileged argument is set to false"
if check_argument "$CIS_KUBELET_CMD" '--allow-privileged=false' >/dev/null 2>&1; then
  pass "$check_2_1_1"
else
  warn "$check_2_1_1"
fi

check_2_1_2="2.1.2 - Ensure that the --anonymous-auth argument is set to false"
if check_argument "$CIS_KUBELET_CMD" '--anonymous-auth=false' >/dev/null 2>&1; then
  pass "$check_2_1_2"
else
  warn "$check_2_1_2"
fi

check_2_1_3="2.1.3 - Ensure that the --authorization-mode argument is not set to AlwaysAllow"
# Inverted check: presence of the insecure value is the failure.
if check_argument "$CIS_KUBELET_CMD" '--authorization-mode=AlwaysAllow' >/dev/null 2>&1; then
  warn "$check_2_1_3"
else
  pass "$check_2_1_3"
fi

check_2_1_4="2.1.4 - Ensure that the --client-ca-file argument is set as appropriate"
if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null
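2>&1; then
  cafile=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file')
  pass "$check_2_1_4"
  pass " * client-ca-file: $cafile"
else
  warn "$check_2_1_4"
fi

check_2_1_5="2.1.5 - Ensure that the --read-only-port argument is set to 0"
if check_argument "$CIS_KUBELET_CMD" '--read-only-port' >/dev/null 2>&1; then
  port=$(get_argument_value "$CIS_KUBELET_CMD" '--read-only-port' | cut -d " " -f 1)
  # Fixed: $port is quoted so an empty value cannot break the test expression
  # (unquoted it produced `[ = "0" ]`, a syntax error, instead of a clean warn).
  if [ "$port" = "0" ]; then
    pass "$check_2_1_5"
  else
    warn "$check_2_1_5"
    warn " * read-only-port: $port"
  fi
else
  warn "$check_2_1_5"
fi

check_2_1_6="2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0"
# NOTE(review): the flag takes a duration; whether '=0' also matches '=0s'
# depends on check_argument's matching — confirm in helper.sh.
if check_argument "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout=0' >/dev/null 2>&1; then
  timeout=$(get_argument_value "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout')
  warn "$check_2_1_6"
  warn " * streaming-connection-idle-timeout: $timeout"
else
  pass "$check_2_1_6"
fi

check_2_1_7="2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true"
if check_argument "$CIS_KUBELET_CMD" '--protect-kernel-defaults=true' >/dev/null 2>&1; then
  pass "$check_2_1_7"
else
  warn "$check_2_1_7"
fi

check_2_1_8="2.1.8 - Ensure that the --make-iptables-util-chains argument is set to true"
if check_argument "$CIS_KUBELET_CMD" '--make-iptables-util-chains=true' >/dev/null 2>&1; then
  pass "$check_2_1_8"
else
  warn "$check_2_1_8"
fi

check_2_1_9="2.1.9 - Ensure that the --keep-terminated-pod-volumes argument is set to false"
if check_argument "$CIS_KUBELET_CMD" '--keep-terminated-pod-volumes=false' >/dev/null 2>&1; then
  pass "$check_2_1_9"
else
  warn "$check_2_1_9"
fi

check_2_1_10="2.1.10 - Ensure that the --hostname-override argument is not set"
if check_argument "$CIS_KUBELET_CMD"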
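'--hostname-override' >/dev/null 2>&1; then
  warn "$check_2_1_10"
else
  pass "$check_2_1_10"
fi

check_2_1_11="2.1.11 - Ensure that the --event-qps argument is set to 0"
if check_argument "$CIS_KUBELET_CMD" '--event-qps' >/dev/null 2>&1; then
  event=$(get_argument_value "$CIS_KUBELET_CMD" '--event-qps' | cut -d " " -f 1)
  # Fixed: quoted so an empty value yields a warn instead of a test syntax error.
  if [ "$event" = "0" ]; then
    pass "$check_2_1_11"
  else
    warn "$check_2_1_11"
    warn " * event-qps: $event"
  fi
else
  warn "$check_2_1_11"
fi

check_2_1_12="2.1.12 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate"
if check_argument "$CIS_KUBELET_CMD" '--tls-cert-file' >/dev/null 2>&1; then
  if check_argument "$CIS_KUBELET_CMD" '--tls-private-key-file' >/dev/null 2>&1; then
    cfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-cert-file')
    kfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-private-key-file')
    pass "$check_2_1_12"
    pass " * tls-cert-file: $cfile"
    pass " * tls-private-key-file: $kfile"
  else
    warn "$check_2_1_12"
  fi
else
  warn "$check_2_1_12"
fi

check_2_1_13="2.1.13 - Ensure that the --cadvisor-port argument is set to 0"
if check_argument "$CIS_KUBELET_CMD" '--cadvisor-port' >/dev/null 2>&1; then
  port=$(get_argument_value "$CIS_KUBELET_CMD" '--cadvisor-port' | cut -d " " -f 1)
  # Fixed: same quoting fix as 2.1.11.
  if [ "$port" = "0" ]; then
    pass "$check_2_1_13"
  else
    warn "$check_2_1_13"
    warn " * cadvisor-port: $port"
  fi
else
  warn "$check_2_1_13"
fi

-------------------------------------------------------------------------------- /1.0.0/worker/worker_2_configure_files.sh: --------------------------------------------------------------------------------
info "2.2 - Configuration Files"

check_2_2_1="2.2.1 - Ensure that the config file permissions are set to 644 or more restrictive"
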
if [ -f "/etc/kubernetes/config" ]; then
  file="/etc/kubernetes/config"
else
  file="/etc/kubernetes/kubelet.conf"
fi

# Mode is accepted when it is exactly 644 or 600 (numeric compare on stat %a).
if [ -f "$file" ]; then
  mode=$(stat -c %a "$file")
  if [ "$mode" -eq 644 ] || [ "$mode" -eq 600 ]; then
    pass "$check_2_2_1"
  else
    warn "$check_2_2_1"
    warn " * Wrong permissions for $file"
  fi
else
  info "$check_2_2_1"
  info " * File not found"
fi

check_2_2_2="2.2.2 - Ensure that the config file ownership is set to root:root"
# Reuses $file chosen for 2.2.1. %u%g is 0 only for uid 0 / gid 0.
if [ -f "$file" ]; then
  if [ "$(stat -c %u%g "$file")" -eq 00 ]; then
    pass "$check_2_2_2"
  else
    warn "$check_2_2_2"
    warn " * Wrong ownership for $file"
  fi
else
  info "$check_2_2_2"
fi

check_2_2_3="2.2.3 - Ensure that the kubelet file permissions are set to 644 or more restrictive"
if [ -f "/etc/kubernetes/kubelet" ]; then
  file="/etc/kubernetes/kubelet"
else
  file="/etc/kubernetes/kubelet.conf"
fi

if [ -f "$file" ]; then
  mode=$(stat -c %a "$file")
  if [ "$mode" -eq 644 ] || [ "$mode" -eq 600 ]; then
    pass "$check_2_2_3"
  else
    warn "$check_2_2_3"
    warn " * Wrong permissions for $file"
  fi
else
  info "$check_2_2_3"
  info " * File not found"
fi

check_2_2_4="2.2.4 - Ensure that the kubelet file ownership is set to root:root"
if [ -f "$file" ]; then
  if [ "$(stat -c %u%g "$file")" -eq 00 ]; then
    pass "$check_2_2_4"
  else
    warn "$check_2_2_4"
    warn " * Wrong ownership for $file"
  fi
else
  info "$check_2_2_4"
fi

check_2_2_5="2.2.5 - Ensure that the proxy file permissions are set to 644 or more restrictive"
file="/etc/kubernetes/proxy"

if [ -f "$file" ]; then
  mode=$(stat -c %a "$file")
  if [ "$mode" -eq 644 ] || [ "$mode" -eq 600 ]; then
    pass "$check_2_2_5"
  else
    warn "$check_2_2_5"
    warn " * Wrong permissions for $file"
  fi
else
  info "$check_2_2_5"
  info " * File not found"
fi

check_2_2_6="2.2.6 - Ensure that the proxy file ownership is set to root:root"
# Reuses $file from 2.2.5.
if [ -f "$file" ]; then
  if [ "$(stat -c %u%g "$file")" -eq 00 ]; then
    pass "$check_2_2_6"
  else
    warn "$check_2_2_6"
    warn " * Wrong ownership for $file"
  fi
else
  info "$check_2_2_6"
fi


-------------------------------------------------------------------------------- /1.2.0/federation.sh: --------------------------------------------------------------------------------
#!/bin/sh
# ------------------------------------------------------------------------------
# Kubernetes CIS benchmark 1.6
#
# Neuvector, Inc. (c) 2016-
#
# NeuVector delivers an application and network intelligent container security
# solution that automatically adapts to protect running containers. Don’t let
# security concerns slow down your CI/CD processes.
# ------------------------------------------------------------------------------
# Load dependencies (info/pass/warn, check_argument, get_argument_value)
. ./helper.sh

# Check for required program(s)
req_progs='grep'
for p in $req_progs; do
  command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done

# Load all the tests from tests/ and run them.
# Each test file is sourced (not executed) so it shares this shell's helpers.
main () {
  info "3 - Federated Deployments"

  for test in federation/federation_*.sh
  do
    .
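    ./"$test"
  done
}

main "$@"

-------------------------------------------------------------------------------- /1.2.0/federation/check_federation.sh: --------------------------------------------------------------------------------

# Gate: only run the federation checks on a node that hosts federation-apiserver.
# Exit status 2 tells the caller this node is out of scope, not a failure.
if ps -ef | grep federation-apiserver 2>/dev/null | grep -v "grep" >/dev/null 2>&1; then
  info "Kubernetes Federated Deployments"
else
  info "This node is not a Kubernetes Federated node"
  exit 2
fi

-------------------------------------------------------------------------------- /1.2.0/federation/federation_1_api_server.sh: --------------------------------------------------------------------------------
info "3.1 - Federation API Server"

check_3_1_1="3.1.1 Ensure that the --anonymous-auth argument is set to false"
if check_argument 'federation-apiserver' '--anonymous-auth=false' >/dev/null 2>&1; then
  pass "$check_3_1_1"
else
  warn "$check_3_1_1"
fi

# Fixed: this line read `check_3_1_=2"..."`, assigning a variable named
# check_3_1_ and leaving $check_3_1_2 empty, so the result below printed blank.
check_3_1_2="3.1.2 Ensure that the --basic-auth-file argument is not set"
if check_argument 'federation-apiserver' '--basic-auth-file' >/dev/null 2>&1; then
  warn "$check_3_1_2"
else
  pass "$check_3_1_2"
fi

check_3_1_3="3.1.3 Ensure that the --insecure-allow-any-token argument is not set"
if check_argument 'federation-apiserver' '--insecure-allow-any-token' >/dev/null 2>&1; then
  warn "$check_3_1_3"
else
  pass "$check_3_1_3"
fi

check_3_1_4="3.1.4 Ensure that the --insecure-bind-address argument is not set"
if check_argument 'federation-apiserver' '--insecure-bind-address' >/dev/null 2>&1; then
  warn "$check_3_1_4"
else
  pass "$check_3_1_4"
fi

check_3_1_5="3.1.5 Ensure that the --insecure-port argument is set to 0"
if check_argument 'federation-apiserver' '--insecure-port' >/dev/null 2>&1; then
  # get_argument_value may return trailing text; keep only the first field.
  port=$(get_argument_value 'federation-apiserver' '--insecure-port'|cut -d " " -f 1)
  if [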
"$port" = "0" ]; then 35 | pass "$check_3_1_5" 36 | else 37 | warn "$check_3_1_5" 38 | warn " * insecure-port: $port" 39 | fi 40 | else 41 | warn "$check_3_1_5" 42 | fi 43 | 44 | check_3_1_6="3.1.6 Ensure that the --secure-port argument is not set to 0" 45 | if check_argument 'federation-apiserver' '--secure-port' >/dev/null 2>&1; then 46 | port=$(get_argument_value 'federation-apiserver' '--secure-port'|cut -d " " -f 1) 47 | if [ "$port" = "0" ]; then 48 | warn "$check_3_1_6" 49 | warn " * secure-port: $port" 50 | else 51 | pass "$check_3_1_6" 52 | fi 53 | else 54 | pass "$check_3_1_6" 55 | fi 56 | 57 | check_3_1_7="3.1.7 Ensure that the --profiling argument is set to false" 58 | if check_argument 'federation-apiserver' '--profiling=false' >/dev/null 2>&1; then 59 | pass "$check_3_1_7" 60 | else 61 | warn "$check_3_1_7" 62 | fi 63 | 64 | check_3_1_8="3.1.8 Ensure that the admission control policy is not set to AlwaysAdmit" 65 | if get_argument_value 'federation-apiserver' '--admission-control'| grep 'AlwaysAdmit' >/dev/null 2>&1; then 66 | warn "$check_3_1_8" 67 | else 68 | pass "$check_3_1_8" 69 | fi 70 | 71 | check_3_1_9="3.1.9 Ensure that the admission control policy is set to NamespaceLifecycle" 72 | if get_argument_value 'federation-apiserver' '--admission-control'| grep 'NamespaceLifecycle' >/dev/null 2>&1; then 73 | pass "$check_3_1_9" 74 | else 75 | warn "$check_3_1_9" 76 | fi 77 | 78 | check_3_1_10="3.1.10 Ensure that the --audit-log-path argument is set as appropriate" 79 | if check_argument 'federation-apiserver' '--audit-log-path' >/dev/null 2>&1; then 80 | v=$(get_argument_value 'federation-apiserver' '--audit-log-path') 81 | pass "$check_3_1_10" 82 | pass " * audit-log-path: $v" 83 | else 84 | warn "$check_3_1_10" 85 | fi 86 | 87 | check_3_1_11="3.1.11 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate" 88 | if check_argument 'federation-apiserver' '--audit-log-maxage' >/dev/null 2>&1; then 89 | v=$(get_argument_value 
'federation-apiserver' '--audit-log-maxage'|cut -d " " -f 1) 90 | if [ "$v" = "30" ]; then 91 | pass "$check_3_1_11" 92 | pass " * audit-log-maxage: $v" 93 | else 94 | warn "$check_3_1_11" 95 | warn " * audit-log-maxage: $v" 96 | fi 97 | else 98 | warn "$check_3_1_11" 99 | fi 100 | 101 | check_3_1_12="3.1.12 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate" 102 | if check_argument 'federation-apiserver' '--audit-log-maxbackup' >/dev/null 2>&1; then 103 | v=$(get_argument_value 'federation-apiserver' '--audit-log-maxbackup' |cut -d " " -f 1) 104 | if [ "$v" = "10" ]; then 105 | pass "$check_3_1_12" 106 | pass " * audit-log-maxbackup : $v" 107 | else 108 | warn "$check_3_1_12" 109 | warn " * audit-log-maxbackup : $v" 110 | fi 111 | else 112 | warn "$check_3_1_12" 113 | fi 114 | 115 | check_3_1_13="3.1.13 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate" 116 | if check_argument 'federation-apiserver' '--audit-log-maxsize' >/dev/null 2>&1; then 117 | v=$(get_argument_value 'federation-apiserver' '--audit-log-maxsize' |cut -d " " -f 1) 118 | if [ "$v" = "100" ]; then 119 | pass "$check_3_1_13" 120 | pass " * audit-log-maxsize : $v" 121 | else 122 | warn "$check_3_1_13" 123 | warn " * audit-log-maxsize : $v" 124 | fi 125 | else 126 | warn "$check_3_1_13" 127 | fi 128 | 129 | check_3_1_14="3.1.14 Ensure that the --authorization-mode argument is not set to AlwaysAllow" 130 | if get_argument_value 'federation-apiserver' '--authorization-mode'| grep 'AlwaysAllow' >/dev/null 2>&1; then 131 | warn "$check_3_1_14" 132 | else 133 | pass "$check_3_1_14" 134 | fi 135 | 136 | check_3_1_15="3.1.15 Ensure that the --token-auth-file parameter is not set" 137 | if check_argument 'federation-apiserver' '--token-auth-file' >/dev/null 2>&1; then 138 | warn "$check_3_1_15" 139 | else 140 | pass "$check_3_1_15" 141 | fi 142 | 143 | check_3_1_16="3.1.16 Ensure that the --service-account-lookup argument is set to true" 144 | if 
check_argument 'federation-apiserver' '--service-account-lookup=true' >/dev/null 2>&1; then 145 | pass "$check_3_1_16" 146 | else 147 | warn "$check_3_1_16" 148 | fi 149 | 150 | check_3_1_17="3.1.17 Ensure that the --service-account-key-file argument is set as appropriate" 151 | if check_argument 'federation-apiserver' '--service-account-key-file' >/dev/null 2>&1; then 152 | v=$(get_argument_value 'federation-apiserver' '--service-account-key-file') 153 | pass "$check_3_1_17" 154 | pass " * service-account-key-file: $v" 155 | else 156 | warn "$check_3_1_17" 157 | fi 158 | 159 | check_3_1_18="3.1.18 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate" 160 | if check_argument 'federation-apiserver' '--etcd-certfile' >/dev/null 2>&1; then 161 | if check_argument 'federation-apiserver' '--etcd-keyfile' >/dev/null 2>&1; then 162 | v1=$(get_argument_value 'federation-apiserver' '--etcd-certfile') 163 | v2=$(get_argument_value 'federation-apiserver' '--etcd-keyfile') 164 | pass "$check_3_1_18" 165 | pass " * etcd-certfile: $v1" 166 | pass " * etcd-keyfile: $v2" 167 | else 168 | warn "$check_3_1_18" 169 | fi 170 | else 171 | warn "$check_3_1_18" 172 | fi 173 | 174 | check_3_1_19="3.1.19 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate" 175 | if check_argument 'federation-apiserver' '--tls-cert-file' >/dev/null 2>&1; then 176 | if check_argument 'federation-apiserver' '--tls-private-key-file' >/dev/null 2>&1; then 177 | v1=$(get_argument_value 'federation-apiserver' '--tls-cert-file') 178 | v2=$(get_argument_value 'federation-apiserver' '--tls-private-key-file') 179 | pass "$check_3_1_19" 180 | pass " * tls-cert-file: $v1" 181 | pass " * tls-private-key-file: $v2" 182 | else 183 | warn "$check_3_1_19" 184 | fi 185 | else 186 | warn "$check_3_1_19" 187 | fi 188 | 189 | 190 | -------------------------------------------------------------------------------- 
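/1.2.0/federation/federation_2_controller_manager.sh: --------------------------------------------------------------------------------
info "3.2 - Federation Controller Manager"

# Fixed: the title lacked its CIS item number, unlike every other check in this
# suite, so the report line could not be matched to the benchmark.
check_3_2_1="3.2.1 Ensure that the --profiling argument is set to false"
if check_argument 'federation-controller-manager' '--profiling=false' >/dev/null 2>&1; then
  pass "$check_3_2_1"
else
  warn "$check_3_2_1"
fi

-------------------------------------------------------------------------------- /1.2.0/master.sh: --------------------------------------------------------------------------------
#!/bin/sh

# ------------------------------------------------------------------------------
# Kubernetes CIS benchmark 1.6
#
# Neuvector, Inc. (c) 2016-
# ------------------------------------------------------------------------------

# Load dependencies (info/pass/warn, check_argument, get_argument_value)
. ./helper.sh

# Check for required program(s)
req_progs='grep'
for p in $req_progs; do
  command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done

# Load all the tests from master/ and run them.
# Test files are sourced so they share this shell's helper functions.
main () {
  for test in master/master_*.sh
  do
    .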
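    ./"$test"
  done
}

main "$@"
-------------------------------------------------------------------------------- /1.2.0/master/master_2_scheduler.sh: --------------------------------------------------------------------------------
info "1.2 - Scheduler"

check_1_2_1="1.2.1 - Ensure that the --profiling argument is set to false"
if check_argument "$CIS_SCHEDULER_CMD" '--profiling=false' >/dev/null 2>&1; then
  pass "$check_1_2_1"
else
  warn "$check_1_2_1"
fi

-------------------------------------------------------------------------------- /1.2.0/master/master_3_contoller_manager.sh: --------------------------------------------------------------------------------
info "1.3 - Controller Manager"

check_1_3_1="1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate"
# Filter out processes like "/bin/tee -a /var/log/kube-controller-manager.log"
# which exist on kops-managed clusters.
if check_argument "$CIS_MANAGER_CMD" '--terminated-pod-gc-threshold' >/dev/null 2>&1; then
  threshold=$(get_argument_value "$CIS_MANAGER_CMD" '--terminated-pod-gc-threshold')
  pass "$check_1_3_1"
  pass " * terminated-pod-gc-threshold: $threshold"
else
  # Fixed: a leftover `echo "done"` debug line wrote a stray "done" into the
  # report output on this path; only the warn belongs here.
  warn "$check_1_3_1"
fi

check_1_3_2="1.3.2 - Ensure that the --profiling argument is set to false"
if check_argument "$CIS_MANAGER_CMD" '--profiling=false' >/dev/null 2>&1; then
  pass "$check_1_3_2"
else
  warn "$check_1_3_2"
fi

check_1_3_3="1.3.3 - Ensure that the --use-service-account-credentials argument is set to true"
# NOTE(review): presence-only test; an explicit =false would also pass.
if check_argument "$CIS_MANAGER_CMD" '--use-service-account-credentials' >/dev/null 2>&1; then
  pass "$check_1_3_3"
else
  warn "$check_1_3_3"
fi

check_1_3_4="1.3.4 - Ensure that the --service-account-private-key-file argument is set as appropriate"
if check_argument "$CIS_MANAGER_CMD"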
'--service-account-private-key-file' >/dev/null 2>&1; then 31 | keyfile=$(get_argument_value "$CIS_MANAGER_CMD" '--service-account-private-key-file') 32 | pass "$check_1_3_4" 33 | pass " * service-account-private-key-file: $keyfile" 34 | else 35 | warn "$check_1_3_4" 36 | fi 37 | 38 | check_1_3_5="1.3.5 - Ensure that the --root-ca-file argument is set as appropriate" 39 | if check_argument "$CIS_MANAGER_CMD" '--root-ca-file' >/dev/null 2>&1; then 40 | cafile=$(get_argument_value "$CIS_MANAGER_CMD" '--root-ca-file') 41 | pass "$check_1_3_5" 42 | pass " * root-ca-file: $cafile" 43 | else 44 | warn "$check_1_3_5" 45 | fi 46 | -------------------------------------------------------------------------------- /1.2.0/master/master_4_configuration_files.sh: -------------------------------------------------------------------------------- 1 | info "1.4 - Configuration Files" 2 | 3 | check_1_4_1="1.4.1 - Ensure that the API server pod specification file permissions are set to 644 or more restrictive" 4 | if [ -f "/etc/kubernetes/manifests/kube-apiserver.json" ]; then 5 | file="/etc/kubernetes/manifests/kube-apiserver.json" 6 | elif [ -f "/etc/kubernetes/manifests/kube-apiserver.manifest" ]; then 7 | # kops 8 | file="/etc/kubernetes/manifests/kube-apiserver.manifest" 9 | else 10 | file="/etc/kubernetes/manifests/kube-apiserver.yaml" 11 | fi 12 | if [ -f $file ]; then 13 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then 14 | pass "$check_1_4_1" 15 | else 16 | warn "$check_1_4_1" 17 | warn " * Wrong permissions for $file" 18 | fi 19 | else 20 | info "$check_1_4_1" 21 | info " * File not found" 22 | fi 23 | 24 | check_1_4_2="1.4.2 - Ensure that the API server pod specification file ownership is set to root:root" 25 | if [ -f "/etc/kubernetes/manifests/kube-apiserver.json" ]; then 26 | file="/etc/kubernetes/manifests/kube-apiserver.json" 27 | elif [ -f "/etc/kubernetes/manifests/kube-apiserver.manifest" ]; then 28 | # 
kops 29 | file="/etc/kubernetes/manifests/kube-apiserver.manifest" 30 | else 31 | file="/etc/kubernetes/manifests/kube-apiserver.yaml" 32 | fi 33 | if [ -f $file ]; then 34 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 35 | pass "$check_1_4_2" 36 | else 37 | warn "$check_1_4_2" 38 | warn " * Wrong ownership for $file" 39 | fi 40 | else 41 | info "$check_1_4_2" 42 | fi 43 | 44 | check_1_4_3="1.4.3 - Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive" 45 | if [ -f "/etc/kubernetes/manifests/kube-controller-manager.json" ]; then 46 | file="/etc/kubernetes/manifests/kube-controller-manager.json" 47 | elif [ -f "/etc/kubernetes/manifests/kube-controller-manager.manifest" ]; then 48 | # kops 49 | file="/etc/kubernetes/manifests/kube-controller-manager.manifest" 50 | else 51 | file="/etc/kubernetes/manifests/kube-controller-manager.yaml" 52 | fi 53 | if [ -f $file ]; then 54 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then 55 | pass "$check_1_4_3" 56 | else 57 | warn "$check_1_4_3" 58 | warn " * Wrong permissions for $file" 59 | fi 60 | else 61 | info "$check_1_4_3" 62 | info " * File not found" 63 | fi 64 | 65 | check_1_4_4="1.4.4 - Ensure that the controller manager pod specification file ownership is set to root:root" 66 | if [ -f "/etc/kubernetes/manifests/kube-controller-manager.json" ]; then 67 | file="/etc/kubernetes/manifests/kube-controller-manager.json" 68 | elif [ -f "/etc/kubernetes/manifests/kube-controller-manager.manifest" ]; then 69 | # kops 70 | file="/etc/kubernetes/manifests/kube-controller-manager.manifest" 71 | else 72 | file="/etc/kubernetes/manifests/kube-controller-manager.yaml" 73 | fi 74 | if [ -f $file ]; then 75 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 76 | pass "$check_1_4_4" 77 | else 78 | warn "$check_1_4_4" 79 | warn " * Wrong ownership for $file" 80 | fi 81 | else 82 | info "$check_1_4_4" 83 | info " * File not found" 84 
| fi 85 | 86 | check_1_4_5="1.4.5 - Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive" 87 | if [ -f "/etc/kubernetes/manifests/kube-scheduler.json" ]; then 88 | file="/etc/kubernetes/manifests/kube-scheduler.json" 89 | elif [ -f "/etc/kubernetes/manifests/kube-scheduler.manifest" ]; then 90 | # kops 91 | file="/etc/kubernetes/manifests/kube-scheduler.manifest" 92 | else 93 | file="/etc/kubernetes/manifests/kube-scheduler.yaml" 94 | fi 95 | if [ -f $file ]; then 96 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then 97 | pass "$check_1_4_5" 98 | else 99 | warn "$check_1_4_5" 100 | warn " * Wrong permissions for $file" 101 | fi 102 | else 103 | info "$check_1_4_5" 104 | info " * File not found" 105 | fi 106 | 107 | check_1_4_6="1.4.6 - Ensure that the scheduler pod specification file ownership is set to root:root" 108 | if [ -f "/etc/kubernetes/manifests/kube-scheduler.json" ]; then 109 | file="/etc/kubernetes/manifests/kube-scheduler.json" 110 | elif [ -f "/etc/kubernetes/manifests/kube-scheduler.manifest" ]; then 111 | # kops 112 | file="/etc/kubernetes/manifests/kube-scheduler.manifest" 113 | else 114 | file="/etc/kubernetes/manifests/kube-scheduler.yaml" 115 | fi 116 | if [ -f $file ]; then 117 | if [ "$(stat -c %U:%G $file)" = "root:root" ]; then 118 | pass "$check_1_4_6" 119 | else 120 | warn "$check_1_4_6" 121 | owner=$(stat -c %U:%G $file) 122 | warn " * Wrong ownership for $file:$owner" 123 | fi 124 | else 125 | info "$check_1_4_6" 126 | info " * File not found" 127 | fi 128 | 129 | check_1_4_7="1.4.7 - Ensure that the etcd pod specification file permissions are set to 644 or more restrictive" 130 | if [ -f "/etc/kubernetes/manifests/etcd.json" ]; then 131 | file="/etc/kubernetes/manifests/etcd.json" 132 | elif [ -f "/etc/kubernetes/manifests/etcd.manifest" ]; then 133 | # kops 134 | # Also this file is a symlink, hence 'stat -L' below. 
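  file="/etc/kubernetes/manifests/etcd.manifest"
else
  file="/etc/kubernetes/manifests/etcd.yaml"
fi
if [ -f "$file" ]; then
  # -L follows the kops symlink so the target's mode is examined, not the link's.
  perm=$(stat -L -c %a "$file")
  if [ "$perm" -eq 644 ] || [ "$perm" -eq 640 ] || [ "$perm" -eq 600 ]; then
    pass "$check_1_4_7"
  else
    warn "$check_1_4_7"
    warn " * Wrong permissions for $file"
  fi
else
  info "$check_1_4_7"
  info " * File not found"
fi

check_1_4_8="1.4.8 - Ensure that the etcd pod specification file ownership is set to root:root"
if [ -f "/etc/kubernetes/manifests/etcd.json" ]; then
  file="/etc/kubernetes/manifests/etcd.json"
elif [ -f "/etc/kubernetes/manifests/etcd.manifest" ]; then
  # kops
  file="/etc/kubernetes/manifests/etcd.manifest"
else
  file="/etc/kubernetes/manifests/etcd.yaml"
fi
if [ -f "$file" ]; then
  # Fixed: ownership is read once, through the symlink (-L, as in 1.4.7), and
  # the failure message reports $file. It previously ran stat on $directory,
  # which is not assigned until 1.4.11 below, so the owner shown was empty.
  owner=$(stat -L -c %U:%G "$file")
  if [ "$owner" = "root:root" ]; then
    pass "$check_1_4_8"
  else
    warn "$check_1_4_8"
    warn " * Wrong ownership for $file:$owner"
  fi
else
  info "$check_1_4_8"
fi

#TODO
check_1_4_9="1.4.9 - Ensure that the Container Network Interface file permissions are set to 644 or more restrictive"
check_1_4_10="1.4.10 - Ensure that the Container Network Interface file ownership is set to root:root"
check_1_4_11="1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more restrictive"
directory=$(get_argument_value "$CIS_ETCD_CMD" '--data-dir')
if [ -d "$directory" ]; then
  perm=$(stat -c %a "$directory")
  if [ "$perm" -eq 700 ]; then
    pass "$check_1_4_11"
  else
    warn "$check_1_4_11"
    warn " * Wrong permissions for $directory:$perm"
  fi
else
  warn "$check_1_4_11"
  warn " * Directory not found:$directory"
fi

check_1_4_12="1.4.12 - Ensure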
that the etcd data directory ownership is set to etcd:etcd" 191 | directory=$(get_argument_value "$CIS_ETCD_CMD" '--data-dir') 192 | if [ -d "$directory" ]; then 193 | if [ "$(stat -c %U:%G $directory)" = "etcd:etcd" ]; then 194 | pass "$check_1_4_12" 195 | else 196 | warn "$check_1_4_12" 197 | owner=$(stat -c %U:%G $directory) 198 | warn " * Wrong ownership for $directory:$owner" 199 | fi 200 | else 201 | warn "$check_1_4_12" 202 | warn " * Directory not found:$directory" 203 | fi 204 | 205 | check_1_4_13="1.4.13 - Ensure that the admin.conf file permissions are set to 644 or more restrictive" 206 | file="/etc/kubernetes/admin.conf" 207 | if [ -f $file ]; then 208 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then 209 | pass "$check_1_4_13" 210 | else 211 | warn "$check_1_4_13" 212 | perm=$(stat -c %a $file) 213 | warn " * Wrong permissions for $file:$perm" 214 | fi 215 | else 216 | warn "$check_1_4_13" 217 | warn " * File not found:$file" 218 | fi 219 | 220 | check_1_4_14="1.4.14 - Ensure that the admin.conf file ownership is set to root:root" 221 | file="/etc/kubernetes/admin.conf" 222 | if [ -f $file ]; then 223 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 224 | pass "$check_1_4_14" 225 | else 226 | warn "$check_1_4_14" 227 | owner=$(stat -c %U:%G $file) 228 | warn " * Wrong ownership for $file:$owner" 229 | fi 230 | else 231 | warn "$check_1_4_14" 232 | warn " * File not found:$file" 233 | fi 234 | 235 | check_1_4_15="1.4.15 - Ensure that the scheduler.conf file permissions are set to 644 or more restrictive" 236 | file="/etc/kubernetes/scheduler.conf" 237 | if [ -f $file ]; then 238 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then 239 | pass "$check_1_4_15" 240 | else 241 | warn "$check_1_4_15" 242 | perm=$(stat -c %a $file) 243 | warn " * Wrong permissions for $file:$perm" 244 | fi 245 | else 246 | warn "$check_1_4_15" 247 | warn " * 
File not found:$file" 248 | fi 249 | 250 | check_1_4_16="1.4.16 - Ensure that the scheduler.conf file ownership is set to root:root" 251 | file="/etc/kubernetes/scheduler.conf" 252 | if [ -f $file ]; then 253 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 254 | pass "$check_1_4_16" 255 | else 256 | warn "$check_1_4_16" 257 | owner=$(stat -c %U:%G $file) 258 | warn " * Wrong ownership for $file:$owner" 259 | fi 260 | else 261 | warn "$check_1_4_16" 262 | warn " * File not found:$file" 263 | fi 264 | 265 | check_1_4_17="1.4.17 - Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive" 266 | file="/etc/kubernetes/controller-manager.conf" 267 | if [ -f $file ]; then 268 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then 269 | pass "$check_1_4_17" 270 | else 271 | warn "$check_1_4_17" 272 | perm=$(stat -c %a $file) 273 | warn " * Wrong permissions for $file:$perm" 274 | fi 275 | else 276 | warn "$check_1_4_17" 277 | warn " * File not found:$file" 278 | fi 279 | 280 | check_1_4_18="1.4.18 - Ensure that the controller-manager.conf file ownership is set to root:root" 281 | file="/etc/kubernetes/controller-manager.conf" 282 | if [ -f $file ]; then 283 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 284 | pass "$check_1_4_18" 285 | else 286 | warn "$check_1_4_18" 287 | owner=$(stat -c %U:%G $file) 288 | warn " * Wrong ownership for $file:$owner" 289 | fi 290 | else 291 | warn "$check_1_4_18" 292 | warn " * File not found:$file" 293 | fi 294 | -------------------------------------------------------------------------------- /1.2.0/master/master_5_etcd.sh: -------------------------------------------------------------------------------- 1 | info "1.5 - etcd" 2 | 3 | check_1_5_1="1.5.1 - Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" 4 | if check_argument "$CIS_ETCD_CMD" '--cert-file' >/dev/null 2>&1; then 5 | if check_argument "$CIS_ETCD_CMD" 
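'--key-file' >/dev/null 2>&1; then
        cfile=$(get_argument_value "$CIS_ETCD_CMD" '--cert-file')
        kfile=$(get_argument_value "$CIS_ETCD_CMD" '--key-file')
        pass "$check_1_5_1"
        pass " * cert-file: $cfile"
        pass " * key-file: $kfile"
    else
        warn "$check_1_5_1"
    fi
else
    warn "$check_1_5_1"
fi

check_1_5_2="1.5.2 - Ensure that the --client-cert-auth argument is set to true (Scored)"
# The flag must be present AND not explicitly disabled: a bare presence check
# also accepted "--client-cert-auth=false". etcd treats the bare flag as true.
# (A space-separated "--client-cert-auth false" is not detected by either form.)
if check_argument "$CIS_ETCD_CMD" '--client-cert-auth' >/dev/null 2>&1 \
    && ! check_argument "$CIS_ETCD_CMD" '--client-cert-auth=false' >/dev/null 2>&1; then
    pass "$check_1_5_2"
else
    warn "$check_1_5_2"
fi

check_1_5_3="1.5.3 - Ensure that the --auto-tls argument is not set to true (Scored)"
# Value spelled out in full: the earlier pattern '--auto-tls=tru' only fired
# if check_argument happened to do substring matching, otherwise the check
# silently passed on an insecure configuration.
if check_argument "$CIS_ETCD_CMD" '--auto-tls=true' >/dev/null 2>&1; then
    warn "$check_1_5_3"
else
    pass "$check_1_5_3"
fi

check_1_5_4="1.5.4 - Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
if check_argument "$CIS_ETCD_CMD" '--peer-cert-file' >/dev/null 2>&1; then
    if check_argument "$CIS_ETCD_CMD" '--peer-key-file' >/dev/null 2>&1; then
        cfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-cert-file')
        kfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-key-file')
        pass "$check_1_5_4"
        pass " * peer-cert-file: $cfile"
        pass " * peer-key-file: $kfile"
    else
        warn "$check_1_5_4"
    fi
else
    warn "$check_1_5_4"
fi

check_1_5_5="1.5.5 - Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
# Same rule as 1.5.2: present and not "=false".
if check_argument "$CIS_ETCD_CMD" '--peer-client-cert-auth' >/dev/null 2>&1 \
    && ! check_argument "$CIS_ETCD_CMD" '--peer-client-cert-auth=false' >/dev/null 2>&1; then
    pass "$check_1_5_5"
else
    warn "$check_1_5_5"
fi

check_1_5_6="1.5.6 - Ensure that the --peer-auto-tls argument is not set to true (Scored)"
if check_argument "$CIS_ETCD_CMD" '--peer-auto-tls=true' >/dev/null 2>&1; then
    warn "$check_1_5_6"
else
    pass "$check_1_5_6"
fi

check_1_5_7="1.5.7 - Ensure that the --wal-dir argument is set as appropriate (Scored)"
if check_argument "$CIS_ETCD_CMD" '--wal-dir' >/dev/null 2>&1; then
    wdir=$(get_argument_value "$CIS_ETCD_CMD" '--wal-dir')
    pass "$check_1_5_7"
    pass " * wal-dir: $wdir"
else
    warn "$check_1_5_7"
fi

check_1_5_8="1.5.8 - Ensure that the --max-wals argument is set to 0 (Scored)"
if check_argument "$CIS_ETCD_CMD" '--max-wals=0' >/dev/null 2>&1; then
    pass "$check_1_5_8"
else
    warn "$check_1_5_8"
fi

#TODO - not automated; reported as informational so it is not silently skipped.
check_1_5_9="1.5.9 - Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
info "$check_1_5_9"
-------------------------------------------------------------------------------- /1.2.0/master/master_6_general_security_primitives.sh: --------------------------------------------------------------------------------
info "1.6 - General Security Primitives"

# Make the loop separator be a new-line in a POSIX compliant fashion.
# $'\n' is a bash/ksh extension; a literally quoted newline works in any sh.
# Globbing is disabled so kubectl output containing '*' is not expanded.
set -f; IFS='
'

check_1_6_1="1.6.1 - Ensure that the cluster-admin role is only used where required(Not Scored)"
# Lists every ClusterRoleBinding; the ROLE column shows which ones grant cluster-admin.
cluster_admins=$(kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name)
info "$check_1_6_1"
for admin in $cluster_admins; do
    info " * $admin"
done

check_1_6_2="1.6.2 - Create Pod Security Policies for your cluster (Not Scored)"
policies=$(kubectl get psp)
info "$check_1_6_2"
for policy in $policies; do
    info " * $policy"
done

check_1_6_3="1.6.3 - Create administrative boundaries between resources using namespaces (Not Scored)"
namespaces=$(kubectl get namespaces)
info "$check_1_6_3"
for namespace in $namespaces; do
    info " * $namespace"
done

check_1_6_4="1.6.4 - Create network segmentation using Network Policies (Not Scored)"
# This check is about NetworkPolicy objects; it previously listed the pods in
# kube-system, which says nothing about network segmentation.
policies=$(kubectl get networkpolicies --all-namespaces)
info "$check_1_6_4"
for policy in $policies; do
    info " * $policy"
done

check_1_6_5="1.6.5 - Avoid using Kubernetes Secrets (Not Scored)"
# Cluster-wide: without --all-namespaces only the kubeconfig's current
# namespace was listed, hiding secrets everywhere else.
secrets=$(kubectl get secrets --all-namespaces)
info "$check_1_6_5"
for secret in $secrets; do
    info " * $secret"
done

#TODO - not automated; reported as informational.
check_1_6_6="1.6.6 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
info "$check_1_6_6"
check_1_6_7="1.6.7 - Apply Security Context to Your Pods and Containers (Not Scored)"
info "$check_1_6_7"
check_1_6_8="1.6.8 - Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
info "$check_1_6_8"
check_1_6_9="1.6.9 - Place compensating controls in the form of PSP and RBAC for privileged containers usage"
info "$check_1_6_9"

# Restore default word splitting and globbing for anything sourced after this file.
unset IFS; set +f
-------------------------------------------------------------------------------- /1.2.0/worker.sh: --------------------------------------------------------------------------------
#!/bin/sh
# ------------------------------------------------------------------------------
# Kubernetes CIS benchmark 1.6
#
# Neuvector, Inc. (c) 2016-
#
# ------------------------------------------------------------------------------

# Load dependencies (info/pass/warn, check_argument, get_argument_value, CIS_*_CMD)
. ./helper.sh

# Check for required program(s). The worker checks shell out to grep, stat and
# cut; a missing one would otherwise turn every check into a spurious warn/pass.
req_progs='grep stat cut'
for p in $req_progs; do
    command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done

# Load all the tests from worker/ and run them, in filename order.
main () {
    for script in worker/worker_*.sh
    do
        . ./"$script"
    done
}

main "$@"
-------------------------------------------------------------------------------- /1.2.0/worker/worker_1_kubelet.sh: --------------------------------------------------------------------------------
info "2.1 - Kubelet"

check_2_1_1="2.1.1 - Ensure that the --allow-privileged argument is set to false"
if check_argument "$CIS_KUBELET_CMD" '--allow-privileged=false' >/dev/null 2>&1; then
    pass "$check_2_1_1"
else
    warn "$check_2_1_1"
fi

check_2_1_2="2.1.2 - Ensure that the --anonymous-auth argument is set to false"
if check_argument "$CIS_KUBELET_CMD" '--anonymous-auth=false' >/dev/null 2>&1; then
    pass "$check_2_1_2"
else
    warn "$check_2_1_2"
fi

check_2_1_3="2.1.3 - Ensure that the --authorization-mode argument is not set to AlwaysAllow"
# NOTE(review): this passes when --authorization-mode is absent altogether; the
# kubelet's built-in default then decides the effective mode, which this script
# cannot observe. Confirm the default for the kubelet version in use.
if check_argument "$CIS_KUBELET_CMD" '--authorization-mode=AlwaysAllow' >/dev/null 2>&1; then
    warn "$check_2_1_3"
else
    pass "$check_2_1_3"
fi

check_2_1_4="2.1.4 - Ensure that the --client-ca-file argument is set as appropriate"
if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then
    cafile=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file')
    pass "$check_2_1_4"
    pass " * client-ca-file: $cafile"
else
    warn "$check_2_1_4"
fi

check_2_1_5="2.1.5 - Ensure that the --read-only-port argument is set to 0"
if check_argument "$CIS_KUBELET_CMD" '--read-only-port' >/dev/null 2>&1; then
    port=$(get_argument_value "$CIS_KUBELET_CMD" '--read-only-port' | cut -d " " -f 1)
    # Quoted: an empty value must compare unequal, not raise a test(1) error.
    if [ "$port" = "0" ]; then
        pass "$check_2_1_5"
    else
        warn "$check_2_1_5"
        warn " * read-only-port: $port"
    fi
else
    warn "$check_2_1_5"
fi

check_2_1_6="2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0"
if check_argument "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout=0' >/dev/null 2>&1; then
    timeout=$(get_argument_value "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout')
    warn "$check_2_1_6"
    warn " * streaming-connection-idle-timeout: $timeout"
else
    pass "$check_2_1_6"
fi

check_2_1_7="2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true"
if check_argument "$CIS_KUBELET_CMD" '--protect-kernel-defaults=true' >/dev/null 2>&1; then
    pass "$check_2_1_7"
else
    warn "$check_2_1_7"
fi

check_2_1_8="2.1.8 - Ensure that the --make-iptables-util-chains argument is set to true"
if check_argument "$CIS_KUBELET_CMD" '--make-iptables-util-chains=true' >/dev/null 2>&1; then
    pass "$check_2_1_8"
else
    warn "$check_2_1_8"
fi

check_2_1_9="2.1.9 - Ensure that the --keep-terminated-pod-volumes argument is set to false"
if check_argument "$CIS_KUBELET_CMD" '--keep-terminated-pod-volumes=false' >/dev/null 2>&1; then
    pass "$check_2_1_9"
else
    warn "$check_2_1_9"
fi

check_2_1_10="2.1.10 - Ensure that the --hostname-override argument is not set"
if check_argument "$CIS_KUBELET_CMD" '--hostname-override' >/dev/null 2>&1; then
    warn "$check_2_1_10"
else
    pass "$check_2_1_10"
fi

check_2_1_11="2.1.11 - Ensure that the --event-qps argument is set to 0"
if check_argument "$CIS_KUBELET_CMD" '--event-qps' >/dev/null 2>&1; then
    event=$(get_argument_value "$CIS_KUBELET_CMD" '--event-qps' | cut -d " " -f 1)
    if [ "$event" = "0" ]; then
        pass "$check_2_1_11"
    else
        warn "$check_2_1_11"
        warn " * event-qps: $event"
    fi
else
    warn "$check_2_1_11"
fi

check_2_1_12="2.1.12 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate"
if check_argument "$CIS_KUBELET_CMD" '--tls-cert-file' >/dev/null 2>&1; then
    if check_argument "$CIS_KUBELET_CMD" '--tls-private-key-file' >/dev/null 2>&1; then
        cfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-cert-file')
        kfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-private-key-file')
        pass "$check_2_1_12"
        pass " * tls-cert-file: $cfile"
        pass " * tls-private-key-file: $kfile"
    else
        warn "$check_2_1_12"
    fi
else
    warn "$check_2_1_12"
fi

check_2_1_13="2.1.13 - Ensure that the --cadvisor-port argument is set to 0"
if check_argument "$CIS_KUBELET_CMD" '--cadvisor-port' >/dev/null 2>&1; then
    port=$(get_argument_value "$CIS_KUBELET_CMD" '--cadvisor-port' | cut -d " " -f 1)
    if [ "$port" = "0" ]; then
        pass "$check_2_1_13"
    else
        warn "$check_2_1_13"
        warn " * cadvisor-port: $port"
    fi
else
    warn "$check_2_1_13"
fi

-------------------------------------------------------------------------------- /1.2.0/worker/worker_2_configure_files.sh: --------------------------------------------------------------------------------
info "2.2 - Configuration Files"

check_2_2_1="2.2.1 - Ensure that the config file permissions are set to 644 or more restrictive"
if [ -f "/etc/kubernetes/config" ]; then
    file="/etc/kubernetes/config"
elif [ -f "/var/lib/kubelet/kubeconfig" ]; then
    # kops
    file="/var/lib/kubelet/kubeconfig"
else
    file="/etc/kubernetes/kubelet.conf"
fi

if [ -f "$file" ]; then
    perm=$(stat -c %a "$file")
    # "644 or more restrictive" means no bit outside rw-r--r-- (0644) may be
    # set, i.e. perm & 0133 == 0. The old explicit list (644/600/400) wrongly
    # rejected 640. An empty $perm (stat failure) must not pass.
    if [ -n "$perm" ] && [ $(( 0$perm & 0133 )) -eq 0 ]; then
        pass "$check_2_2_1"
    else
        warn "$check_2_2_1"
        warn " * Wrong permissions for $file"
    fi
else
    info "$check_2_2_1"
    info " * File not found"
fi

check_2_2_2="2.2.2 - Ensure that the config file ownership is set to root:root"
if [ -f "$file" ]; then
    # Numeric ids: uid 0 / gid 0, independent of how the names resolve.
    if [ "$(stat -c %u:%g "$file")" = "0:0" ]; then
        pass "$check_2_2_2"
    else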
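warn "$check_2_2_2"
        warn " * Wrong ownership for $file"
    fi
else
    info "$check_2_2_2"
fi

check_2_2_3="2.2.3 - Ensure that the kubelet file permissions are set to 644 or more restrictive"
# NOTE(review): the fallback below is the same /etc/kubernetes/kubelet.conf
# that 2.2.1 falls back to, so on such hosts one file is reported twice.
if [ -f "/etc/kubernetes/kubelet" ]; then
    file="/etc/kubernetes/kubelet"
elif [ -f "/etc/sysconfig/kubelet" ]; then
    # kops
    file="/etc/sysconfig/kubelet"
else
    file="/etc/kubernetes/kubelet.conf"
fi

if [ -f "$file" ]; then
    perm=$(stat -c %a "$file")
    # "644 or more restrictive": perm & 0133 == 0 (the old list rejected 640).
    if [ -n "$perm" ] && [ $(( 0$perm & 0133 )) -eq 0 ]; then
        pass "$check_2_2_3"
    else
        warn "$check_2_2_3"
        warn " * Wrong permissions for $file"
    fi
else
    info "$check_2_2_3"
    info " * File not found"
fi

check_2_2_4="2.2.4 - Ensure that the kubelet file ownership is set to root:root"
if [ -f "$file" ]; then
    if [ "$(stat -c %u:%g "$file")" = "0:0" ]; then
        pass "$check_2_2_4"
    else
        warn "$check_2_2_4"
        warn " * Wrong ownership for $file"
    fi
else
    info "$check_2_2_4"
fi

check_2_2_5="2.2.5 - Ensure that the proxy file permissions are set to 644 or more restrictive"
if [ -f "/var/lib/kube-proxy/kubeconfig" ]; then
    # kops
    file="/var/lib/kube-proxy/kubeconfig"
else
    file="/etc/kubernetes/proxy"
fi

if [ -f "$file" ]; then
    perm=$(stat -c %a "$file")
    if [ -n "$perm" ] && [ $(( 0$perm & 0133 )) -eq 0 ]; then
        pass "$check_2_2_5"
    else
        warn "$check_2_2_5"
        warn " * Wrong permissions for $file"
    fi
else
    info "$check_2_2_5"
    info " * File not found"
fi

check_2_2_6="2.2.6 - Ensure that the proxy file ownership is set to root:root"
if [ -f "$file" ]; then
    if [ "$(stat -c %u:%g "$file")" = "0:0" ]; then
        pass "$check_2_2_6"
    else
        warn "$check_2_2_6"
        warn " * Wrong ownership for $file"
    fi
else
    info "$check_2_2_6"
fi

check_2_2_7="2.2.7 - Ensure that the certificate authorities file permissions are set to 644 or more restrictive"
if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then
    file=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file')
    # The path comes from the kubelet command line and may not exist on this
    # host (or may be a container path); say so instead of letting stat fail.
    if [ -f "$file" ]; then
        perm=$(stat -c %a "$file")
        if [ -n "$perm" ] && [ $(( 0$perm & 0133 )) -eq 0 ]; then
            pass "$check_2_2_7"
            pass " * client-ca-file: $file"
        else
            warn "$check_2_2_7"
            warn " * Wrong permissions for $file"
        fi
    else
        warn "$check_2_2_7"
        warn " * File not found:$file"
    fi
else
    info "$check_2_2_7"
    info " * --client-ca-file not set"
fi

check_2_2_8="2.2.8 - Ensure that the client certificate authorities file ownership is set to root:root"
if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then
    file=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file')
    if [ -f "$file" ]; then
        if [ "$(stat -c %u:%g "$file")" = "0:0" ]; then
            pass "$check_2_2_8"
            pass " * client-ca-file: $file"
        else
            warn "$check_2_2_8"
            warn " * Wrong ownership for $file"
        fi
    else
        warn "$check_2_2_8"
        warn " * File not found:$file"
    fi
else
    info "$check_2_2_8"
    info " * --client-ca-file not set"
fi
-------------------------------------------------------------------------------- /1.4.1/master/master_2_scheduler.sh: --------------------------------------------------------------------------------
info "1.2 - Scheduler"

check_1_2_1="1.2.1 - Ensure that the --profiling argument is set to false (Scored)"
if check_argument "$CIS_SCHEDULER_CMD" '--profiling=false' >/dev/null 2>&1; then
    pass "$check_1_2_1"
else
    warn "$check_1_2_1"
fi

check_1_2_2="1.2.2 - Ensure that the --address argument is set to 127.0.0.1 (Scored)"
# Fixed-string, whole-word match: the bare regex '127.0.0.1' also accepted
# addresses such as 127.0.0.10 or 1127.0.0.1 (and '.' matched any character).
if get_argument_value "$CIS_SCHEDULER_CMD" '--address' | grep -F -w -- '127.0.0.1' >/dev/null 2>&1; then
    pass "$check_1_2_2"
else
    warn "$check_1_2_2"
fi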
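-------------------------------------------------------------------------------- /1.4.1/master/master_3_contoller_manager.sh: --------------------------------------------------------------------------------
info "1.3 - Controller Manager"

check_1_3_1="1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
# On kops-managed clusters the controller-manager command line is wrapped by
# something like "/bin/tee -a /var/log/kube-controller-manager.log"; any
# filtering of that wrapper happens where $CIS_MANAGER_CMD is resolved
# (helper script), not in this file.
if check_argument "$CIS_MANAGER_CMD" '--terminated-pod-gc-threshold' >/dev/null 2>&1; then
    threshold=$(get_argument_value "$CIS_MANAGER_CMD" '--terminated-pod-gc-threshold')
    pass "$check_1_3_1"
    pass " * terminated-pod-gc-threshold: $threshold"
else
    warn "$check_1_3_1"
fi

check_1_3_2="1.3.2 - Ensure that the --profiling argument is set to false (Scored)"
if check_argument "$CIS_MANAGER_CMD" '--profiling=false' >/dev/null 2>&1; then
    pass "$check_1_3_2"
else
    warn "$check_1_3_2"
fi

check_1_3_3="1.3.3 - Ensure that the --use-service-account-credentials argument is set to true (Scored)"
# Present and not explicitly "=false"; a bare presence check passed
# "--use-service-account-credentials=false" as well.
if check_argument "$CIS_MANAGER_CMD" '--use-service-account-credentials' >/dev/null 2>&1 \
    && ! check_argument "$CIS_MANAGER_CMD" '--use-service-account-credentials=false' >/dev/null 2>&1; then
    pass "$check_1_3_3"
else
    warn "$check_1_3_3"
fi

check_1_3_4="1.3.4 - Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
if check_argument "$CIS_MANAGER_CMD" '--service-account-private-key-file' >/dev/null 2>&1; then
    keyfile=$(get_argument_value "$CIS_MANAGER_CMD" '--service-account-private-key-file')
    pass "$check_1_3_4"
    pass " * service-account-private-key-file: $keyfile"
else
    warn "$check_1_3_4"
fi

check_1_3_5="1.3.5 - Ensure that the --root-ca-file argument is set as appropriate (Scored)"
if check_argument "$CIS_MANAGER_CMD" '--root-ca-file' >/dev/null 2>&1; then
    cafile=$(get_argument_value "$CIS_MANAGER_CMD" '--root-ca-file')
    pass "$check_1_3_5"
    pass " * root-ca-file: $cafile"
else
    warn "$check_1_3_5"
fi

check_1_3_6="1.3.6 - Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
if check_argument "$CIS_MANAGER_CMD" '--feature-gates' >/dev/null 2>&1; then
    gates=$(get_argument_value "$CIS_MANAGER_CMD" '--feature-gates')
    # Quoted throughout: an empty or space-containing value previously reached
    # an unquoted [ ! -z $found ] test.
    if printf '%s\n' "$gates" | grep -q 'RotateKubeletServerCertificate=true'; then
        pass "$check_1_3_6"
    else
        warn "$check_1_3_6"
    fi
else
    warn "$check_1_3_6"
fi

check_1_3_7="1.3.7 - Ensure that the --address argument is set to 127.0.0.1 (Scored)"
# Fixed-string, whole-word match so 127.0.0.10 and the like are not accepted.
if get_argument_value "$CIS_MANAGER_CMD" '--address' | grep -F -w -- '127.0.0.1' >/dev/null 2>&1; then
    pass "$check_1_3_7"
else
    warn "$check_1_3_7"
fi
-------------------------------------------------------------------------------- /1.4.1/master/master_4_configuration_files.sh: --------------------------------------------------------------------------------
info "1.4 - Configuration Files"

# Resolve the static pod spec file for control-plane component $1:
# kubeadm-style .json, kops-style .manifest (may be a symlink), else .yaml.
# The .yaml path is returned even when it does not exist; callers test -f.
cis_manifest_file() {
    if [ -f "/etc/kubernetes/manifests/$1.json" ]; then
        printf '%s\n' "/etc/kubernetes/manifests/$1.json"
    elif [ -f "/etc/kubernetes/manifests/$1.manifest" ]; then
        # kops
        printf '%s\n' "/etc/kubernetes/manifests/$1.manifest"
    else
        printf '%s\n' "/etc/kubernetes/manifests/$1.yaml"
    fi
}

# Permission checks below use "644 or more restrictive" = no bit outside
# rw-r--r-- (0644) set, i.e. perm & 0133 == 0. An empty $perm (stat failure)
# never passes. stat -L follows symlinks so kops' linked manifests are
# judged on the real file (previously only 1.4.7 did this).

check_1_4_1="1.4.1 - Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored)"
file=$(cis_manifest_file kube-apiserver)
if [ -f "$file" ]; then
    perm=$(stat -L -c %a "$file")
    if [ -n "$perm" ] && [ $(( 0$perm & 0133 )) -eq 0 ]; then
        pass "$check_1_4_1"
    else
        warn "$check_1_4_1"
        warn " * Wrong permissions for $file"
    fi
else
    info "$check_1_4_1"
    info " * File not found"
fi

check_1_4_2="1.4.2 - Ensure that the API server pod specification file ownership is set to root:root (Scored)"
file=$(cis_manifest_file kube-apiserver)
if [ -f "$file" ]; then
    # Numeric uid:gid, so the result does not depend on name resolution.
    if [ "$(stat -L -c %u:%g "$file")" = "0:0" ]; then
        pass "$check_1_4_2"
    else
        warn "$check_1_4_2"
        warn " * Wrong ownership for $file"
    fi
else
    info "$check_1_4_2"
fi

check_1_4_3="1.4.3 - Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored)"
file=$(cis_manifest_file kube-controller-manager)
if [ -f "$file" ]; then
    perm=$(stat -L -c %a "$file")
    if [ -n "$perm" ] && [ $(( 0$perm & 0133 )) -eq 0 ]; then
        pass "$check_1_4_3"
    else
        warn "$check_1_4_3"
        warn " * Wrong permissions for $file"
    fi
else
    info "$check_1_4_3"
    info " * File not found"
fi

check_1_4_4="1.4.4 - Ensure that the controller manager pod specification file ownership is set to root:root (Scored)"
file=$(cis_manifest_file kube-controller-manager)
if [ -f "$file" ]; then
    if [ "$(stat -L -c %u:%g "$file")" = "0:0" ]; then
        pass "$check_1_4_4"
    else
        warn "$check_1_4_4"
        warn " * Wrong ownership for $file"
    fi
else
    info "$check_1_4_4"
    info " * File not found"
fi

check_1_4_5="1.4.5 - Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored)"
file=$(cis_manifest_file kube-scheduler)
if [ -f "$file" ]; then
    perm=$(stat -L -c %a "$file")
    if [ -n "$perm" ] && [ $(( 0$perm & 0133 )) -eq 0 ]; then
        pass "$check_1_4_5"
    else
        warn "$check_1_4_5"
        warn " * Wrong permissions for $file"
    fi
else
    info "$check_1_4_5"
    info " * File not found"
fi

check_1_4_6="1.4.6 - Ensure that the scheduler pod specification file ownership is set to root:root (Scored)"
file=$(cis_manifest_file kube-scheduler)
if [ -f "$file" ]; then
    if [ "$(stat -L -c %u:%g "$file")" = "0:0" ]; then
        pass "$check_1_4_6"
    else
        warn "$check_1_4_6"
        owner=$(stat -L -c %U:%G "$file")
        warn " * Wrong ownership for $file:$owner"
    fi
else
    info "$check_1_4_6"
    info " * File not found"
fi

check_1_4_7="1.4.7 - Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Scored)"
file=$(cis_manifest_file etcd)
if [ -f "$file" ]; then
    perm=$(stat -L -c %a "$file")
    if [ -n "$perm" ] && [ $(( 0$perm & 0133 )) -eq 0 ]; then
        pass "$check_1_4_7"
    else
        warn "$check_1_4_7"
        warn " * Wrong permissions for $file"
    fi
else
    info "$check_1_4_7"
    info " * File not found"
fi

check_1_4_8="1.4.8 - Ensure that the etcd pod specification file ownership is set to root:root (Scored)"
file=$(cis_manifest_file etcd)
if [ -f "$file" ]; then
    if [ "$(stat -L -c %u:%g "$file")" = "0:0" ]; then
        pass "$check_1_4_8"
    else
        warn "$check_1_4_8"
        # Report the manifest's owner (previously stat'ed the not-yet-set $directory).
        owner=$(stat -L -c %U:%G "$file")
        warn " * Wrong ownership for $file:$owner"
    fi
else
    info "$check_1_4_8"
fi

#TODO - not automated; reported as informational.
check_1_4_9="1.4.9 - Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)"
info "$check_1_4_9"

check_1_4_10="1.4.10 - Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)"
info "$check_1_4_10"

check_1_4_11="1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"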
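directory=$(get_argument_value "$CIS_ETCD_CMD" '--data-dir')
# The path is taken from etcd's own command line; for a containerised etcd it
# is the in-container path and only exists here if it is a hostPath mount.
if [ -d "$directory" ]; then
    perm=$(stat -c %a "$directory")
    # "700 or more restrictive": nothing for group/other, i.e. perm & 077 == 0.
    # An empty $perm (stat failure) never passes.
    if [ -n "$perm" ] && [ $(( 0$perm & 077 )) -eq 0 ]; then
        pass "$check_1_4_11"
    else
        warn "$check_1_4_11"
        warn " * Wrong permissions for $directory:$perm"
    fi
else
    warn "$check_1_4_11"
    warn " * Directory not found:$directory"
fi

check_1_4_12="1.4.12 - Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
directory=$(get_argument_value "$CIS_ETCD_CMD" '--data-dir')
if [ -d "$directory" ]; then
    if [ "$(stat -c %U:%G "$directory")" = "etcd:etcd" ]; then
        pass "$check_1_4_12"
    else
        warn "$check_1_4_12"
        owner=$(stat -c %U:%G "$directory")
        warn " * Wrong ownership for $directory:$owner"
    fi
else
    warn "$check_1_4_12"
    warn " * Directory not found:$directory"
fi

# The kubeconfig checks below: "644 or more restrictive" = perm & 0133 == 0.

check_1_4_13="1.4.13 - Ensure that the admin.conf file permissions are set to 644 or more restrictive (Scored)"
file="/etc/kubernetes/admin.conf"
if [ -f "$file" ]; then
    perm=$(stat -c %a "$file")
    if [ -n "$perm" ] && [ $(( 0$perm & 0133 )) -eq 0 ]; then
        pass "$check_1_4_13"
    else
        warn "$check_1_4_13"
        warn " * Wrong permissions for $file:$perm"
    fi
else
    warn "$check_1_4_13"
    warn " * File not found:$file"
fi

check_1_4_14="1.4.14 - Ensure that the admin.conf file ownership is set to root:root (Scored)"
file="/etc/kubernetes/admin.conf"
if [ -f "$file" ]; then
    # Numeric uid:gid, independent of name resolution.
    if [ "$(stat -c %u:%g "$file")" = "0:0" ]; then
        pass "$check_1_4_14"
    else
        warn "$check_1_4_14"
        owner=$(stat -c %U:%G "$file")
        warn " * Wrong ownership for $file:$owner"
    fi
else
    warn "$check_1_4_14"
    warn " * File not found:$file"
fi

check_1_4_15="1.4.15 - Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Scored)"
file="/etc/kubernetes/scheduler.conf"
if [ -f "$file" ]; then
    perm=$(stat -c %a "$file")
    if [ -n "$perm" ] && [ $(( 0$perm & 0133 )) -eq 0 ]; then
        pass "$check_1_4_15"
    else
        warn "$check_1_4_15"
        warn " * Wrong permissions for $file:$perm"
    fi
else
    warn "$check_1_4_15"
    warn " * File not found:$file"
fi

check_1_4_16="1.4.16 - Ensure that the scheduler.conf file ownership is set to root:root (Scored)"
file="/etc/kubernetes/scheduler.conf"
if [ -f "$file" ]; then
    if [ "$(stat -c %u:%g "$file")" = "0:0" ]; then
        pass "$check_1_4_16"
    else
        warn "$check_1_4_16"
        owner=$(stat -c %U:%G "$file")
        warn " * Wrong ownership for $file:$owner"
    fi
else
    warn "$check_1_4_16"
    warn " * File not found:$file"
fi

check_1_4_17="1.4.17 - Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)"
file="/etc/kubernetes/controller-manager.conf"
if [ -f "$file" ]; then
    perm=$(stat -c %a "$file")
    if [ -n "$perm" ] && [ $(( 0$perm & 0133 )) -eq 0 ]; then
        pass "$check_1_4_17"
    else
        warn "$check_1_4_17"
        warn " * Wrong permissions for $file:$perm"
    fi
else
    warn "$check_1_4_17"
    warn " * File not found:$file"
fi

check_1_4_18="1.4.18 - Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
file="/etc/kubernetes/controller-manager.conf"
if [ -f "$file" ]; then
    if [ "$(stat -c %u:%g "$file")" = "0:0" ]; then
        pass "$check_1_4_18"
    else
        warn "$check_1_4_18"
        owner=$(stat -c %U:%G "$file")
        warn " * Wrong ownership for $file:$owner"
    fi
else
    warn "$check_1_4_18"
    warn " * File not found:$file"
fi

# PKI checks. The directory must exist: previously a missing directory gave
# find an empty result and all three checks passed without looking at anything.
# Paths are split on whitespace in the loops, which is fine for the fixed
# /etc/kubernetes/pki layout.
pki_dir="/etc/kubernetes/pki/"

check_1_4_19="1.4.19 - Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)"
if [ -d "$pki_dir" ]; then
    all_ok=true
    for f in $(find "$pki_dir"); do
        if [ "$(stat -c %u:%g "$f")" != "0:0" ]; then
            all_ok=false
            break
        fi
    done
    if [ "$all_ok" = "true" ]; then
        pass "$check_1_4_19"
    else
        warn "$check_1_4_19"
        warn " * Wrong ownership for $f"
    fi
else
    warn "$check_1_4_19"
    warn " * Directory not found:$pki_dir"
fi

check_1_4_20="1.4.20 - Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)"
if [ -d "$pki_dir" ]; then
    all_ok=true
    for f in $(find "$pki_dir" -name "*.crt"); do
        perm=$(stat -c %a "$f")
        if [ -z "$perm" ] || [ $(( 0$perm & 0133 )) -ne 0 ]; then
            all_ok=false
            break
        fi
    done
    if [ "$all_ok" = "true" ]; then
        pass "$check_1_4_20"
    else
        warn "$check_1_4_20"
        warn " * Wrong permissions for $f:$perm"
    fi
else
    warn "$check_1_4_20"
    warn " * Directory not found:$pki_dir"
fi

check_1_4_21="1.4.21 - Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)"
# The benchmark text names 600 exactly, so that is what is required here.
if [ -d "$pki_dir" ]; then
    all_ok=true
    for f in $(find "$pki_dir" -name "*.key"); do
        if [ "$(stat -c %a "$f")" != "600" ]; then
            all_ok=false
            break
        fi
    done
    if [ "$all_ok" = "true" ]; then
        pass "$check_1_4_21"
    else
        warn "$check_1_4_21"
        warn " * Wrong permissions for $f"
    fi
else
    warn "$check_1_4_21"
    warn " * Directory not found:$pki_dir"
fi
-------------------------------------------------------------------------------- /1.4.1/master/master_5_etcd.sh: --------------------------------------------------------------------------------
info "1.5 - etcd"

check_1_5_1="1.5.1 - Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
if check_argument "$CIS_ETCD_CMD" '--cert-file' >/dev/null 2>&1; then
    if check_argument "$CIS_ETCD_CMD" '--key-file' >/dev/null 2>&1; then
        cfile=$(get_argument_value "$CIS_ETCD_CMD" '--cert-file')
        kfile=$(get_argument_value "$CIS_ETCD_CMD" '--key-file')
        pass "$check_1_5_1"
        pass " * cert-file: $cfile"
        pass " * key-file: $kfile"
    else
        warn "$check_1_5_1"
    fi
else
    warn "$check_1_5_1"
fi

check_1_5_2="1.5.2 - Ensure that the --client-cert-auth argument is set to true (Scored)"
# Present and not explicitly "=false": a bare presence check also passed
# "--client-cert-auth=false". etcd treats the bare flag as true.
if check_argument "$CIS_ETCD_CMD" '--client-cert-auth' >/dev/null 2>&1 \
    && ! check_argument "$CIS_ETCD_CMD" '--client-cert-auth=false' >/dev/null 2>&1; then
    pass "$check_1_5_2"
else
    warn "$check_1_5_2"
fi

check_1_5_3="1.5.3 - Ensure that the --auto-tls argument is not set to true (Scored)"
if check_argument "$CIS_ETCD_CMD" '--auto-tls=true' >/dev/null 2>&1; then
    warn "$check_1_5_3"
else
    pass "$check_1_5_3"
fi

check_1_5_4="1.5.4 - Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
if check_argument "$CIS_ETCD_CMD" '--peer-cert-file' >/dev/null 2>&1; then
    if check_argument "$CIS_ETCD_CMD" '--peer-key-file' >/dev/null 2>&1; then
        cfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-cert-file')
        kfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-key-file')
        pass "$check_1_5_4"
        pass " * peer-cert-file: $cfile"
        pass " * peer-key-file: $kfile"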
40 | else 41 | warn "$check_1_5_4" 42 | fi 43 | else 44 | warn "$check_1_5_4" 45 | fi 46 | 47 | check_1_5_5="1.5.5 - Ensure that the --peer-client-cert-auth argument is set to true (Scored)" 48 | if check_argument "$CIS_ETCD_CMD" '--peer-client-cert-auth' >/dev/null 2>&1; then 49 | pass "$check_1_5_5" 50 | else 51 | warn "$check_1_5_5" 52 | fi 53 | 54 | check_1_5_6="1.5.6 - Ensure that the --peer-auto-tls argument is not set to true (Scored)" 55 | if check_argument "$CIS_ETCD_CMD" '--peer-auto-tls=true' >/dev/null 2>&1; then 56 | warn "$check_1_5_6" 57 | else 58 | pass "$check_1_5_6" 59 | fi 60 | 61 | check_1_5_7="1.5.7 - Ensure that a unique Certificate Authority is used for etcd (Not Scored)" 62 | if check_argument "$CIS_ETCD_CMD" '--trusted-ca-file' >/dev/null 2>&1; then 63 | if check_argument "$CIS_APISERVER_CMD" '--client-ca-file' >/dev/null 2>&1; then 64 | tfile=$(get_argument_value "$CIS_ETCD_CMD" '--trusted-ca-file') 65 | cfile=$(get_argument_value "$CIS_APISERVER_CMD" '--client-ca-file') 66 | if [ "$tfile" = "$cfile" ]; then 67 | pass "$check_1_5_7" 68 | pass " * trusted-ca-file: $tfile" 69 | pass " * client-ca-file: $cfile" 70 | else 71 | warn "$check_1_5_7" 72 | fi 73 | else 74 | warn "$check_1_5_7" 75 | warn " * client-ca-file doesn't exist" 76 | fi 77 | else 78 | warn "$check_1_5_7" 79 | warn " * trusted-ca-file doesn't exist" 80 | fi 81 | -------------------------------------------------------------------------------- /1.4.1/master/master_6_general_security_primitives.sh: -------------------------------------------------------------------------------- 1 | info "1.6 - General Security Primitives" 2 | 3 | # Make the loop separator be a new-line in POSIX compliant fashion 4 | set -f; IFS=$' 5 | ' 6 | check_1_6_1="1.6.1 - Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)" 7 | info "$check_1_6_1" 8 | 9 | check_1_6_2="1.6.2 - Ensure that the cluster-admin role is only used where required(Not Scored)" 10 | 
cluster_admins=$(kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name) 11 | info $check_1_6_2 12 | for admin in $cluster_admins; do 13 | info " * $admin" 14 | done 15 | 16 | check_1_6_3="1.6.3 - Create administrative boundaries between resources using namespaces (Not Scored)" 17 | namespaces=$(kubectl get namespaces) 18 | info $check_1_6_3 19 | for namespace in $namespaces; do 20 | info " * $namespace" 21 | done 22 | 23 | check_1_6_4="1.6.4 - Create network segmentation using Network Policies (Not Scored)" 24 | policies=$(kubectl get pods --namespace=kube-system) 25 | info $check_1_6_4 26 | for policy in $policies; do 27 | info " * $policy" 28 | done 29 | 30 | check_1_6_5="1.6.5 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" 31 | info "$check_1_6_5" 32 | 33 | check_1_6_6="1.6.6 - Apply Security Context to Your Pods and Containers (Not Scored)" 34 | info $check_1_6_6 35 | check_1_6_7="1.6.7 - Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" 36 | info $check_1_6_7 37 | check_1_6_8="1.6.8 - Configure Network policies as appropriate (Not Scored)" 38 | info $check_1_6_8 39 | 40 | -------------------------------------------------------------------------------- /1.4.1/master/master_7_podSecurityPolicies.sh: -------------------------------------------------------------------------------- 1 | check_1_7_1="1.7.1 - Do not admit privileged containers (Not Scored)" 2 | names=$(kubectl get psp 2>/dev/null | sed 1,1d | cut -d " " -f 1) 3 | result="" 4 | for name in $names; do 5 | result=$(kubectl get psp $name -o=jsonpath='{.spec.privileged}'|grep true) 6 | if [ -z "$result" ]; then 7 | break; 8 | fi 9 | done 10 | if [ -z "$result" ]; then 11 | pass "$check_1_7_1" 12 | else 13 | warn "$check_1_7_1" 14 | fi 15 | 16 | check_1_7_2="1.7.2 - Do not admit containers wishing to share the host process ID namespace (Scored)" 17 | result="" 
18 | for name in $names; do 19 | result=$(kubectl get psp $name -o=jsonpath='{.spec.hostPID}'|grep true) 20 | if [ -z "$result" ]; then 21 | break; 22 | fi 23 | done 24 | if [ -z "$result" ]; then 25 | pass "$check_1_7_2" 26 | else 27 | warn "$check_1_7_2" 28 | fi 29 | 30 | check_1_7_3="1.7.3 - Do not admit containers wishing to share the host IPC namespace (Scored)" 31 | result="" 32 | for name in $names; do 33 | result=$(kubectl get psp $name -o=jsonpath='{.spec.hostIPC}'|grep true) 34 | if [ -z "$result" ]; then 35 | break; 36 | fi 37 | done 38 | if [ -z "$result" ]; then 39 | pass "$check_1_7_3" 40 | else 41 | warn "$check_1_7_3" 42 | fi 43 | 44 | check_1_7_4="1.7.4 - Do not admit containers wishing to share the host network namespace (Scored)" 45 | result="" 46 | for name in $names; do 47 | result=$(kubectl get psp $name -o=jsonpath='{.spec.hostNetwork}'|grep true) 48 | if [ -z "$result" ]; then 49 | break; 50 | fi 51 | done 52 | if [ -z "$result" ]; then 53 | pass "$check_1_7_4" 54 | else 55 | warn "$check_1_7_4" 56 | fi 57 | 58 | check_1_7_5="1.7.5 - Do not admit containers with allowPrivilegeEscalation (Scored)" 59 | result="" 60 | for name in $names; do 61 | result=$(kubectl get psp $name -o=jsonpath='{.spec.allowPrivilegeEscalation}'|grep true) 62 | if [ -z "$result" ]; then 63 | break; 64 | fi 65 | done 66 | if [ -z "$result" ]; then 67 | pass "$check_1_7_5" 68 | else 69 | warn "$check_1_7_5" 70 | fi 71 | 72 | check_1_7_6="1.7.6 - Do not admit root containers (Not Scored)" 73 | result="" 74 | for name in $names; do 75 | result=$(kubectl get psp $name -o=jsonpath='{.spec.runAsUser.rule}' | grep -v -E '(\<0\>)|(MustRunAsNonRoot)') 76 | if [ -z "$result" ]; then 77 | break; 78 | fi 79 | done 80 | if [ -z "$result" ]; then 81 | pass "$check_1_7_6" 82 | else 83 | warn "$check_1_7_6" 84 | fi 85 | 86 | check_1_7_7="1.7.7 - Do not admit containers with dangerous capabilities (Not Scored)" 87 | result="" 88 | for name in $names; do 89 | result=$(kubectl get psp 
$name -o=jsonpath='{.spec.allowPrivilegeEscalation}'|grep true) 90 | if [ -z "$result" ]; then 91 | break; 92 | fi 93 | done 94 | if [ -z "$result" ]; then 95 | pass "$check_1_7_7" 96 | else 97 | warn "$check_1_7_7" 98 | fi 99 | 100 | -------------------------------------------------------------------------------- /1.4.1/worker/worker_1_kubelet.sh: -------------------------------------------------------------------------------- 1 | info "2.1 - Kubelet" 2 | 3 | check_2_1_1="2.1.1 - Ensure that the --anonymous-auth argument is set to false (Scored)" 4 | if check_argument "$CIS_KUBELET_CMD" '--anonymous-auth=false' >/dev/null 2>&1; then 5 | pass "$check_2_1_1" 6 | else 7 | warn "$check_2_1_1" 8 | fi 9 | 10 | check_2_1_2="2.1.2 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" 11 | if check_argument "$CIS_KUBELET_CMD" '--authorization-mode=AlwaysAllow' >/dev/null 2>&1; then 12 | warn "$check_2_1_2" 13 | else 14 | pass "$check_2_1_2" 15 | fi 16 | 17 | check_2_1_3="2.1.3 - Ensure that the --client-ca-file argument is set as appropriate (Scored)" 18 | if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then 19 | cafile=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file') 20 | pass "$check_2_1_3" 21 | pass " * client-ca-file: $cafile" 22 | else 23 | warn "$check_2_1_3" 24 | fi 25 | 26 | check_2_1_4="2.1.4 - Ensure that the --read-only-port argument is set to 0 (Scored)" 27 | if check_argument "$CIS_KUBELET_CMD" '--read-only-port' >/dev/null 2>&1; then 28 | port=$(get_argument_value "$CIS_KUBELET_CMD" '--read-only-port' | cut -d " " -f 1) 29 | if [ $port = "0" ]; then 30 | pass "$check_2_1_4" 31 | else 32 | warn "$check_2_1_4" 33 | warn " * read-only-port: $port" 34 | fi 35 | else 36 | warn "$check_2_1_4" 37 | fi 38 | 39 | check_2_1_5="2.1.5 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" 40 | if check_argument "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout=0' 
>/dev/null 2>&1; then 41 | timeout=$(get_argument_value "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout') 42 | warn "$check_2_1_5" 43 | warn " * streaming-connection-idle-timeout: $timeout" 44 | else 45 | pass "$check_2_1_5" 46 | fi 47 | 48 | check_2_1_6="2.1.6 - Ensure that the --protect-kernel-defaults argument is set to true (Scored)" 49 | if check_argument "$CIS_KUBELET_CMD" '--protect-kernel-defaults=true' >/dev/null 2>&1; then 50 | pass "$check_2_1_6" 51 | else 52 | warn "$check_2_1_6" 53 | fi 54 | 55 | check_2_1_7="2.1.7 - Ensure that the --make-iptables-util-chains argument is set to true (Scored)" 56 | if check_argument "$CIS_KUBELET_CMD" '--make-iptables-util-chains=true' >/dev/null 2>&1; then 57 | pass "$check_2_1_7" 58 | else 59 | warn "$check_2_1_7" 60 | fi 61 | 62 | check_2_1_8="2.1.8 - Ensure that the --hostname-override argument is not set (Scored)" 63 | if check_argument "$CIS_KUBELET_CMD" '--hostname-override' >/dev/null 2>&1; then 64 | warn "$check_2_1_8" 65 | else 66 | pass "$check_2_1_8" 67 | fi 68 | 69 | check_2_1_9="2.1.9 - Ensure that the --event-qps argument is set to 0 (Scored)" 70 | if check_argument "$CIS_KUBELET_CMD" '--event-qps' >/dev/null 2>&1; then 71 | event=$(get_argument_value "$CIS_KUBELET_CMD" '--event-qps' | cut -d " " -f 1) 72 | if [ $event = "0" ]; then 73 | pass "$check_2_1_9" 74 | else 75 | warn "$check_2_1_9" 76 | warn " * event-qps: $event" 77 | fi 78 | else 79 | warn "$check_2_1_9" 80 | fi 81 | 82 | check_2_1_10="2.1.10 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" 83 | if check_argument "$CIS_KUBELET_CMD" '--tls-cert-file' >/dev/null 2>&1; then 84 | if check_argument "$CIS_KUBELET_CMD" '--tls-private-key-file' >/dev/null 2>&1; then 85 | cfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-cert-file') 86 | kfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-private-key-file') 87 | pass "$check_2_1_10" 88 | pass " * tls-cert-file: $cfile" 89 | pass " * 
tls-private-key-file: $kfile" 90 | else 91 | warn "$check_2_1_10" 92 | fi 93 | else 94 | warn "$check_2_1_10" 95 | fi 96 | 97 | check_2_1_11="2.1.11 - [DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)" 98 | pass "$check_2_1_11" 99 | 100 | check_2_1_12="2.1.12 - Ensure that the --rotate-certificates argument is not set to false (Scored)" 101 | if check_argument "$CIS_KUBELET_CMD" '--rotate-certificates=true' >/dev/null 2>&1; then 102 | pass "$check_2_1_12" 103 | else 104 | warn "$check_2_1_12" 105 | fi 106 | 107 | check_2_1_13="2.1.13 - Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" 108 | file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" 109 | found=$(sed -rn '/--feature-gates=RotateKubeletServerCertificate=true/p' $file) 110 | if [ -z "$found" ]; then 111 | warn "$check_2_1_13" 112 | else 113 | pass "$check_2_1_13" 114 | fi 115 | 116 | check_2_1_14="2.1.14 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)" 117 | if check_argument "$CIS_KUBELET_CMD" '--tls-cipher-suites' >/dev/null 2>&1; then 118 | ciphers=$(get_argument_value "$CIS_APISERVER_CMD" '--tls-cipher-suites'|cut -d " " -f 1) 119 | found=$(echo $ciphers| sed -rn '/(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)/p') 120 | if [ ! 
-z "$found" ]; then 121 | pass "$check_2_1_14" 122 | else 123 | warn "$check_2_1_14" 124 | fi 125 | else 126 | warn "$check_2_1_14" 127 | fi 128 | -------------------------------------------------------------------------------- /1.4.1/worker/worker_2_configure_files.sh: -------------------------------------------------------------------------------- 1 | info "2.2 - Configuration Files" 2 | 3 | check_2_2_1="2.2.1 - Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)" 4 | file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" 5 | 6 | if [ -f "$file" ]; then 7 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then 8 | pass "$check_2_2_1" 9 | else 10 | warn "$check_2_2_1" 11 | warn " * Wrong permissions for $file" 12 | fi 13 | else 14 | info "$check_2_2_1" 15 | info " * File not found" 16 | fi 17 | 18 | check_2_2_2="2.2.2 - Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)" 19 | file="/etc/kubernetes/kubelet.conf" 20 | if [ -f "$file" ]; then 21 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then 22 | pass "$check_2_2_2" 23 | else 24 | warn "$check_2_2_2" 25 | warn " * Wrong permissions for $file" 26 | fi 27 | else 28 | info "$check_2_2_2" 29 | info " * File not found" 30 | fi 31 | 32 | 33 | check_2_2_3="2.2.3 - Ensure that the kubelet.conf file ownership is set to root:root (Scored)" 34 | file="/etc/kubernetes/kubelet.conf" 35 | if [ -f "$file" ]; then 36 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 37 | pass "$check_2_2_3" 38 | else 39 | warn "$check_2_2_3" 40 | warn " * Wrong ownership for $file" 41 | fi 42 | else 43 | info "$check_2_2_3" 44 | fi 45 | 46 | check_2_2_4="2.2.4 - Ensure that the kubelet service file ownership is set to root:root (Scored)" 47 | 
file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" 48 | if [ -f "$file" ]; then 49 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 50 | pass "$check_2_2_4" 51 | else 52 | warn "$check_2_2_4" 53 | warn " * Wrong ownership for $file" 54 | fi 55 | else 56 | info "$check_2_2_4" 57 | fi 58 | 59 | check_2_2_5="2.2.5 - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)" 60 | file="" 61 | if check_argument "$CIS_PROXY_CMD" '--kubeconfig' >/dev/null 2>&1; then 62 | file=$(get_argument_value "$CIS_PROXY_CMD" '--kubeconfig'|cut -d " " -f 1) 63 | fi 64 | 65 | if [ -f "$file" ]; then 66 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then 67 | pass "$check_2_2_5" 68 | else 69 | warn "$check_2_2_5" 70 | warn " * Wrong permissions for $file" 71 | fi 72 | else 73 | info "$check_2_2_5" 74 | info " * --kubeconfig not set" 75 | fi 76 | 77 | check_2_2_6="2.2.6 - Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)" 78 | file="" 79 | if check_argument "$CIS_PROXY_CMD" '--kubeconfig' >/dev/null 2>&1; then 80 | file=$(get_argument_value "$CIS_PROXY_CMD" '--kubeconfig'|cut -d " " -f 1) 81 | fi 82 | if [ -f "$file" ]; then 83 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 84 | pass "$check_2_2_6" 85 | else 86 | warn "$check_2_2_6" 87 | warn " * Wrong ownership for $file" 88 | fi 89 | else 90 | info "$check_2_2_6" 91 | info " * --kubeconfig not set" 92 | fi 93 | 94 | check_2_2_7="2.2.7 - Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" 95 | if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then 96 | file=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file') 97 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then 98 | pass "$check_2_2_7" 99 | pass " * 
client-ca-file: $file" 100 | else 101 | warn "$check_2_2_7" 102 | warn " * Wrong permissions for $file" 103 | fi 104 | else 105 | info "$check_2_2_7" 106 | info " * --client-ca-file not set" 107 | fi 108 | 109 | check_2_2_8="2.2.8 - Ensure that the client certificate authorities file ownership is set to root:root (Scored)" 110 | if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then 111 | file=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file') 112 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 113 | pass "$check_2_2_8" 114 | pass " * client-ca-file: $file" 115 | else 116 | warn "$check_2_2_8" 117 | warn " * Wrong ownership for $file" 118 | fi 119 | else 120 | info "$check_2_2_8" 121 | info " * --client-ca-file not set" 122 | fi 123 | 124 | check_2_2_9="2.2.9 - Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)" 125 | if check_argument "$CIS_KUBELET_CMD" '--config' >/dev/null 2>&1; then 126 | file=$(get_argument_value "$CIS_KUBELET_CMD" '--config') 127 | if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 -o "$(stat -c %a $file)" -eq 400 ]; then 128 | pass "$check_2_2_9" 129 | pass " * config: $file" 130 | else 131 | warn "$check_2_2_9" 132 | warn " * Wrong permissions for $file" 133 | fi 134 | else 135 | info "$check_2_2_9" 136 | info " * --config not set" 137 | fi 138 | 139 | check_2_2_10="2.2.10 - Ensure that the kubelet configuration file ownership is set to root:root (Scored)" 140 | if check_argument "$CIS_KUBELET_CMD" '--config' >/dev/null 2>&1; then 141 | file=$(get_argument_value "$CIS_KUBELET_CMD" '--config') 142 | if [ "$(stat -c %u%g $file)" -eq 00 ]; then 143 | pass "$check_2_2_10" 144 | pass " * client: $file" 145 | else 146 | warn "$check_2_2_10" 147 | warn " * Wrong ownership for $file" 148 | fi 149 | else 150 | info "$check_2_2_10" 151 | info " * --config not set" 152 | fi 153 | 
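# ===== /1.5.1/master/2_etcd.sh =====
info "2 - etcd"

# etcd_flag FLAG — true when FLAG appears on the etcd command line.
# check_argument/get_argument_value live in helper.sh (not shown); judging by
# their use throughout these scripts they match the given text against the
# process arguments, so '--foo' also matches '--foo=bar'.
etcd_flag() {
  check_argument "$CIS_ETCD_CMD" "$1" >/dev/null 2>&1
}

# etcd_flag_true FLAG — true when a boolean FLAG is effectively on: present and
# not given as FLAG=false (a bare '--foo' means true). The old tests looked
# only for '--foo=true' (or mere presence for 2.2), so a bare '--auto-tls'
# slipped through and '--client-cert-auth=false' counted as a pass.
etcd_flag_true() {
  etcd_flag "$1" && ! etcd_flag "$1=false"
}

# etcd_pair TITLE LABEL1 FLAG1 LABEL2 FLAG2 — pass TITLE and echo both values
# when FLAG1 and FLAG2 are both set; warn otherwise.
etcd_pair() {
  local title=$1 label1=$2 flag1=$3 label2=$4 flag2=$5
  if etcd_flag "$flag1" && etcd_flag "$flag2"; then
    pass "$title"
    pass " * $label1: $(get_argument_value "$CIS_ETCD_CMD" "$flag1")"
    pass " * $label2: $(get_argument_value "$CIS_ETCD_CMD" "$flag2")"
  else
    warn "$title"
  fi
}

check_2_1="2.1 - Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
etcd_pair "$check_2_1" cert-file --cert-file key-file --key-file

check_2_2="2.2 - Ensure that the --client-cert-auth argument is set to true (Scored)"
if etcd_flag_true '--client-cert-auth'; then
  pass "$check_2_2"
else
  warn "$check_2_2"
fi

check_2_3="2.3 - Ensure that the --auto-tls argument is not set to true (Scored)"
if etcd_flag_true '--auto-tls'; then
  warn "$check_2_3"
else
  pass "$check_2_3"
fi

check_2_4="2.4 - Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
etcd_pair "$check_2_4" peer-cert-file --peer-cert-file peer-key-file --peer-key-file

check_2_5="2.5 - Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
if etcd_flag_true '--peer-client-cert-auth'; then
  pass "$check_2_5"
else
  warn "$check_2_5"
fi

check_2_6="2.6 - Ensure that the --peer-auto-tls argument is not set to true (Scored)"
if etcd_flag_true '--peer-auto-tls'; then
  warn "$check_2_6"
else
  pass "$check_2_6"
fi

# TODO(upstream): apiserver vs kube-apiserver
check_2_7="2.7 - Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
if ! etcd_flag '--trusted-ca-file'; then
  warn "$check_2_7"
  warn " * trusted-ca-file doesn't exist"
elif ! check_argument "$CIS_APISERVER_CMD" '--client-ca-file' >/dev/null 2>&1; then
  warn "$check_2_7"
  warn " * client-ca-file doesn't exist"
else
  tfile=$(get_argument_value "$CIS_ETCD_CMD" '--trusted-ca-file')
  cfile=$(get_argument_value "$CIS_APISERVER_CMD" '--client-ca-file')
  # "Unique" means etcd must NOT trust the same CA the API server uses for
  # client authentication. The old code passed when the two paths were equal,
  # which is exactly the finding this check exists to report.
  if [ "$tfile" = "$cfile" ]; then
    warn "$check_2_7"
    warn " * trusted-ca-file: $tfile"
    warn " * client-ca-file: $cfile"
  else
    pass "$check_2_7"
    pass " * trusted-ca-file: $tfile"
    pass " * client-ca-file: $cfile"
  fi
fi

# ===== /1.5.1/master/3_control_plane_configuration.sh =====
info "3 - Control Plane Configuration"

info "3.1 - Authentication and Authorization"

check_3_1_1="3.1.1 - Client certificate authentication should not be used for users (Not Scored)"
info "$check_3_1_1"
info " * Review user access to the cluster and ensure that users are not making use of Kubernetes client certificate authentication."

info "3.2 - Logging"

check_3_2_1="3.2.1 - Ensure that a minimal audit policy is created (Scored)"
# Only the presence of the flag is checked; the policy's content is left to
# the manual review in 3.2.2.
if check_argument "$CIS_APISERVER_CMD" '--audit-policy-file' >/dev/null 2>&1; then
  audit_policy_file=$(get_argument_value "$CIS_APISERVER_CMD" '--audit-policy-file')
  pass "$check_3_2_1"
  pass " * audit-policy-file: $audit_policy_file"
else
  warn "$check_3_2_1"
fi

check_3_2_2="3.2.2 - Ensure that the audit policy covers key security concerns (Not Scored)"
info "$check_3_2_2"
info " * Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data."
info " * Modification of pod and deployment objects."
info " * Use of pods/exec, pods/portforward, pods/proxy and services/proxy."

# ===== /1.5.1/master/5_policies.sh =====
info "5 - Policies"
info "5.1 - RBAC and Service Accounts"

# Make the loop separator a newline and turn globbing off. ($'...' is a bash
# feature, not POSIX.) NOTE: both settings persist in the sourcing shell, so
# every file sourced after this one sees IFS=newline and no globbing.
set -f; IFS=$'\n'

# info_lines TEXT — print every non-empty line of TEXT as an indented bullet.
info_lines() {
  local line
  while IFS= read -r line; do
    if [ -n "$line" ]; then
      info " * $line"
    fi
  done <<<"$1"
}

check_5_1_1="5.1.1 - Ensure that the cluster-admin role is only used where required (Not Scored)"
# Only bindings whose roleRef is cluster-admin matter here; the header row is
# kept so the columns stay labelled.
cluster_admins=$(kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name | awk 'NR == 1 || $2 == "cluster-admin"')
info "$check_5_1_1"
info_lines "$cluster_admins"

check_5_1_2="5.1.2 - Minimize access to secrets (Not Scored)"
# TODO(review): this lists PodSecurityPolicies, which says nothing about who
# can read Secrets; the audit wants the RBAC rules granting get/list/watch on
# secrets. Kept as-is until that listing is written.
policies=$(kubectl get psp)
info "$check_5_1_2"
info_lines "$policies"

check_5_1_3="5.1.3 - Create administrative boundaries between resources using namespaces (Not Scored)"
namespaces=$(kubectl get namespaces)
info "$check_5_1_3"
info_lines "$namespaces"

check_5_1_4="5.1.4 - Create network segmentation using Network Policies (Not Scored)"
# The check is about NetworkPolicy objects; the old code listed kube-system
# pods instead.
policies=$(kubectl get networkpolicies --all-namespaces)
info "$check_5_1_4"
info_lines "$policies"

check_5_1_5="5.1.5 - Avoid using Kubernetes Secrets (Not Scored)"
# Cluster-wide: without --all-namespaces only the current namespace's secrets
# were listed.
secrets=$(kubectl get secrets --all-namespaces)
info "$check_5_1_5"
info_lines "$secrets"

#TODO
check_5_1_6="5.1.6 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
info "$check_5_1_6"
check_5_1_7="5.1.7 - Apply Security Context to Your Pods and Containers (Not Scored)"
info "$check_5_1_7"
check_5_1_8="5.1.8 - Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
info "$check_5_1_8"
check_5_1_9="5.1.9 - Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)"
info "$check_5_1_9"

info "5.2 - Pod Security Policies"

# 5.2.x are informational here even where the benchmark scores them; the
# 1.4.1 master_7 script has PSP checks that could be ported.
check_5_2_1="5.2.1 - Minimize the admission of privileged containers (Not Scored)"
info "$check_5_2_1"
check_5_2_2="5.2.2 - Minimize the admission of containers wishing to share the host process ID namespace (Scored)"
info "$check_5_2_2"
check_5_2_3="5.2.3 - Minimize the admission of containers wishing to share the host IPC namespace (Scored)"
info "$check_5_2_3"
check_5_2_4="5.2.4 - Minimize the admission of containers wishing to share the host network namespace (Scored)"
info "$check_5_2_4"
check_5_2_5="5.2.5 - Minimize the admission of containers with allowPrivilegeEscalation (Scored)"
info "$check_5_2_5"
check_5_2_6="5.2.6 - Minimize the admission of root containers (Not Scored)"
info "$check_5_2_6"
check_5_2_7="5.2.7 - Minimize the admission of containers with the NET_RAW capability (Not Scored)"
info "$check_5_2_7"
check_5_2_8="5.2.8 - Minimize the admission of containers with added capabilities (Not Scored)"
info "$check_5_2_8"
check_5_2_9="5.2.9 - Minimize the admission of containers with capabilities assigned (Not Scored)"
info "$check_5_2_9"

info "5.3 - Network Policies and CNI"
check_5_3_1="5.3.1 - Ensure that the CNI in use supports Network Policies (Not Scored)"
info "$check_5_3_1"

check_5_3_2="5.3.2 - Ensure that all Namespaces have Network Policies defined (Scored)"
# Scored, so actually evaluated: namespaces minus namespaces that own at least
# one NetworkPolicy (both lists one name per line, C-sorted for comm).
all_ns=$(kubectl get namespaces -o=custom-columns=NAME:.metadata.name --no-headers 2>/dev/null | LC_ALL=C sort)
ns_with_netpol=$(kubectl get networkpolicies --all-namespaces -o=custom-columns=NAMESPACE:.metadata.namespace --no-headers 2>/dev/null | LC_ALL=C sort -u)
if [ -z "$all_ns" ]; then
  warn "$check_5_3_2"
  warn " * could not list namespaces"
else
  ns_without_netpol=$(LC_ALL=C comm -23 <(printf '%s\n' "$all_ns") <(printf '%s\n' "$ns_with_netpol"))
  if [ -z "$ns_without_netpol" ]; then
    pass "$check_5_3_2"
  else
    warn "$check_5_3_2"
    info_lines "$ns_without_netpol"
  fi
fi

info "5.4 - Secrets Management"
check_5_4_1="5.4.1 - Prefer using secrets as files over secrets as environment variables (Not Scored)"
info "$check_5_4_1"
check_5_4_2="5.4.2 - Consider external secret storage (Not Scored)"
info "$check_5_4_2"

info "5.5 - Extensible Admission Control"
check_5_5_1="5.5.1 - Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
info "$check_5_5_1"

info "5.6 - General Policies"
check_5_6_1="5.6.1 - Create administrative boundaries between resources using namespaces (Not Scored)"
info "$check_5_6_1"
#todo remedition
check_5_6_2="5.6.2 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
info "$check_5_6_2"
check_5_6_3="5.6.3 - Apply Security Context to Your Pods and Containers (Not Scored)"
info "$check_5_6_3"

check_5_6_4="5.6.4 - The default namespace should not be used (Scored)"
# Scored, so actually evaluated: anything in "default" other than the
# built-in kubernetes Service is a finding.
default_ns_objects=$(kubectl get all -n default -o name 2>/dev/null | grep -v -x 'service/kubernetes')
if [ -z "$default_ns_objects" ]; then
  pass "$check_5_6_4"
else
  warn "$check_5_6_4"
  info_lines "$default_ns_objects"
fi

# ===== /1.5.1/worker/4_worker_nodes.sh =====
info "4.1 - Worker Node Configuration Files"

# ---- helpers local to this file ---------------------------------------------

# mode_within MODE MAX — true when octal MODE sets no permission bit that
# octal MAX does not ("MAX or more restrictive"); replaces the fixed
# 644/600/400 list, which wrongly warned on e.g. 640 or 444.
mode_within() {
  [ -n "$1" ] && [ $(( 8#$1 & ~8#$2 )) -eq 0 ]
}

# wn_check_mode TITLE PATH MAX — pass TITLE when PATH's mode is within MAX,
# warn otherwise. Returns 0 on pass, 1 on warn; PATH must exist.
wn_check_mode() {
  local title=$1 path=$2 max=$3
  if mode_within "$(stat -c %a -- "$path")" "$max"; then
    pass "$title"
  else
    warn "$title"
    warn " * Wrong permissions for $path"
    return 1
  fi
}

# wn_check_owner TITLE PATH — pass TITLE when PATH is owned by root:root,
# warn otherwise. Returns 0 on pass, 1 on warn; PATH must exist.
wn_check_owner() {
  local title=$1 path=$2
  if [ "$(stat -c %u:%g -- "$path" 2>/dev/null)" = "0:0" ]; then
    pass "$title"
  else
    warn "$title"
    warn " * Wrong ownership for $path"
    return 1
  fi
}

# kubelet_flag FLAG / kubelet_flag_value FLAG — kubelet command-line lookups
# via check_argument/get_argument_value from helper.sh.
kubelet_flag() {
  check_argument "$CIS_KUBELET_CMD" "$1" >/dev/null 2>&1
}
kubelet_flag_value() {
  get_argument_value "$CIS_KUBELET_CMD" "$1"
}

check_4_1_1="4.1.1 - Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
if [ -f "$file" ]; then
  wn_check_mode "$check_4_1_1" "$file" 644
else
  info "$check_4_1_1"
  info " * The kubelet service file not found"
fi

check_4_1_2="4.1.2 - Ensure that the kubelet service file ownership is set to root:root (Scored)"
if [ -f "$file" ]; then
  wn_check_owner "$check_4_1_2" "$file"
else
  info "$check_4_1_2"
fi

# proxy kubeconfig: --kubeconfig when kube-proxy is started with it, else the
# well-known locations the old 4.1.5 block probed (kops, then
# /etc/kubernetes/proxy).
file=""
if check_argument "$CIS_PROXY_CMD" '--kubeconfig' >/dev/null 2>&1; then
  file=$(get_argument_value "$CIS_PROXY_CMD" '--kubeconfig' | cut -d " " -f 1)
fi
if [ -z "$file" ]; then
  for candidate in /var/lib/kube-proxy/kubeconfig /etc/kubernetes/proxy; do
    if [ -f "$candidate" ]; then
      file=$candidate
      break
    fi
  done
fi

check_4_1_3="4.1.3 - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
if [ -f "$file" ]; then
  wn_check_mode "$check_4_1_3" "$file" 644
else
  info "$check_4_1_3"
  info " * kubeconfig file not found"
fi

check_4_1_4="4.1.4 - Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
if [ -f "$file" ]; then
  wn_check_owner "$check_4_1_4" "$file"
else
  info "$check_4_1_4"
  info " * kubeconfig file not found"
fi

# kubelet.conf: the kubelet's own --kubeconfig when given, else the path the
# 1.4.1 checks use. The old 4.1.5/4.1.6 examined kube-proxy's kubeconfig here,
# which 4.1.3/4.1.4 already cover.
file=""
if kubelet_flag '--kubeconfig'; then
  file=$(kubelet_flag_value '--kubeconfig' | cut -d " " -f 1)
fi
if [ -z "$file" ]; then
  file="/etc/kubernetes/kubelet.conf"
fi

check_4_1_5="4.1.5 - Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
if [ -f "$file" ]; then
  wn_check_mode "$check_4_1_5" "$file" 644
else
  info "$check_4_1_5"
  info " * File not found"
fi

check_4_1_6="4.1.6 - Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
if [ -f "$file" ]; then
  wn_check_owner "$check_4_1_6" "$file"
else
  info "$check_4_1_6"
fi

# 4.1.7–4.1.10 take the path from a kubelet flag; a flag that points at a
# missing file is now a warn instead of a stat error inside [ ].
check_4_1_7="4.1.7 - Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
if kubelet_flag '--client-ca-file'; then
  file=$(kubelet_flag_value '--client-ca-file')
  if [ -f "$file" ]; then
    wn_check_mode "$check_4_1_7" "$file" 644 && pass " * client-ca-file: $file"
  else
    warn "$check_4_1_7"
    warn " * File not found:$file"
  fi
else
  info "$check_4_1_7"
  info " * --client-ca-file not set"
fi

check_4_1_8="4.1.8 - Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
if kubelet_flag '--client-ca-file'; then
  file=$(kubelet_flag_value '--client-ca-file')
  if [ -f "$file" ]; then
    wn_check_owner "$check_4_1_8" "$file" && pass " * client-ca-file: $file"
  else
    warn "$check_4_1_8"
    warn " * File not found:$file"
  fi
else
  info "$check_4_1_8"
  info " * --client-ca-file not set"
fi

check_4_1_9="4.1.9 - Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
if kubelet_flag '--config'; then
  file=$(kubelet_flag_value '--config')
  if [ -f "$file" ]; then
    wn_check_mode "$check_4_1_9" "$file" 644 && pass " * kubelet configuration file: $file"
  else
    warn "$check_4_1_9"
    warn " * File not found:$file"
  fi
else
  info "$check_4_1_9"
  info " * kubelet configuration file not set"
fi

check_4_1_10="4.1.10 - Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
if kubelet_flag '--config'; then
  file=$(kubelet_flag_value '--config')
  if [ -f "$file" ]; then
    wn_check_owner "$check_4_1_10" "$file" && pass " * kubelet configuration file: $file"
  else
    warn "$check_4_1_10"
    warn " * File not found:$file"
  fi
else
  info "$check_4_1_10"
  info " * kubelet configuration file not set"
fi

info "4.2 - Kubelet"

#todo review all audits
check_4_2_1="4.2.1 - Ensure that the anonymous-auth argument is set to false (Scored)"
if kubelet_flag '--anonymous-auth=false'; then
  pass "$check_4_2_1"
else
  warn "$check_4_2_1"
fi

check_4_2_2="4.2.2 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
if kubelet_flag '--authorization-mode=AlwaysAllow'; then
  warn "$check_4_2_2"
else
  pass "$check_4_2_2"
fi

check_4_2_3="4.2.3 - Ensure that the --client-ca-file argument is set as appropriate (Scored)"
if kubelet_flag '--client-ca-file'; then
  cafile=$(kubelet_flag_value '--client-ca-file')
  pass "$check_4_2_3"
  pass " * client-ca-file: $cafile"
else
  warn "$check_4_2_3"
fi

check_4_2_4="4.2.4 - Ensure that the --read-only-port argument is set to 0 (Scored)"
if kubelet_flag '--read-only-port'; then
  port=$(kubelet_flag_value '--read-only-port' | cut -d " " -f 1)
  # quoted: an empty value used to be a syntax error inside [ ]
  if [ "$port" = "0" ]; then
    pass "$check_4_2_4"
  else
    warn "$check_4_2_4"
    warn " * read-only-port: $port"
  fi
else
  warn "$check_4_2_4"
fi

check_4_2_5="4.2.5 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
if kubelet_flag '--streaming-connection-idle-timeout=0'; then
  timeout=$(kubelet_flag_value '--streaming-connection-idle-timeout')
  warn "$check_4_2_5"
  warn " * streaming-connection-idle-timeout: $timeout"
else
  pass "$check_4_2_5"
fi

check_4_2_6="4.2.6 - Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
if kubelet_flag '--protect-kernel-defaults=true'; then
  pass "$check_4_2_6"
else
  warn "$check_4_2_6"
fi

check_4_2_7="4.2.7 - Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
if kubelet_flag '--make-iptables-util-chains=true'; then
  pass "$check_4_2_7"
else
  warn "$check_4_2_7"
fi

check_4_2_8="4.2.8 - Ensure that the --hostname-override argument is not set (Not Scored)"
if kubelet_flag '--hostname-override'; then
  warn "$check_4_2_8"
else
  pass "$check_4_2_8"
fi

check_4_2_9="4.2.9 - Ensure that the --event-qps argument is set to 0 or a level which ensures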
appropriate event capture (Not Scored)" 222 | if check_argument "$CIS_KUBELET_CMD" '--event-qps=0' >/dev/null 2>&1; then 223 | pass "$check_4_2_9" 224 | else 225 | warn "$check_4_2_9" 226 | fi 227 | 228 | check_4_2_10="4.2.10 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" 229 | if check_argument "$CIS_KUBELET_CMD" '--tls-cert-file' >/dev/null 2>&1; then 230 | if check_argument "$CIS_KUBELET_CMD" '--tls-private-key-file' >/dev/null 2>&1; then 231 | cfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-cert-file') 232 | kfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-private-key-file') 233 | pass "$check_4_2_10" 234 | pass " * tls-cert-file: $cfile" 235 | pass " * tls-private-key-file: $kfile" 236 | else 237 | warn "$check_4_2_10" 238 | fi 239 | else 240 | warn "$check_4_2_10" 241 | fi 242 | 243 | check_4_2_11="4.2.11 - Ensure that the --rotate-certificates argument is not set to false (Scored)" 244 | if check_argument "$CIS_KUBELET_CMD" '--event-qps' >/dev/null 2>&1; then 245 | event=$(get_argument_value "$CIS_KUBELET_CMD" '--event-qps' | cut -d " " -f 1) 246 | if [ $event = "0" ]; then 247 | pass "$check_4_2_11" 248 | else 249 | warn "$check_4_2_11" 250 | warn " * event-qps: $event" 251 | fi 252 | else 253 | warn "$check_4_2_11" 254 | fi 255 | 256 | check_4_2_12="4.2.12 - Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" 257 | file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" 258 | found=$(sed -rn '/--feature-gates=RotateKubeletServerCertificate=true/p' $file) 259 | if [ -z "$found" ]; then 260 | warn "$check_4_2_12" 261 | else 262 | pass "$check_4_2_12" 263 | fi 264 | 265 | check_4_2_13="4.2.13 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)" 266 | if check_argument "$CIS_KUBELET_CMD" '--cadvisor-port' >/dev/null 2>&1; then 267 | port=$(get_argument_value "$CIS_KUBELET_CMD" '--cadvisor-port' | cut -d " " -f 1) 268 | if [ 
$port = "0" ]; then 269 | pass "$check_4_2_13" 270 | else 271 | warn "$check_4_2_13" 272 | warn " * cadvisor-port: $port" 273 | fi 274 | else 275 | warn "$check_4_2_13" 276 | fi 277 | 278 | -------------------------------------------------------------------------------- /1.6.0/master/2_etcd.sh: -------------------------------------------------------------------------------- 1 | info "2 - etcd" 2 | 3 | check_2_1="2.1 - Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)" 4 | if check_argument "$CIS_ETCD_CMD" '--cert-file' >/dev/null 2>&1; then 5 | if check_argument "$CIS_ETCD_CMD" '--key-file' >/dev/null 2>&1; then 6 | cfile=$(get_argument_value "$CIS_ETCD_CMD" '--cert-file') 7 | kfile=$(get_argument_value "$CIS_ETCD_CMD" '--key-file') 8 | pass "$check_2_1" 9 | pass " * cert-file: $cfile" 10 | pass " * key-file: $kfile" 11 | else 12 | warn "$check_2_1" 13 | fi 14 | else 15 | warn "$check_2_1" 16 | fi 17 | 18 | check_2_2="2.2 - Ensure that the --client-cert-auth argument is set to true (Automated)" 19 | if check_argument "$CIS_ETCD_CMD" '--client-cert-auth' >/dev/null 2>&1; then 20 | pass "$check_2_2" 21 | else 22 | warn "$check_2_2" 23 | fi 24 | 25 | check_2_3="2.3 - Ensure that the --auto-tls argument is not set to true (Automated)" 26 | if check_argument "$CIS_ETCD_CMD" '--auto-tls=true' >/dev/null 2>&1; then 27 | warn "$check_2_3" 28 | else 29 | pass "$check_2_3" 30 | fi 31 | 32 | check_2_4="2.4 - Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)" 33 | if check_argument "$CIS_ETCD_CMD" '--peer-cert-file' >/dev/null 2>&1; then 34 | if check_argument "$CIS_ETCD_CMD" '--peer-key-file' >/dev/null 2>&1; then 35 | cfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-cert-file') 36 | kfile=$(get_argument_value "$CIS_ETCD_CMD" '--peer-key-file') 37 | pass "$check_2_4" 38 | pass " * peer-cert-file: $cfile" 39 | pass " * peer-key-file: $kfile" 40 | else 41 | warn "$check_2_4" 42 | fi 43 | 
else 44 | warn "$check_2_4" 45 | fi 46 | 47 | check_2_5="2.5 - Ensure that the --peer-client-cert-auth argument is set to true (Automated)" 48 | if check_argument "$CIS_ETCD_CMD" '--peer-client-cert-auth=true' >/dev/null 2>&1; then 49 | pass "$check_2_5" 50 | else 51 | warn "$check_2_5" 52 | fi 53 | 54 | check_2_6="2.6 - Ensure that the --peer-auto-tls argument is not set to true (Automated)" 55 | if check_argument "$CIS_ETCD_CMD" '--peer-auto-tls=true' >/dev/null 2>&1; then 56 | warn "$check_2_6" 57 | else 58 | pass "$check_2_6" 59 | fi 60 | 61 | #todo apiserver vs kube-apiserver 62 | check_2_7="2.7 - Ensure that a unique Certificate Authority is used for etcd (Manual)" 63 | if check_argument "$CIS_ETCD_CMD" '--trusted-ca-file' >/dev/null 2>&1; then 64 | if check_argument "$CIS_APISERVER_CMD" '--client-ca-file' >/dev/null 2>&1; then 65 | tfile=$(get_argument_value "$CIS_ETCD_CMD" '--trusted-ca-file') 66 | cfile=$(get_argument_value "$CIS_APISERVER_CMD" '--client-ca-file') 67 | if [ "$tfile" = "$cfile" ]; then 68 | pass "$check_2_7" 69 | pass " * trusted-ca-file: $tfile" 70 | pass " * client-ca-file: $cfile" 71 | else 72 | warn "$check_2_7" 73 | fi 74 | else 75 | warn "$check_2_7" 76 | warn " * client-ca-file doesn't exist" 77 | fi 78 | else 79 | warn "$check_2_7" 80 | warn " * trusted-ca-file doesn't exist" 81 | fi 82 | -------------------------------------------------------------------------------- /1.6.0/master/3_control_plane_configuration.sh: -------------------------------------------------------------------------------- 1 | info "3 - Control Plane Configuration" 2 | 3 | info "3.1 - Authentication and Authorization" 4 | 5 | check_3_1_1="3.1.1 - Client certificate authentication should not be used for users (Manual)" 6 | info "$check_3_1_1" 7 | info " * Review user access to the cluster and ensure that users are not making use of Kubernetes client certificate authentication." 
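info "3.2 - Logging"

check_3_2_1="3.2.1 - Ensure that a minimal audit policy is created (Manual)"
# Only the presence of an audit policy is verified; its content is left to 3.2.2.
if check_argument "$CIS_APISERVER_CMD" '--audit-policy-file' >/dev/null 2>&1; then
  auditPolicyFile=$(get_argument_value "$CIS_APISERVER_CMD" '--audit-policy-file')
  pass "$check_3_2_1"
  pass " * audit-policy-file: $auditPolicyFile"
else
  warn "$check_3_2_1"
fi

check_3_2_2="3.2.2 - Ensure that the audit policy covers key security concerns (Manual)"
info "$check_3_2_2"
info " * Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data."
info " * Modification of pod and deployment objects."
info " * Use of pods/exec, pods/portforward, pods/proxy and services/proxy."

--------------------------------------------------------------------------------
/1.6.0/master/5_policies.sh:
--------------------------------------------------------------------------------
# Policy checks (section 5). These are manual items: the script lists the
# relevant cluster objects via kubectl for a reviewer to inspect.
info "5 - Policies"
info "5.1 - RBAC and Service Accounts"

# Make the loop separator be a new-line in POSIX compliant fashion
# (a literal newline inside single quotes is portable; $'\n' is not).
# Globbing is disabled so kubectl output is never expanded as patterns;
# neither setting is restored afterwards.
set -f; IFS='
'

check_5_1_1="5.1.1 - Ensure that the cluster-admin role is only used where required (Manual)"
# Lists every ClusterRoleBinding; the reviewer filters on the ROLE column.
cluster_admins=$(kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name)
info "$check_5_1_1"
for admin in $cluster_admins; do
  info " * $admin"
done

check_5_1_2="5.1.2 - Minimize access to secrets (Manual)"
policies=$(kubectl get psp)
info "$check_5_1_2"
for policy in $policies; do
  info " * $policy"
done

check_5_1_3="5.1.3 - Create administrative boundaries between resources using namespaces (Manual)"
namespaces=$(kubectl get namespaces)
info "$check_5_1_3"
for namespace in $namespaces; do
  info " * $namespace"
done

check_5_1_4="5.1.4 - Create network segmentation using Network Policies (Manual)"
# NOTE(review): this lists kube-system pods rather than NetworkPolicy objects;
# presumably so the reviewer can see which network plugin is deployed.
policies=$(kubectl get pods --namespace=kube-system)
info "$check_5_1_4"
for policy in $policies; do
  info " * $policy"
done

check_5_1_5="5.1.5 - Avoid using Kubernetes Secrets (Manual)"
# Secret names only (no contents), and only in the current namespace.
secrets=$(kubectl get secrets)
info "$check_5_1_5"
for secret in $secrets; do
  info " * $secret"
done

#TODO
check_5_1_6="5.1.6 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
info "$check_5_1_6"
check_5_1_7="5.1.7 - Apply Security Context to Your Pods and Containers (Manual)"
info "$check_5_1_7"
check_5_1_8="5.1.8 - Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
info "$check_5_1_8"
check_5_1_9="5.1.9 - Place compensating controls in the form of PSP and RBAC for privileged containers usage (Manual)"
info "$check_5_1_9"

info "5.2 - Pod Security Policies"

check_5_2_1="5.2.1 - Minimize the admission of privileged containers (Manual)"
info "$check_5_2_1"
check_5_2_2="5.2.2 - Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
info "$check_5_2_2"
check_5_2_3="5.2.3 - Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
info "$check_5_2_3"
check_5_2_4="5.2.4 - Minimize the admission of containers wishing to share the host network namespace (Manual)"
info "$check_5_2_4"
check_5_2_5="5.2.5 - Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
info "$check_5_2_5"
check_5_2_6="5.2.6 - Minimize the admission of root containers (Manual)"
info "$check_5_2_6"
check_5_2_7="5.2.7 - Minimize the admission of containers with the NET_RAW capability (Manual)"
info "$check_5_2_7"
check_5_2_8="5.2.8 - Minimize the admission of containers with added capabilities (Manual)"
info "$check_5_2_8"
check_5_2_9="5.2.9 - Minimize the admission of containers with capabilities assigned (Manual)"
info "$check_5_2_9"

info "5.3 - Network Policies and CNI"
check_5_3_1="5.3.1 - Ensure that the CNI in use supports Network Policies (Manual)"
info "$check_5_3_1"
check_5_3_2="5.3.2 - Ensure that all Namespaces have Network Policies defined (Manual)"
info "$check_5_3_2"

info "5.4 - Secrets Management"
check_5_4_1="5.4.1 - Prefer using secrets as files over secrets as environment variables (Manual)"
info "$check_5_4_1"
check_5_4_2="5.4.2 - Consider external secret storage (Manual)"
info "$check_5_4_2"

info "5.5 - Extensible Admission Control"
check_5_5_1="5.5.1 - Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
info "$check_5_5_1"

info "5.7 - General Policies"
check_5_7_1="5.7.1 - Create administrative boundaries between resources using namespaces (Manual)"
info "$check_5_7_1"
#todo remedition
check_5_7_2="5.7.2 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
info "$check_5_7_2"
check_5_7_3="5.7.3 - Apply Security Context to Your Pods and Containers (Manual)"
# Prints the 5.7.3 title (previously referenced an undefined check_5_6_3).
info "$check_5_7_3"
check_5_7_4="5.7.4 - The default namespace should not be used (Manual)"
info "$check_5_7_4"

--------------------------------------------------------------------------------
/1.6.0/worker/4_worker_nodes.sh:
--------------------------------------------------------------------------------
# Worker-node checks (section 4). info/pass/warn, check_argument and
# get_argument_value are presumably provided by helper.sh.
info "4.1 - Worker Node Configuration Files"

check_4_1_1="4.1.1 - Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)"
file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
if [ -f "$file" ]; then
  # "644 or more restrictive": no permission bit outside rw-r--r-- may be set.
  # 0133 is the complement of 0644 within 0777; the leading 0 turns the stat
  # output into an octal constant. An empty mode (stat failed) must not pass.
  mode=$(stat -c %a "$file" 2>/dev/null)
  if [ -n "$mode" ] && [ $(( 0$mode & 0133 )) -eq 0 ]; then
    pass "$check_4_1_1"
  else
    warn "$check_4_1_1"
    warn " * Wrong permissions for $file"
  fi
else
  info "$check_4_1_1"
  info " * The kubelet service file not found"
fi

check_4_1_2="4.1.2 - Ensure that the kubelet service file ownership is set to root:root (Automated)"
if [ -f "$file" ]; then
  # Numeric uid:gid so the result does not depend on /etc/passwd names.
  if [ "$(stat -c %u:%g "$file" 2>/dev/null)" = "0:0" ]; then
    pass "$check_4_1_2"
  else
    warn "$check_4_1_2"
    warn " * Wrong ownership for $file"
  fi
else
  info "$check_4_1_2"
fi

check_4_1_3="4.1.3 - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Manual)"
file=""
if check_argument "$CIS_PROXY_CMD" '--kubeconfig' >/dev/null 2>&1; then
  # Keep only the first whitespace-separated token of the argument value.
  file=$(get_argument_value "$CIS_PROXY_CMD" '--kubeconfig' | cut -d " " -f 1)
fi

if [ -f "$file" ]; then
  mode=$(stat -c %a "$file" 2>/dev/null)
  if [ -n "$mode" ] && [ $(( 0$mode & 0133 )) -eq 0 ]; then
    pass "$check_4_1_3"
  else
    warn "$check_4_1_3"
    warn " * Wrong permissions for $file"
  fi
else
  info "$check_4_1_3"
  info " * kubeconfig file not found"
fi

check_4_1_4="4.1.4 - Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)"
if [ -f "$file" ]; then
  if [ "$(stat -c %u:%g "$file" 2>/dev/null)" = "0:0" ]; then
    pass "$check_4_1_4"
  else
    warn "$check_4_1_4"
    warn " * Wrong ownership for $file"
  fi
else
  info "$check_4_1_4"
  info " * kubeconfig file not found"
fi

check_4_1_5="4.1.5 - Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Automated)"
# kubelet.conf is whatever the kubelet's --kubeconfig argument points at.
# TODO(review): the fallback paths below are kube-proxy kubeconfig locations,
# kept only for backward compatibility with the previous form of this check.
file=""
if check_argument "$CIS_KUBELET_CMD" '--kubeconfig' >/dev/null 2>&1; then
  file=$(get_argument_value "$CIS_KUBELET_CMD" '--kubeconfig' | cut -d " " -f 1)
elif [ -f "/var/lib/kube-proxy/kubeconfig" ]; then
  # kops
  file="/var/lib/kube-proxy/kubeconfig"
else
  file="/etc/kubernetes/proxy"
fi

if [ -f "$file" ]; then
  mode=$(stat -c %a "$file" 2>/dev/null)
  if [ -n "$mode" ] && [ $(( 0$mode & 0133 )) -eq 0 ]; then
    pass "$check_4_1_5"
  else
    warn "$check_4_1_5"
    warn " * Wrong permissions for $file"
  fi
else
  info "$check_4_1_5"
  info " * File not found"
fi

check_4_1_6="4.1.6 - Ensure that the kubelet.conf file ownership is set to root:root (Manual)"
if [ -f "$file" ]; then
  if [ "$(stat -c %u:%g "$file" 2>/dev/null)" = "0:0" ]; then
    pass "$check_4_1_6"
  else
    warn "$check_4_1_6"
    warn " * Wrong ownership for $file"
  fi
else
  info "$check_4_1_6"
fi

check_4_1_7="4.1.7 - Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)"
if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then
  file=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file')
  # A configured but missing file leaves mode empty and is reported as a warning.
  mode=$(stat -c %a "$file" 2>/dev/null)
  if [ -n "$mode" ] && [ $(( 0$mode & 0133 )) -eq 0 ]; then
    pass "$check_4_1_7"
    pass " * client-ca-file: $file"
  else
    warn "$check_4_1_7"
    warn " * Wrong permissions for $file"
  fi
else
  info "$check_4_1_7"
  info " * --client-ca-file not set"
fi

check_4_1_8="4.1.8 - Ensure that the client certificate authorities file ownership is set to root:root (Manual)"
if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then
  file=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file')
  if [ "$(stat -c %u:%g "$file" 2>/dev/null)" = "0:0" ]; then
    pass "$check_4_1_8"
    pass " * client-ca-file: $file"
  else
    warn "$check_4_1_8"
    warn " * Wrong ownership for $file"
  fi
else
  info "$check_4_1_8"
  info " * --client-ca-file not set"
fi

check_4_1_9="4.1.9 - Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)"
if check_argument "$CIS_KUBELET_CMD" '--config' >/dev/null 2>&1; then
  file=$(get_argument_value "$CIS_KUBELET_CMD" '--config')
  mode=$(stat -c %a "$file" 2>/dev/null)
  if [ -n "$mode" ] && [ $(( 0$mode & 0133 )) -eq 0 ]; then
    pass "$check_4_1_9"
    pass " * kubelet configuration file: $file"
  else
    warn "$check_4_1_9"
    warn " * Wrong permissions for $file"
  fi
else
  info "$check_4_1_9"
  info " * kubelet configuration file not set"
fi

check_4_1_10="4.1.10 - Ensure that the kubelet configuration file ownership is set to root:root (Automated)"
if check_argument "$CIS_KUBELET_CMD" '--config' >/dev/null 2>&1; then
  file=$(get_argument_value "$CIS_KUBELET_CMD" '--config')
  if [ "$(stat -c %u:%g "$file" 2>/dev/null)" = "0:0" ]; then
    pass "$check_4_1_10"
    pass " * kubelet configuration file: $file"
  else
    warn "$check_4_1_10"
    warn " * Wrong ownership for $file"
  fi
else
  info "$check_4_1_10"
  info " * kubelet configuration file not set"
fi

info "4.2 - Kubelet"

#todo review all audits
# NOTE(review): every check below applies check_argument to $CIS_KUBELET_CMD,
# so settings that live only in the kubelet --config file presumably go
# unnoticed — confirm against helper.sh.
check_4_2_1="4.2.1 - Ensure that the anonymous-auth argument is set to false (Automated)"
if check_argument "$CIS_KUBELET_CMD" '--anonymous-auth=false' >/dev/null 2>&1; then
  pass "$check_4_2_1"
else
  warn "$check_4_2_1"
fi

check_4_2_2="4.2.2 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
if check_argument "$CIS_KUBELET_CMD" '--authorization-mode=AlwaysAllow' >/dev/null 2>&1; then
  warn "$check_4_2_2"
else
  pass "$check_4_2_2"
fi

check_4_2_3="4.2.3 - Ensure that the --client-ca-file argument is set as appropriate (Automated)"
if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then
  cafile=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file')
  pass "$check_4_2_3"
  pass " * client-ca-file: $cafile"
else
  warn "$check_4_2_3"
fi

check_4_2_4="4.2.4 - Ensure that the --read-only-port argument is set to 0 (Manual)"
if check_argument "$CIS_KUBELET_CMD" '--read-only-port' >/dev/null 2>&1; then
  port=$(get_argument_value "$CIS_KUBELET_CMD" '--read-only-port' | cut -d " " -f 1)
  # Quoted so an empty value compares as a string instead of breaking the test.
  if [ "$port" = "0" ]; then
    pass "$check_4_2_4"
  else
    warn "$check_4_2_4"
    warn " * read-only-port: $port"
  fi
else
  warn "$check_4_2_4"
fi

check_4_2_5="4.2.5 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
if check_argument "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout=0' >/dev/null 2>&1; then
  timeout=$(get_argument_value "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout')
  warn "$check_4_2_5"
  warn " * streaming-connection-idle-timeout: $timeout"
else
  pass "$check_4_2_5"
fi

check_4_2_6="4.2.6 - Ensure that the --protect-kernel-defaults argument is set to true (Automated)"
if check_argument "$CIS_KUBELET_CMD" '--protect-kernel-defaults=true' >/dev/null 2>&1; then
  pass "$check_4_2_6"
else
  warn "$check_4_2_6"
fi

check_4_2_7="4.2.7 - Ensure that the --make-iptables-util-chains argument is set to true (Automated)"
if check_argument "$CIS_KUBELET_CMD" '--make-iptables-util-chains=true' >/dev/null 2>&1; then
  pass "$check_4_2_7"
else
  warn "$check_4_2_7"
fi

check_4_2_8="4.2.8 - Ensure that the --hostname-override argument is not set (Manual)"
if check_argument "$CIS_KUBELET_CMD" '--hostname-override' >/dev/null 2>&1; then
  warn "$check_4_2_8"
else
  pass "$check_4_2_8"
fi

check_4_2_9="4.2.9 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
if check_argument "$CIS_KUBELET_CMD" '--event-qps=0' >/dev/null 2>&1; then
  pass "$check_4_2_9"
else
  warn "$check_4_2_9"
fi

check_4_2_10="4.2.10 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
if check_argument "$CIS_KUBELET_CMD" '--tls-cert-file' >/dev/null 2>&1; then
  if check_argument "$CIS_KUBELET_CMD" '--tls-private-key-file' >/dev/null 2>&1; then
    cfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-cert-file')
    kfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-private-key-file')
    pass "$check_4_2_10"
    pass " * tls-cert-file: $cfile"
    pass " * tls-private-key-file: $kfile"
  else
    warn "$check_4_2_10"
  fi
else
  warn "$check_4_2_10"
fi

check_4_2_11="4.2.11 - Ensure that the --rotate-certificates argument is not set to false (Manual)"
# Only an explicit "false" fails this check; an absent flag is treated as
# compliant, mirroring the "not set to X" checks 4.2.2 and 4.2.5.
if check_argument "$CIS_KUBELET_CMD" '--rotate-certificates=false' >/dev/null 2>&1; then
  warn "$check_4_2_11"
else
  pass "$check_4_2_11"
fi

check_4_2_12="4.2.12 - Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
# Match the gate anywhere in a --feature-gates list, not only when it is the
# first or sole gate; a missing drop-in file simply yields no match.
if grep -q -- 'RotateKubeletServerCertificate=true' "$file" 2>/dev/null; then
  pass "$check_4_2_12"
else
  warn "$check_4_2_12"
fi

check_4_2_13="4.2.13 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
# NOTE(review): the title refers to cipher suites, but the audit below only
# inspects --cadvisor-port and does not verify cipher strength — TODO.
if check_argument "$CIS_KUBELET_CMD" '--cadvisor-port' >/dev/null 2>&1; then
  port=$(get_argument_value "$CIS_KUBELET_CMD" '--cadvisor-port' | cut -d " " -f 1)
  if [ "$port" = "0" ]; then
    pass "$check_4_2_13"
  else
    warn "$check_4_2_13"
    warn " * cadvisor-port: $port"
  fi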
else 275 | warn "$check_4_2_13" 276 | fi 277 | 278 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2017 NeuVector Inc. 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /NeuVector-Logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/neuvector/kubernetes-cis-benchmark/1814e612e12e2e89c198cbf8fab4868e39367a50/NeuVector-Logo.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CIS Kubernetes Benchmark 2 | 3 | ![CIS Kubernetes Benchmark output](https://raw.githubusercontent.com/neuvector/kubernetes-cis-benchmark/master/bench.png "CIS Kubernetes Benchmark output") 4 | 5 | This set of scripts can be used to check the Kubernetes installation against the best-practices. 
6 | 7 | ### Supported CIS Kubernetes versions 8 | 9 | | CIS Kubernetes Benchmark Version | Kubernetes versions | 10 | |---|---| 11 | | 1.0.0 | 1.6 | 12 | | 1.2.0 | 1.8 | 13 | | 1.5.1 | 1.15 | 14 | | 1.6.0 | 1.16 and later | 15 | 16 | ### Running the benchmark checks 17 | 18 | On the Kubernetes master nodes, 19 | ``` 20 | $ ./master.sh 21 | ``` 22 | 23 | On the Kubernetes worker nodes, 24 | ``` 25 | $ ./worker.sh 26 | ``` 27 | 28 | On the Kubernetes federation nodes (federation checks are provided for benchmark versions 1.0.0 and 1.2.0 only; `federation.sh` requires the benchmark version, i.e. the directory name, as its only argument), 29 | ``` 30 | $ ./federation.sh <benchmark-version>   # e.g. ./federation.sh 1.2.0 31 | ``` 32 | -------------------------------------------------------------------------------- /bench.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/neuvector/kubernetes-cis-benchmark/1814e612e12e2e89c198cbf8fab4868e39367a50/bench.png -------------------------------------------------------------------------------- /federation.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # ------------------------------------------------------------------------------ 3 | # Kubernetes CIS benchmark 4 | # 5 | # Neuvector, Inc. (c) 2016- 6 | # 7 | # ------------------------------------------------------------------------------ 8 | 9 | # Load dependencies 10 | . ./helper.sh 11 | 12 | ver=$1 13 | if [ -z "$1" ]; then 14 | warn "usage: ./federation.sh version" 15 | exit 16 | fi 17 | # Check for required program(s) 18 | req_progs='grep pgrep sed' 19 | for p in $req_progs; do 20 | command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; } 21 | done 22 | 23 | # Source every federation test for the requested benchmark version ($ver/federation/) and run it 24 | main () { 25 | info "3 - Federated Deployments" 26 | 27 | for test in $ver/federation/federation_*.sh 28 | do 29 | . 
./"$test" 30 | done 31 | } 32 | 33 | main "$@" 34 | 35 | -------------------------------------------------------------------------------- /gke/master/1_control_plane_components.sh: -------------------------------------------------------------------------------- 1 | info "1 - Control Plane Components" 2 | 3 | info "1.1 - Master Node Configuration Files" 4 | 5 | check_1_1_1="1.1.1 - Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Scored)" 6 | info "$check_1_1_1" 7 | 8 | check_1_1_2="1.1.2 - Ensure that the API server pod specification file ownership is set to root:root (Not Scored)" 9 | info "$check_1_1_2" 10 | 11 | check_1_1_3="1.1.3 - Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Not Scored)" 12 | info "$check_1_1_3" 13 | 14 | check_1_1_4="1.1.4 - Ensure that the controller manager pod specification file ownership is set to root:root (Not Scored)" 15 | info "$check_1_1_4" 16 | 17 | check_1_1_5="1.1.5 - Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Not Scored)" 18 | info "$check_1_1_5" 19 | 20 | check_1_1_6="1.1.6 - Ensure that the scheduler pod specification file ownership is set to root:root (Not Scored)" 21 | info "$check_1_1_6" 22 | 23 | check_1_1_7="1.1.7 - Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Not Scored)" 24 | info "$check_1_1_7" 25 | 26 | check_1_1_8="1.1.8 - Ensure that the etcd pod specification file ownership is set to root:root (Not Scored)" 27 | info "$check_1_1_8" 28 | 29 | check_1_1_9="1.1.9 - Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored)" 30 | info "$check_1_1_9" 31 | 32 | check_1_1_10="1.1.10 - Ensure that the Container Network Interface file ownership is set to root:root (Not Scored)" 33 | info "$check_1_1_10" 34 | 35 | check_1_1_11="1.1.11 - Ensure that the etcd data 
directory permissions are set to 700 or more restrictive (Not Scored)" 36 | info "$check_1_1_11" 37 | 38 | check_1_1_12="1.1.12 - Ensure that the etcd data directory ownership is set to etcd:etcd (Not Scored)" 39 | info "$check_1_1_12" 40 | 41 | check_1_1_13="1.1.13 - Ensure that the admin.conf file permissions are set to 644 or more restrictive (Not Scored)" 42 | info "$check_1_1_13" 43 | 44 | check_1_1_14="1.1.14 - Ensure that the admin.conf file ownership is set to root:root (Not Scored)" 45 | info "$check_1_1_14" 46 | 47 | check_1_1_15="1.1.15 - Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Not Scored)" 48 | info "$check_1_1_15" 49 | 50 | check_1_1_16="1.1.16 - Ensure that the scheduler.conf file ownership is set to root:root (Not Scored) " 51 | info "$check_1_1_16" 52 | 53 | check_1_1_17="1.1.17 - Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Not Scored)" 54 | info "$check_1_1_17" 55 | 56 | check_1_1_18="1.1.18 - Ensure that the controller-manager.conf file ownership is set to root:root (Not Scored) " 57 | info "$check_1_1_18" 58 | 59 | check_1_1_19="1.1.19 - Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Not Scored)" 60 | info "$check_1_1_19" 61 | 62 | check_1_1_20="1.1.20 - Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)" 63 | info "$check_1_1_20" 64 | 65 | check_1_1_21="1.1.21 - Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)" 66 | info "$check_1_1_21" 67 | 68 | info "1.2 - API Server" 69 | 70 | check_1_2_1="1.2.1 - Ensure that the --anonymous-auth argument is set to false (Not Scored)" 71 | info "$check_1_2_1" 72 | 73 | check_1_2_2="1.2.2 - Ensure that the --basic-auth-file argument is not set (Not Scored)" 74 | info "$check_1_2_2" 75 | 76 | check_1_2_3="1.2.3 - Ensure that the --token-auth-file parameter is not set (Not Scored)" 77 | info 
"$check_1_2_3" 78 | 79 | check_1_2_4="1.2.4 - Ensure that the --kubelet-https argument is set to true (Not Scored)" 80 | info "$check_1_2_4" 81 | 82 | check_1_2_5="1.2.5 - Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Not Scored)" 83 | info "$check_1_2_5" 84 | 85 | check_1_2_6="1.2.6 - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Not Scored)" 86 | info "$check_1_2_6" 87 | 88 | check_1_2_7="1.2.7 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Not Scored)" 89 | info "$check_1_2_7" 90 | 91 | check_1_2_8="1.2.8 - Ensure that the --authorization-mode argument includes Node (Not Scored)" 92 | info "$check_1_2_8" 93 | 94 | check_1_2_9="1.2.9 - Ensure that the --authorization-mode argument includes RBAC (Not Scored)" 95 | info "$check_1_2_9" 96 | 97 | check_1_2_10="1.2.10 - Ensure that the admission control plugin EventRateLimit is set (Not Scored)" 98 | info "$check_1_2_10" 99 | 100 | check_1_2_11="1.2.11 - Ensure that the admission control plugin AlwaysAdmit is not set (Not Scored)" 101 | info "$check_1_2_11" 102 | 103 | check_1_2_12="1.2.12 - Ensure that the admission control plugin AlwaysPullImages is set (Not Scored)" 104 | info "$check_1_2_12" 105 | 106 | check_1_2_13="1.2.13 - Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Not Scored)" 107 | info "$check_1_2_13" 108 | 109 | check_1_2_14="1.2.14 - Ensure that the admission control plugin ServiceAccount is set (Not Scored)" 110 | info "$check_1_2_14" 111 | 112 | check_1_2_15="1.2.15 - Ensure that the admission control plugin NamespaceLifecycle is set (Not Scored)" 113 | info "$check_1_2_15" 114 | 115 | check_1_2_16="1.2.16 - Ensure that the admission control plugin PodSecurityPolicy is set (Not Scored)" 116 | info "$check_1_2_16" 117 | 118 | check_1_2_17="1.2.17 - Ensure that the admission control plugin NodeRestriction is set (Not Scored)" 119 
| info "$check_1_2_17" 120 | 121 | check_1_2_18="1.2.18 - Ensure that the --insecure-bind-address argument is not set (Not Scored)" 122 | info "$check_1_2_18" 123 | 124 | check_1_2_19="1.2.19 - Ensure that the --insecure-port argument is set to 0 (Not Scored)" 125 | info "$check_1_2_19" 126 | 127 | check_1_2_20="1.2.20 - Ensure that the --secure-port argument is not set to 0 (Not Scored)" 128 | info "$check_1_2_20" 129 | 130 | check_1_2_21="1.2.21 - Ensure that the --profiling argument is set to false (Not Scored)" 131 | info "$check_1_2_21" 132 | 133 | check_1_2_22="1.2.22 - Ensure that the --audit-log-path argument is set (Not Scored)" 134 | info "$check_1_2_22" 135 | 136 | check_1_2_23="1.2.23 - Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Not Scored)" 137 | info "$check_1_2_23" 138 | 139 | check_1_2_24="1.2.24 - Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Not Scored)" 140 | info "$check_1_2_24" 141 | 142 | check_1_2_25="1.2.25 - Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Not Scored)" 143 | info "$check_1_2_25" 144 | 145 | check_1_2_26="1.2.26 - Ensure that the --request-timeout argument is set as appropriate (Not Scored)" 146 | info "$check_1_2_26" 147 | 148 | check_1_2_27="1.2.27 - Ensure that the --service-account-lookup argument is set to true (Not Scored)" 149 | info "$check_1_2_27" 150 | 151 | check_1_2_28="1.2.28 - Ensure that the --service-account-key-file argument is set as appropriate (Not Scored)" 152 | info "$check_1_2_28" 153 | 154 | check_1_2_29="1.2.29 - Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Not Scored)" 155 | info "$check_1_2_29" 156 | 157 | check_1_2_30="1.2.30 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Not Scored)" 158 | info "$check_1_2_30" 159 | 160 | check_1_2_31="1.2.31 - Ensure that the --client-ca-file argument is set as appropriate (Not 
Scored)" 161 | info "$check_1_2_31" 162 | 163 | check_1_2_32="1.2.32 - Ensure that the --etcd-cafile argument is set as appropriate (Not Scored)" 164 | info "$check_1_2_32" 165 | 166 | check_1_2_33="1.2.33 - Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)" 167 | info "$check_1_2_33" 168 | 169 | check_1_2_34="1.2.34 - Ensure that encryption providers are appropriately configured (Not Scored)" 170 | info "$check_1_2_34" 171 | 172 | check_1_2_35="1.2.35 - Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)" 173 | info "$check_1_2_35" 174 | 175 | info "1.3 - Controller Manager" 176 | 177 | check_1_3_1="1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)" 178 | info "$check_1_3_1" 179 | 180 | check_1_3_2="1.3.2 - Ensure that the --profiling argument is set to false (Not Scored)" 181 | info "$check_1_3_2" 182 | 183 | check_1_3_3="1.3.3 - Ensure that the --use-service-account-credentials argument is set to true (Not Scored)" 184 | info "$check_1_3_3" 185 | 186 | check_1_3_4="1.3.4 - Ensure that the --service-account-private-key-file argument is set as appropriate (Not Scored)" 187 | info "$check_1_3_4" 188 | 189 | check_1_3_5="1.3.5 - Ensure that the --root-ca-file argument is set as appropriate (Not Scored)" 190 | info "$check_1_3_5" 191 | 192 | check_1_3_6="1.3.6 - Ensure that the RotateKubeletServerCertificate argument is set to true (Not Scored)" 193 | info "$check_1_3_6" 194 | 195 | check_1_3_7="1.3.7 - Ensure that the --bind-address argument is set to 127.0.0.1 (Not Scored)" 196 | info "$check_1_3_7" 197 | 198 | info "1.4 - Scheduler" 199 | 200 | check_1_4_1="1.4.1 - Ensure that the --profiling argument is set to false (Not Scored)" 201 | info "$check_1_4_1" 202 | 203 | check_1_4_2="1.4.2 - Ensure that the --bind-address argument is set to 127.0.0.1 (Not Scored)" 204 | info "$check_1_4_2" 205 | 
-------------------------------------------------------------------------------- /gke/master/2_etcd.sh: -------------------------------------------------------------------------------- 1 | info "2 - etcd" 2 | 3 | check_2_1="2.1 - Ensure that the --cert-file and --key-file arguments are set as appropriate (Not Scored)" 4 | info "$check_2_1" 5 | 6 | check_2_2="2.2 - Ensure that the --client-cert-auth argument is set to true (Not Scored)" 7 | info "$check_2_2" 8 | 9 | check_2_3="2.3 - Ensure that the --auto-tls argument is not set to true (Not Scored)" 10 | info "$check_2_3" 11 | 12 | check_2_4="2.4 - Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Not Scored)" 13 | info "$check_2_4" 14 | 15 | check_2_5="2.5 - Ensure that the --peer-client-cert-auth argument is set to true (Not Scored)" 16 | info "$check_2_5" 17 | 18 | check_2_6="2.6 - Ensure that the --peer-auto-tls argument is not set to true (Not Scored)" 19 | info "$check_2_6" 20 | 21 | check_2_7="2.7 - Ensure that a unique Certificate Authority is used for etcd (Not Scored)" 22 | info "$check_2_7" 23 | -------------------------------------------------------------------------------- /gke/master/3_control_plane_configuration.sh: -------------------------------------------------------------------------------- 1 | info "3 - Control Plane Configuration" 2 | 3 | info "3.1 - Authentication and Authorization" 4 | 5 | check_3_1_1="3.1.1 - Client certificate authentication should not be used for users (Not Scored)" 6 | info "$check_3_1_1" 7 | info " * Review user access to the cluster and ensure that users are not making use of Kubernetes client certificate authentication." 
8 | 9 | info "3.2 - Logging" 10 | #todo review 11 | check_3_2_1="3.2.1 - Ensure that a minimal audit policy is created (Not Scored)" 12 | info "$check_3_2_1" 13 | 14 | check_3_2_2="3.2.2 - Ensure that the audit policy covers key security concerns (Not Scored)" 15 | info "$check_3_2_2" 16 | info " * Access to Secrets managed by the cluster. Care should be taken to only log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in order to avoid the risk of logging sensitive data." 17 | info " * Modification of pod and deployment objects." 18 | info " * Use of pods/exec, pods/portforward, pods/proxy and services/proxy." 19 | -------------------------------------------------------------------------------- /gke/master/5_policies.sh: -------------------------------------------------------------------------------- 1 | info "5 - Policies" 2 | info "5.1 - RBAC and Service Accounts" 3 | 4 | # Make the loop separator be a new-line in POSIX compliant fashion 5 | set -f; IFS=$' 6 | ' 7 | 8 | check_5_1_1="5.1.1 - Ensure that the cluster-admin role is only used where required (Not Scored)" 9 | cluster_admins=$(kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name) 10 | info "$check_5_1_1" 11 | for admin in $cluster_admins; do 12 | info " * $admin" 13 | done 14 | 15 | check_5_1_2="5.1.2 - Minimize access to secrets (Not Scored)" 16 | policies=$(kubectl get psp) 17 | info "$check_5_1_2" 18 | for policy in $policies; do 19 | info " * $policy" 20 | done 21 | 22 | check_5_1_3="5.1.3 - Minimize wildcard use in Roles and ClusterRoles (Not Scored)" 23 | namespaces=$(kubectl get namespaces) 24 | info "$check_5_1_3" 25 | for namespace in $namespaces; do 26 | info " * $namespace" 27 | done 28 | 29 | check_5_1_4="5.1.4 - Minimize access to create pods (Not Scored)" 30 | policies=$(kubectl get pods --namespace=kube-system) 31 | info "$check_5_1_4" 32 | for policy in $policies; do 33 | info " * $policy" 34 | done 35 | 36 | 
check_5_1_5="5.1.5 - Ensure that default service accounts are not actively used. (Scored)" 37 | secrets=$(kubectl get secrets) 38 | info "$check_5_1_5" 39 | for secret in $secrets; do 40 | info " * $secret" 41 | done 42 | 43 | #TODO 44 | check_5_1_6="5.1.6 - Ensure that Service Account Tokens are only mounted where necessary (Not Scored)" 45 | info "$check_5_1_6" 46 | 47 | info "5.2 - Pod Security Policies" 48 | 49 | check_5_2_1="5.2.1 - Minimize the admission of privileged containers (Scored)" 50 | info "$check_5_2_1" 51 | 52 | check_5_2_2="5.2.2 - Minimize the admission of containers wishing to share the host process ID namespace (Scored)" 53 | info "$check_5_2_2" 54 | 55 | check_5_2_3="5.2.3 - Minimize the admission of containers wishing to share the host IPC namespace (Scored)" 56 | info "$check_5_2_3" 57 | 58 | check_5_2_4="5.2.4 - Minimize the admission of containers wishing to share the host network namespace (Scored)" 59 | info "$check_5_2_4" 60 | 61 | check_5_2_5="5.2.5 - Minimize the admission of containers with allowPrivilegeEscalation (Scored)" 62 | info "$check_5_2_5" 63 | 64 | check_5_2_6="5.2.6 - Minimize the admission of root containers (Scored)" 65 | info "$check_5_2_6" 66 | 67 | check_5_2_7="5.2.7 - Minimize the admission of containers with the NET_RAW capability (Scored)" 68 | info "$check_5_2_7" 69 | 70 | check_5_2_8="5.2.8 - Minimize the admission of containers with added capabilities (Scored)" 71 | info "$check_5_2_8" 72 | 73 | check_5_2_9="5.2.9 - Minimize the admission of containers with capabilities assigned (Scored)" 74 | info "$check_5_2_9" 75 | 76 | info "5.3 - Network Policies and CNI" 77 | check_5_3_1="5.3.1 - Ensure that the CNI in use supports Network Policies (Not Scored)" 78 | info "$check_5_3_1" 79 | 80 | check_5_3_2="5.3.2 - Ensure that all Namespaces have Network Policies defined (Scored)" 81 | info "$check_5_3_2" 82 | 83 | info "5.4 - Secrets Management" 84 | check_5_4_1="5.4.1 - Prefer using secrets as files over secrets as 
environment variables (Not Scored)" 85 | info "$check_5_4_1" 86 | 87 | check_5_4_2="5.4.2 - Consider external secret storage (Not Scored)" 88 | info "$check_5_4_2" 89 | 90 | info "5.5 - Extensible Admission Control" 91 | check_5_5_1="5.5.1 - Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)" 92 | info "$check_5_5_1" 93 | 94 | info "5.6 - General Policies" 95 | check_5_6_1="5.6.1 - Create administrative boundaries between resources using namespaces (Not Scored)" 96 | info "$check_5_6_1" 97 | 98 | check_5_6_2="5.6.2 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" 99 | info "$check_5_6_2" 100 | 101 | check_5_6_3="5.6.3 - Apply Security Context to Your Pods and Containers (Not Scored)" 102 | info "$check_5_6_3" 103 | 104 | check_5_6_4="5.6.4 - The default namespace should not be used (Scored)" 105 | info "$check_5_6_4" 106 | -------------------------------------------------------------------------------- /gke/master/6_managed_services.sh: -------------------------------------------------------------------------------- 1 | info "6 - Managed services" 2 | info "6.1 - Image Registry and Image Scanning" 3 | 4 | check_6_1_1="6.1.1 - Ensure Image Vulnerability Scanning using GCR Container Analysis or a third-party provider (Scored)" 5 | info "$check_6_1_1" 6 | 7 | check_6_1_2="6.1.2 - Minimize user access to GCR (Scored)" 8 | info "$check_6_1_2" 9 | 10 | check_6_1_3="6.1.3 - Minimize cluster access to read-only for GCR (Scored)" 11 | info "$check_6_1_3" 12 | 13 | check_6_1_4="6.1.4 - Minimize Container Registries to only those approved (Not Scored)" 14 | info "$check_6_1_4" 15 | 16 | info "6.2 - Identity and Access Management (IAM)" 17 | check_6_2_1="6.2.1 - Ensure GKE clusters are not running using the Compute Engine default service account (Scored)" 18 | info "$check_6_2_1" 19 | 20 | check_6_2_2="6.2.2 - Prefer using dedicated GCP Service Accounts and Workload Identity (Not Scored)" 21 | 
info "$check_6_2_2" 22 | 23 | info "6.3 - Cloud Key Management Service (Cloud KMS)" 24 | check_6_3_1="6.3.1 - Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Scored)" 25 | info "$check_6_3_1" 26 | 27 | info "6.4 - Node Metadata" 28 | check_6_4_1="6.4.1 - Ensure legacy Compute Engine instance metadata APIs are Disabled (Scored)" 29 | info "$check_6_4_1" 30 | 31 | check_6_4_2="6.4.2 - Ensure the GKE Metadata Server is Enabled (Not Scored)" 32 | info "$check_6_4_2" 33 | 34 | info "6.5 - Node Configuration and Maintenance" 35 | check_6_5_1="6.5.1 - Ensure legacy Compute Engine instance metadata APIs are Disabled (Scored)" 36 | info "$check_6_5_1" 37 | 38 | check_6_5_2="6.5.2 - Ensure Node Auto-Repair is enabled for GKE nodes (Scored)" 39 | info "$check_6_5_2" 40 | 41 | check_6_5_3="6.5.3 - Ensure Node Auto-Upgrade is enabled for GKE nodes (Scored)" 42 | info "$check_6_5_3" 43 | 44 | check_6_5_4="6.5.4 - Automate GKE version management using Release Channels (Not Scored)" 45 | info "$check_6_5_4" 46 | 47 | check_6_5_5="6.5.5 - Ensure Shielded GKE Nodes are Enabled (Not Scored)" 48 | info "$check_6_5_5" 49 | 50 | check_6_5_6="6.5.6 - Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled (Not Scored)" 51 | info "$check_6_5_6" 52 | 53 | check_6_5_7="6.5.7 - Ensure Secure Boot for Shielded GKE Nodes is Enabled (Not Scored)" 54 | info "$check_6_5_7" 55 | 56 | info "6.6 - Cluster Networking" 57 | check_6_6_1="6.6.1 - Enable VPC Flow Logs and Intranode Visibility (Not Scored)" 58 | info "$check_6_6_1" 59 | 60 | check_6_6_2="6.6.2 - Ensure use of VPC-native clusters (Scored)" 61 | info "$check_6_6_2" 62 | 63 | check_6_6_3="6.6.3 - Ensure Master Authorized Networks is Enabled (Scored)" 64 | info "$check_6_6_3" 65 | 66 | check_6_6_4="6.6.4 - Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Scored)" 67 | info "$check_6_6_4" 68 | 69 | check_6_6_5="6.6.5 - Ensure clusters are created with Private Nodes (Scored)" 
70 | info "$check_6_6_5" 71 | 72 | check_6_6_6="6.6.6 - Consider firewalling GKE worker nodes (Not Scored)" 73 | info "$check_6_6_6" 74 | 75 | check_6_6_7="6.6.7 - Ensure Network Policy is Enabled and set as appropriate (Not Scored)" 76 | info "$check_6_6_7" 77 | 78 | check_6_6_8="6.6.8 - Ensure use of Google-managed SSL Certificates (Not Scored)" 79 | info "$check_6_6_8" 80 | 81 | info "6.7 - Cluster Networking" 82 | check_6_7_1="6.7.1 - Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled (Scored)" 83 | info "$check_6_7_1" 84 | 85 | check_6_7_2="6.7.2 - Enable Linux auditd logging (Not Scored)" 86 | info "$check_6_7_2" 87 | 88 | info "6.8 - Authentication and Authorization" 89 | 90 | check_6_8_1="6.8.1 - Ensure Basic Authentication using static passwords is Disabled (Scored)" 91 | info "$check_6_8_1" 92 | 93 | check_6_8_2="6.8.2 - Ensure authentication using Client Certificates is Disabled (Scored)" 94 | info "$check_6_8_2" 95 | 96 | check_6_8_3="6.8.3 - Manage Kubernetes RBAC users with Google Groups for GKE (Not Scored)" 97 | info "$check_6_8_3" 98 | 99 | check_6_8_4="6.8.4 - Ensure Legacy Authorization (ABAC) is Disabled (Scored)" 100 | info "$check_6_8_4" 101 | 102 | info "6.9 - Storage" 103 | check_6_9_1="6.9.1 - Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) (Not Scored)" 104 | info "$check_6_9_1" 105 | 106 | info "6.10 - Other Cluster Configurations" 107 | 108 | check_6_10_1="6.10.1 - Ensure Kubernetes Web UI is Disabled (Scored)" 109 | info "$check_6_10_1" 110 | 111 | check_6_10_2="6.10.2 - Ensure that Alpha clusters are not used for production workloads (Scored)" 112 | info "$check_6_10_2" 113 | 114 | check_6_10_3="6.10.3 - Ensure Pod Security Policy is Enabled and set as appropriate (Not Scored)" 115 | info "$check_6_10_3" 116 | 117 | check_6_10_4="6.10.4 - Consider GKE Sandbox for running untrusted workloads (Not Scored)" 118 | info "$check_6_10_4" 119 | 120 | check_6_10_5="6.10.5 - Ensure use of Binary 
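Authorization (Scored)"
info "$check_6_10_5"

check_6_10_6="6.10.6 - Enable Cloud Security Command Center (Cloud SCC) (Not Scored)"
info "$check_6_10_6"
-------------------------------------------------------------------------------- /gke/worker/4_worker_nodes.sh: --------------------------------------------------------------------------------
info "4.1 - Worker Node Configuration Files"

check_4_1_1="4.1.1 - Ensure that the kubelet service file permissions are set to 644 or more restrictive (Not Scored)"
info "$check_4_1_1"

check_4_1_2="4.1.2 - Ensure that the kubelet service file ownership is set to root:root (Not Scored)"
info "$check_4_1_2"

# 4.1.3 / 4.1.4 inspect the kubeconfig named by the kube-proxy command line
# ($CIS_PROXY_CMD, presumably populated by the helper script). Only the
# --kubeconfig flag is read; a proxy that obtains its kubeconfig some other
# way is reported as "not set", not as a failure.
check_4_1_3="4.1.3 - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
file=""
if check_argument "$CIS_PROXY_CMD" '--kubeconfig' >/dev/null 2>&1; then
  file=$(get_argument_value "$CIS_PROXY_CMD" '--kubeconfig' | cut -d " " -f 1)
fi

if [ -f "$file" ]; then
  # "644 or more restrictive" means no permission bit outside rw-r--r-- is
  # set: no group/other write and no execute bits (mask 0133). The leading 0
  # makes the shell read stat's octal output as octal. This also accepts
  # modes such as 444 or 600 that an explicit list would miss.
  mode=$(stat -c %a "$file")
  if [ $(( 0$mode & 0133 )) -eq 0 ]; then
    pass "$check_4_1_3"
  else
    warn "$check_4_1_3"
    warn " * Wrong permissions for $file"
  fi
else
  info "$check_4_1_3"
  info " * --kubeconfig not set"
fi

check_4_1_4="4.1.4 - Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
if [ -f "$file" ]; then
  # Compare numeric uid:gid so the result does not depend on name resolution.
  if [ "$(stat -c %u:%g "$file")" = "0:0" ]; then
    pass "$check_4_1_4"
  else
    warn "$check_4_1_4"
    warn " * Wrong ownership for $file"
  fi
else
  info "$check_4_1_4"
  info " * kubeconfig file not found"
fi

check_4_1_5="4.1.5 - Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Not Scored)"
info "$check_4_1_5"

check_4_1_6="4.1.6 - Ensure that the kubelet.conf file ownership is set to 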
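root:root (Not Scored)"
info "$check_4_1_6"

check_4_1_7="4.1.7 - Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Not Scored)"
info "$check_4_1_7"

check_4_1_8="4.1.8 - Ensure that the client certificate authorities file ownership is set to root:root (Not Scored)"
info "$check_4_1_8"

# 4.1.9 / 4.1.10 inspect the kubelet configuration file named by the
# --config flag on the kubelet command line ($CIS_KUBELET_CMD).
check_4_1_9="4.1.9 - Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)"
if check_argument "$CIS_KUBELET_CMD" '--config' >/dev/null 2>&1; then
  # First word only, as the other argument-value checks in this file do.
  file=$(get_argument_value "$CIS_KUBELET_CMD" '--config' | cut -d " " -f 1)
  if [ -f "$file" ]; then
    # "644 or more restrictive": no group/other write and no execute bits
    # (mask 0133). The leading 0 makes the shell read the mode as octal.
    mode=$(stat -c %a "$file")
    if [ $(( 0$mode & 0133 )) -eq 0 ]; then
      pass "$check_4_1_9"
      pass " * kubelet configuration file: $file"
    else
      warn "$check_4_1_9"
      warn " * Wrong permissions for $file"
    fi
  else
    # --config points at a path that does not exist on this node; stat would
    # only print an error here, so report it explicitly.
    warn "$check_4_1_9"
    warn " * kubelet configuration file not found: $file"
  fi
else
  info "$check_4_1_9"
  info " * kubelet configuration file not set"
fi

check_4_1_10="4.1.10 - Ensure that the kubelet configuration file ownership is set to root:root (Scored)"
if check_argument "$CIS_KUBELET_CMD" '--config' >/dev/null 2>&1; then
  file=$(get_argument_value "$CIS_KUBELET_CMD" '--config' | cut -d " " -f 1)
  if [ -f "$file" ]; then
    # Compare numeric uid:gid so the result does not depend on name resolution.
    if [ "$(stat -c %u:%g "$file")" = "0:0" ]; then
      pass "$check_4_1_10"
      pass " * kubelet configuration file: $file"
    else
      warn "$check_4_1_10"
      warn " * Wrong ownership for $file"
    fi
  else
    warn "$check_4_1_10"
    warn " * kubelet configuration file not found: $file"
  fi
else
  info "$check_4_1_10"
  info " * kubelet configuration file not set"
fi

info "4.2 - Kubelet"

#todo review all audits
# NOTE: the 4.2.x checks only look at the kubelet command line
# ($CIS_KUBELET_CMD). Settings applied through the kubelet config file
# (--config) are not read, so a kubelet configured that way is reported as a
# warning even when the setting is correct.
check_4_2_1="4.2.1 - Ensure that the --anonymous-auth argument is set to false (Scored) "
# The flag tested must be the one the check is about: --anonymous-auth=false.
# (--allow-privileged is unrelated to anonymous authentication and would make
# this check pass or fail for the wrong reason.)
if check_argument "$CIS_KUBELET_CMD" '--anonymous-auth=false' >/dev/null 2>&1; then
  pass "$check_4_2_1"
else
  warn "$check_4_2_1"
fi

check_4_2_2="4.2.2 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
if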
check_argument "$CIS_KUBELET_CMD" '--authorization-mode=AlwaysAllow' >/dev/null 2>&1; then 94 | warn "$check_4_2_2" 95 | else 96 | pass "$check_4_2_2" 97 | fi 98 | 99 | check_4_2_3="4.2.3 - Ensure that the --client-ca-file argument is set as appropriate (Scored)" 100 | if check_argument "$CIS_KUBELET_CMD" '--client-ca-file' >/dev/null 2>&1; then 101 | cafile=$(get_argument_value "$CIS_KUBELET_CMD" '--client-ca-file') 102 | pass "$check_4_2_3" 103 | pass " * client-ca-file: $cafile" 104 | else 105 | warn "$check_4_2_3" 106 | fi 107 | 108 | check_4_2_4="4.2.4 - Ensure that the --read-only-port argument is set to 0 (Scored)" 109 | if check_argument "$CIS_KUBELET_CMD" '--read-only-port' >/dev/null 2>&1; then 110 | port=$(get_argument_value "$CIS_KUBELET_CMD" '--read-only-port' | cut -d " " -f 1) 111 | if [ $port = "0" ]; then 112 | pass "$check_4_2_4" 113 | else 114 | warn "$check_4_2_4" 115 | warn " * read-only-port: $port" 116 | fi 117 | else 118 | warn "$check_4_2_4" 119 | fi 120 | 121 | check_4_2_5="4.2.5 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" 122 | if check_argument "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout=0' >/dev/null 2>&1; then 123 | timeout=$(get_argument_value "$CIS_KUBELET_CMD" '--streaming-connection-idle-timeout') 124 | warn "$check_4_2_5" 125 | warn " * streaming-connection-idle-timeout: $timeout" 126 | else 127 | pass "$check_4_2_5" 128 | fi 129 | 130 | check_4_2_6="4.2.6 - Ensure that the --protect-kernel-defaults argument is set to true (Scored)" 131 | if check_argument "$CIS_KUBELET_CMD" '--protect-kernel-defaults=true' >/dev/null 2>&1; then 132 | pass "$check_4_2_6" 133 | else 134 | warn "$check_4_2_6" 135 | fi 136 | 137 | check_4_2_7="4.2.7 - Ensure that the --make-iptables-util-chains argument is set to true (Scored)" 138 | if check_argument "$CIS_KUBELET_CMD" '--make-iptables-util-chains=true' >/dev/null 2>&1; then 139 | pass "$check_4_2_7" 140 | else 141 | warn "$check_4_2_7" 142 | 
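fi

check_4_2_8="4.2.8 - Ensure that the --hostname-override argument is not set (Scored)"
if check_argument "$CIS_KUBELET_CMD" '--hostname-override' >/dev/null 2>&1; then
  warn "$check_4_2_8"
else
  pass "$check_4_2_8"
fi

check_4_2_9="4.2.9 - Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored)"
# Only an explicit 0 passes; any other rate limit needs a human judgement and
# is reported as a finding.
if check_argument "$CIS_KUBELET_CMD" '--event-qps=0' >/dev/null 2>&1; then
  pass "$check_4_2_9"
else
  warn "$check_4_2_9"
fi

check_4_2_10="4.2.10 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
# Both flags have to be present; the pass lines echo the two paths for the
# reviewer, the files themselves are not inspected.
if check_argument "$CIS_KUBELET_CMD" '--tls-cert-file' >/dev/null 2>&1 &&
   check_argument "$CIS_KUBELET_CMD" '--tls-private-key-file' >/dev/null 2>&1; then
  cfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-cert-file')
  kfile=$(get_argument_value "$CIS_KUBELET_CMD" '--tls-private-key-file')
  pass "$check_4_2_10"
  pass " * tls-cert-file: $cfile"
  pass " * tls-private-key-file: $kfile"
else
  warn "$check_4_2_10"
fi

check_4_2_11="4.2.11 - Ensure that the --rotate-certificates argument is not set to false (Scored)"
if check_argument "$CIS_KUBELET_CMD" '--rotate-certificates=false' >/dev/null 2>&1; then
  warn "$check_4_2_11"
else
  pass "$check_4_2_11"
fi

check_4_2_12="4.2.12 - Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
# The gate is read from the kubeadm drop-in; where that file is absent grep
# fails silently and the check is reported as a warning. The gate may sit
# anywhere in a comma-separated --feature-gates list, so the match is on the
# gate itself rather than on "--feature-gates=<gate>" only.
file="/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
if grep -q -- 'RotateKubeletServerCertificate=true' "$file" 2>/dev/null; then
  pass "$check_4_2_12"
else
  warn "$check_4_2_12"
fi

check_4_2_13="4.2.13 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
info "$check_4_2_13"

# ------------------------------------------------------------------------------
# /helper.sh
# ------------------------------------------------------------------------------
#!/bin/sh
# Shared reporting and process-inspection helpers for the benchmark scripts.
# Sourced by the wrapper scripts before the audit files, which rely on every
# function below. Colour escapes are suppressed when nocolor=nocolor is set.

if [ "$nocolor" = "nocolor" ]; then
  bldred=''
  bldgrn=''
  bldblu=''
  bldylw=''
  txtrst=''
else
  bldred='\033[1;31m'
  bldgrn='\033[1;32m'
  bldblu='\033[1;34m'
  bldylw='\033[1;33m'
  txtrst='\033[0m'
fi

# Print $1 with the [INFO] prefix. %b expands backslash escapes, which is what
# turns the colour variables into terminal codes (it also applies to any
# backslashes inside the message itself).
info () {
  printf "%b\n" "${bldblu}[INFO]${txtrst} $1"
}

# Print $1 with the [PASS] prefix.
pass () {
  printf "%b\n" "${bldgrn}[PASS]${txtrst} $1"
}

# Print $1 with the [WARN] prefix.
warn () {
  printf "%b\n" "${bldred}[WARN]${txtrst} $1"
}

# Highlighted banner; the trailing \n leaves a blank line after the text.
yell () {
  printf "%b\n" "${bldylw}$1${txtrst}\n"
}

yell "# ------------------------------------------------------------------------------
# Kubernetes CIS benchmark
#
# NeuVector, Inc. (c) 2016-
#
# NeuVector delivers an application and network intelligent container security
# solution that automatically adapts to protect running containers. Don’t let
# security concerns slow down your CI/CD processes.
# ------------------------------------------------------------------------------"

# Print the command line of the running process named $1 (arguments separated
# by single spaces). Names longer than 15 characters are looked up through ps
# output, presumably because pgrep matches on the truncated comm name; shorter
# names use the newest matching PID's /proc/<pid>/cmdline.
# $1 is interpolated unescaped into the grep and sed patterns, so it must be a
# plain process name such as the wrapper's CIS_*_CMD values, never free-form
# input.
get_command_line_args() {
  PROC="$1"
  len=${#PROC}
  if [ "$len" -gt 15 ]; then
    # Use PROC here, not the CMD global the callers happen to set, so the
    # function also works when called directly.
    ps aux | grep "$PROC " | grep -v "grep" | sed "s/.*$PROC \(.*\)/\1/g"
  else
    for PID in $(pgrep -n "$PROC")
    do
      tr "\0" " " < /proc/"$PID"/cmdline
    done
  fi
}

# Print the value of option $2 on the command line of process $1.
# Every "--option" is moved onto its own line, lines starting with $2 are kept
# and a leading "$2=" is stripped. Only the "--option=value" spelling is
# stripped; "--option value" comes back unchanged. $2 is a prefix match
# ("--foo" also selects "--foo-bar"). The \n in the sed replacement is a GNU
# sed extension.
get_argument_value() {
  CMD="$1"
  OPTION="$2"

  get_command_line_args "$CMD" |
    sed -e 's/\-\-/\n--/g' |
    grep "^${OPTION}" |
    sed -e "s/^${OPTION}=//g"
}

# Succeed (exit 0) when option $2, or any option it is a prefix of, is present
# on the command line of process $1. The matching lines are printed; callers
# normally discard them.
check_argument() {
  CMD="$1"
  OPTION="$2"

  get_command_line_args "$CMD" |
    sed -e 's/\-\-/\n--/g' |
    grep "^${OPTION}"
}

# ------------------------------------------------------------------------------
# /helper1_4_1.sh
# ------------------------------------------------------------------------------
#!/bin/sh
# Helper for the 1.4.1 benchmark: the reporting functions of helper.sh plus a
# [Scored]/[Not Scored] tag taken from the check title and a [Level 1]/
# [Level 2] tag taken from the level2 list below.

if [ "$nocolor" = "nocolor" ]; then
  bldred=''
  bldgrn=''
  bldblu=''
  bldylw=''
  bldcyn=''
  bldgry=''
  txtrst=''
else
  bldred='\033[1;31m'
  bldgrn='\033[1;32m'
  bldblu='\033[1;34m'
  bldylw='\033[1;33m'
  bldcyn='\033[1;36m'
  bldgry='\033[1;37m'
  txtrst='\033[0m'
fi

# Check ids that are not scored in this benchmark version. Not read by the
# functions in this file; the Scored tag is taken from the title text.
notScored="1.1.1, 1.1.12, 1.1.13, 1.1.31, 1.4.9, 1.4.10, 1.5.7, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8,
1.7.1, 1.7.6, 1.7.7, 2.1.11, 2.1.14"
# Check ids that belong to profile Level 2; everything else is Level 1.
level2="1.3.6, 1.5.7, 1.6.1, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8,
1.7.6, 1.7.7"

# Succeed when $2 is one of the comma-separated ids in list $1. The list is
# split into one id per line and compared as a whole, fixed string, so a
# dotted id cannot act as a regex and "2.7" does not match inside "1.2.7".
cis_in_list() {
  printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qxF -- "$2"
}

# Derive the tags for check title $1 into the globals s_txt (Scored marker)
# and level_txt (profile level); both stay empty for section headings, which
# carry no "(Scored)"/"(Not Scored)" marker. The check id is the first word of
# the title. POSIX sh has no local variables, so s_txt, level_txt and idx are
# globals, exactly as info/pass/warn leave them.
cis_tags() {
  s_txt=""
  level_txt=""
  case "$1" in
    *"(Not Scored)"*) s_txt="${bldcyn}[Not Scored]${txtrst}" ;;
    *"(Scored)"*)     s_txt="${bldcyn}[Scored]${txtrst}" ;;
  esac
  if [ -n "$s_txt" ]; then
    idx=$(echo "$1" | cut -d " " -f 1)
    if cis_in_list "$level2" "$idx"; then
      level_txt="${bldgry}[Level 2]${txtrst}"
    else
      level_txt="${bldgry}[Level 1]${txtrst}"
    fi
  fi
}

# Print $1 as an informational line, tagged with its level and scoring.
info () {
  cis_tags "$1"
  printf "%b\n" "${bldblu}[INFO]${txtrst}${level_txt}${s_txt} $1"
}

# Print $1 as a passed check, tagged with its level and scoring.
pass () {
  cis_tags "$1"
  printf "%b\n" "${bldgrn}[PASS]${txtrst}${level_txt}${s_txt} $1"
}

# Print $1 as a failed check, tagged with its level and scoring.
warn () {
  cis_tags "$1"
  printf "%b\n" "${bldred}[WARN]${txtrst}${level_txt}${s_txt} $1"
}

# Highlighted banner; the trailing \n leaves a blank line after the text.
yell () {
  printf "%b\n" "${bldylw}$1${txtrst}\n"
}

yell "# ------------------------------------------------------------------------------
# Kubernetes CIS benchmark
#
# NeuVector, Inc. (c) 2020-
#
# NeuVector delivers an application and network intelligent container security
# solution that automatically adapts to protect running containers. Don’t let
# security concerns slow down your CI/CD processes.
# ------------------------------------------------------------------------------"

# Print the command line of the running process named $1 (arguments separated
# by single spaces). Names longer than 15 characters are looked up through ps
# output, presumably because pgrep matches on the truncated comm name; shorter
# names use the newest matching PID's /proc/<pid>/cmdline.
# $1 is interpolated unescaped into the grep and sed patterns, so it must be a
# plain process name such as the wrapper's CIS_*_CMD values, never free-form
# input.
get_command_line_args() {
  PROC="$1"
  len=${#PROC}
  if [ "$len" -gt 15 ]; then
    # Use PROC here, not the CMD global the callers happen to set, so the
    # function also works when called directly.
    ps aux | grep "$PROC " | grep -v "grep" | sed "s/.*$PROC \(.*\)/\1/g"
  else
    for PID in $(pgrep -n "$PROC")
    do
      tr "\0" " " < /proc/"$PID"/cmdline
    done
  fi
}

# Print the value of option $2 on the command line of process $1.
# Every "--option" is moved onto its own line, lines starting with $2 are kept
# and a leading "$2=" is stripped. Only the "--option=value" spelling is
# stripped; "--option value" comes back unchanged. $2 is a prefix match
# ("--foo" also selects "--foo-bar"). The \n in the sed replacement is a GNU
# sed extension.
get_argument_value() {
  CMD="$1"
  OPTION="$2"

  get_command_line_args "$CMD" |
    sed -e 's/\-\-/\n--/g' |
    grep "^${OPTION}" |
    sed -e "s/^${OPTION}=//g"
}

# Succeed (exit 0) when option $2, or any option it is a prefix of, is present
# on the command line of process $1. The matching lines are printed; callers
# normally discard them.
check_argument() {
  CMD="$1"
  OPTION="$2"

  get_command_line_args "$CMD" |
    sed -e 's/\-\-/\n--/g' |
    grep "^${OPTION}"
}

# ------------------------------------------------------------------------------
# /helper1_5_1.sh
# ------------------------------------------------------------------------------
#!/bin/sh
# Helper for the 1.5.1 benchmark: the reporting functions tag each check with
# [Scored]/[Not Scored] from the title and [Level 1]/[Level 2] from level2.

if [ "$nocolor" = "nocolor" ]; then
  bldred=''
  bldgrn=''
  bldblu=''
  bldylw=''
  bldcyn=''
  bldgry=''
  txtrst=''
else
  bldred='\033[1;31m'
  bldgrn='\033[1;32m'
  bldblu='\033[1;34m'
  bldylw='\033[1;33m'
  bldcyn='\033[1;36m'
  bldgry='\033[1;37m'
  txtrst='\033[0m'
fi

# Check ids that belong to profile Level 2; everything else is Level 1.
level2="1.3.6, 2.7, 3.1.1, 3.2.2, 4.2.9, 5.2.9, 5.3.2, 5.4.2, 5.5.1, 5.7.2, 5.7.3, 5.7.4"

# Print $1 as an informational line, tagged with its level and scoring. The
# tags are computed inline into the globals s_txt and level_txt; section
# headings carry no marker and get no tags. Note that the id lookup below is a
# regex in which "." matches any character.
info () {

  s_txt=""
  if echo "$1" | grep -q "(Scored)"; then
    s_txt="${bldcyn}[Scored]${txtrst}"
  elif echo "$1" | grep -q "(Not Scored)"; then
    s_txt="${bldcyn}[Not Scored]${txtrst}"
  fi

  level_txt=""
  if [ ${#s_txt} -ne 0 ]; then
    idx=$(echo "$1" | cut -d " " -f 1)
    if echo "$level2" | grep -q "\<${idx}\>"; then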
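level_txt="${bldgry}[Level 2]${txtrst}"
    else
      level_txt="${bldgry}[Level 1]${txtrst}"
    fi
  fi

  printf "%b\n" "${bldblu}[INFO]${txtrst}${level_txt}${s_txt} $1"
}

# Print $1 as a passed check, tagged with its level and scoring (same tag
# logic as info).
pass () {

  s_txt=""
  if echo "$1" | grep -q "(Scored)"; then
    s_txt="${bldcyn}[Scored]${txtrst}"
  elif echo "$1" | grep -q "(Not Scored)"; then
    s_txt="${bldcyn}[Not Scored]${txtrst}"
  fi

  level_txt=""
  if [ ${#s_txt} -ne 0 ]; then
    idx=$(echo "$1" | cut -d " " -f 1)
    if echo "$level2" | grep -q "\<${idx}\>"; then
      level_txt="${bldgry}[Level 2]${txtrst}"
    else
      level_txt="${bldgry}[Level 1]${txtrst}"
    fi
  fi

  printf "%b\n" "${bldgrn}[PASS]${txtrst}${level_txt}${s_txt} $1"

}

# Print $1 as a failed check, tagged with its level and scoring (same tag
# logic as info).
warn () {
  s_txt=""
  if echo "$1" | grep -q "(Scored)"; then
    s_txt="${bldcyn}[Scored]${txtrst}"
  elif echo "$1" | grep -q "(Not Scored)"; then
    s_txt="${bldcyn}[Not Scored]${txtrst}"
  fi

  level_txt=""
  if [ ${#s_txt} -ne 0 ]; then
    idx=$(echo "$1" | cut -d " " -f 1)
    if echo "$level2" | grep -q "\<${idx}\>"; then
      level_txt="${bldgry}[Level 2]${txtrst}"
    else
      level_txt="${bldgry}[Level 1]${txtrst}"
    fi
  fi

  printf "%b\n" "${bldred}[WARN]${txtrst}${level_txt}${s_txt} $1"

}

# Highlighted banner; the trailing \n leaves a blank line after the text.
yell () {
  printf "%b\n" "${bldylw}$1${txtrst}\n"
}

yell "# ------------------------------------------------------------------------------
# Kubernetes CIS benchmark
#
# NeuVector, Inc. (c) 2020-
#
# NeuVector delivers an application and network intelligent container security
# solution that automatically adapts to protect running containers. Don’t let
# security concerns slow down your CI/CD processes.
# ------------------------------------------------------------------------------"

# Print the command line of the running process named $1 (arguments separated
# by single spaces). Names longer than 15 characters are looked up through ps
# output, presumably because pgrep matches on the truncated comm name; shorter
# names use the newest matching PID's /proc/<pid>/cmdline.
# $1 is interpolated unescaped into the grep and sed patterns, so it must be a
# plain process name such as the wrapper's CIS_*_CMD values, never free-form
# input.
get_command_line_args() {
  PROC="$1"
  len=${#PROC}
  if [ "$len" -gt 15 ]; then
    # Use PROC here, not the CMD global the callers happen to set, so the
    # function also works when called directly.
    ps aux | grep "$PROC " | grep -v "grep" | sed "s/.*$PROC \(.*\)/\1/g"
  else
    for PID in $(pgrep -n "$PROC")
    do
      tr "\0" " " < /proc/"$PID"/cmdline
    done
  fi
}

# Print the value of option $2 on the command line of process $1.
# Every "--option" is moved onto its own line, lines starting with $2 are kept
# and a leading "$2=" is stripped. Only the "--option=value" spelling is
# stripped; "--option value" comes back unchanged. $2 is a prefix match
# ("--foo" also selects "--foo-bar"). The \n in the sed replacement is a GNU
# sed extension.
get_argument_value() {
  CMD="$1"
  OPTION="$2"

  get_command_line_args "$CMD" |
    sed -e 's/\-\-/\n--/g' |
    grep "^${OPTION}" |
    sed -e "s/^${OPTION}=//g"
}

# Succeed (exit 0) when option $2, or any option it is a prefix of, is present
# on the command line of process $1. The matching lines are printed; callers
# normally discard them.
check_argument() {
  CMD="$1"
  OPTION="$2"

  get_command_line_args "$CMD" |
    sed -e 's/\-\-/\n--/g' |
    grep "^${OPTION}"
}

# ------------------------------------------------------------------------------
# /helper1_6_0.sh
# ------------------------------------------------------------------------------
#!/bin/sh
# Helper for the 1.6.0 benchmark. Check titles carry "(Automated)" or
# "(Manual)"; the reporting functions add that marker, [Level 1]/[Level 2]
# from level2 and [Scored]/[Not Scored] from not_scored.

if [ "$nocolor" = "nocolor" ]; then
  bldred=''
  bldgrn=''
  bldblu=''
  bldylw=''
  bldcyn=''
  bldgry=''
  txtrst=''
else
  bldred='\033[1;31m'
  bldgrn='\033[1;32m'
  bldblu='\033[1;34m'
  bldylw='\033[1;33m'
  bldcyn='\033[1;36m'
  bldgry='\033[1;37m'
  txtrst='\033[0m'
fi

# Check ids that belong to profile Level 2; everything else is Level 1.
level2="1.3.6, 2.7, 3.1.1, 3.2.2, 4.2.9, 5.2.9, 5.3.2, 5.4.2, 5.5.1, 5.7.2, 5.7.3, 5.7.4"
# Check ids reported as [Not Scored]; every other tagged check is [Scored].
# Each entry must be a dotted id, otherwise it can never match (4.2.8 was
# previously spelled with a comma and silently reported as Scored).
not_scored="1.1.9, 1.1.10, 1.1.20, 1.1.21, 1.2.1, 1.2.10, 1.2.12, 1.2.13, 1.2.33, 1.2.34, 1.2.35, 1.3.1, 2.7, 3.1.1, 3.2.2, 4.2.8, 4.2.9, 4.2.13, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.6, 5.2.1, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.3.1, 5.4.1, 5.4.2, 5.5.1, 5.7.1, 5.7.2, 5.7.3"
# Check ids whose assessment is manual. Not read by the functions in this
# file; the Automated/Manual tag is taken from the title text.
assessment_manual="1.1.9, 1.1.10, 1.1.20, 1.1.21, 1.2.1, 1.2.10, 1.2.12, 1.2.13, 1.2.33, 1.2.34, 1.2.35, 1.3.1, 2.7, 3.1.1, 3.2.1, 3.2.2, 4.1.3, 4.1.4, 4.1.6, 4.1.7, 4.1.8, 4.2.4, 4.2.5, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.2.12, 4.2.13, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.3.1, 5.3.2, 5.4.1, 5.4.2, 5.5.1, 5.7.1, 5.7.2, 5.7.3, 5.7.4"

# Succeed when $2 is one of the comma-separated ids in list $1. The list is
# split into one id per line and compared as a whole, fixed string, so a
# dotted id cannot act as a regex and "2.7" does not match inside "1.2.7".
cis_in_list() {
  printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qxF -- "$2"
}

# Derive the tags for check title $1 into the globals s_txt (Automated/Manual
# marker), level_info (profile level) and scoring_info (Scored/Not Scored).
# Titles without a marker, i.e. section headings, leave all three empty. The
# check id is the first word of the title. POSIX sh has no local variables, so
# these and idx are globals, exactly as info/pass/warn leave them.
cis_tags() {
  s_txt=""
  level_info=""
  scoring_info=""
  case "$1" in
    *"(Automated)"*) s_txt="${bldcyn}[Automated]${txtrst}" ;;
    *"(Manual)"*)    s_txt="${bldcyn}[Manual]${txtrst}" ;;
  esac
  if [ -n "$s_txt" ]; then
    idx=$(echo "$1" | cut -d " " -f 1)
    if cis_in_list "$level2" "$idx"; then
      level_info="${bldgry}[Level 2]${txtrst}"
    else
      level_info="${bldgry}[Level 1]${txtrst}"
    fi
    if cis_in_list "$not_scored" "$idx"; then
      scoring_info="${bldgry}[Not Scored]${txtrst}"
    else
      scoring_info="${bldgry}[Scored]${txtrst}"
    fi
  fi
}

# Print $1 as an informational line, tagged with level, assessment and scoring.
info () {
  cis_tags "$1"
  printf "%b\n" "${bldblu}[INFO]${txtrst}${level_info}${s_txt}${scoring_info} $1"
}

# Print $1 as a passed check, tagged with level, assessment and scoring.
pass () {
  cis_tags "$1"
  printf "%b\n" "${bldgrn}[PASS]${txtrst}${level_info}${s_txt}${scoring_info} $1"
}

# Print $1 as a failed check, tagged with level, assessment and scoring.
warn () {
  cis_tags "$1"
  printf "%b\n" "${bldred}[WARN]${txtrst}${level_info}${s_txt}${scoring_info} $1"
}

# Highlighted banner; the trailing \n leaves a blank line after the text.
yell () {
  printf "%b\n" "${bldylw}$1${txtrst}\n"
}

yell "# ------------------------------------------------------------------------------
# Kubernetes CIS benchmark
#
# NeuVector, Inc. (c) 2020-
#
# NeuVector delivers an application and network intelligent container security
# solution that automatically adapts to protect running containers. Don’t let
# security concerns slow down your CI/CD processes.
# ------------------------------------------------------------------------------"

# Print the command line of the running process named $1 (arguments separated
# by single spaces). Names longer than 15 characters are looked up through ps
# output, presumably because pgrep matches on the truncated comm name; shorter
# names use the newest matching PID's /proc/<pid>/cmdline.
# $1 is interpolated unescaped into the grep and sed patterns, so it must be a
# plain process name such as the wrapper's CIS_*_CMD values, never free-form
# input.
get_command_line_args() {
  PROC="$1"
  len=${#PROC}
  if [ "$len" -gt 15 ]; then
    # Use PROC here, not the CMD global the callers happen to set, so the
    # function also works when called directly.
    ps aux | grep "$PROC " | grep -v "grep" | sed "s/.*$PROC \(.*\)/\1/g"
  else
    for PID in $(pgrep -n "$PROC")
    do
      tr "\0" " " < /proc/"$PID"/cmdline
    done
  fi
}

# Print the value of option $2 on the command line of process $1.
# Every "--option" is moved onto its own line, lines starting with $2 are kept
# and a leading "$2=" is stripped. Only the "--option=value" spelling is
# stripped; "--option value" comes back unchanged. $2 is a prefix match
# ("--foo" also selects "--foo-bar"). The \n in the sed replacement is a GNU
# sed extension.
get_argument_value() {
  CMD="$1"
  OPTION="$2"

  get_command_line_args "$CMD" |
    sed -e 's/\-\-/\n--/g' |
    grep "^${OPTION}" |
    sed -e "s/^${OPTION}=//g"
}

# Succeed (exit 0) when option $2, or any option it is a prefix of, is present
# on the command line of process $1. The matching lines are printed; callers
# normally discard them.
check_argument() {
  CMD="$1"
  OPTION="$2"

  get_command_line_args "$CMD" |
    sed -e 's/\-\-/\n--/g' |
    grep "^${OPTION}"
}

# ------------------------------------------------------------------------------
# /helper_gke.sh
# ------------------------------------------------------------------------------
#!/bin/sh
# Helper for the GKE benchmark: the reporting functions tag each check with
# [Scored]/[Not Scored] from the title and [Level 1]/[Level 2] from level2.
# get_argument_value here also accepts the "--option value" spelling.

if [ "$nocolor" = "nocolor" ]; then
  bldred=''
  bldgrn=''
  bldblu=''
  bldylw=''
  bldcyn=''
  bldgry=''
  txtrst=''
else
  bldred='\033[1;31m'
  bldgrn='\033[1;32m'
  bldblu='\033[1;34m'
  bldylw='\033[1;33m'
  bldcyn='\033[1;36m'
  bldgry='\033[1;37m'
  txtrst='\033[0m'
fi

# Check ids that belong to profile Level 2; everything else is Level 1.
level2="1.3.6, 2.7, 3.1.1, 3.2.2, 4.2.9, 5.2.6, 5.2.9, 5.3.2, 5.4.2, 5.6.2, 5.6.3, 5.6.4,
6.1.4, 6.2.1, 6.4.2, 6.5.1, 6.5.7, 6.6.1, 6.6.4, 6.6.8, 6.7.2, 6.8.3, 6.10.4, 6.10.5"

# Print $1 as an informational line, tagged with its level and scoring. The
# tags are computed inline into the globals s_txt and level_txt; section
# headings carry no marker and get no tags. Note that the id lookup below is a
# regex in which "." matches any character.
info () {

  s_txt=""
  if echo "$1" | grep -q "(Scored)"; then
    s_txt="${bldcyn}[Scored]${txtrst}"
  elif echo "$1" | grep -q "(Not Scored)"; then
    s_txt="${bldcyn}[Not Scored]${txtrst}"
  fi

  level_txt=""
  if [ ${#s_txt} -ne 0 ]; then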
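idx=$(echo "$1" | cut -d " " -f 1)
    if echo "$level2" | grep -q "\<${idx}\>"; then
      level_txt="${bldgry}[Level 2]${txtrst}"
    else
      level_txt="${bldgry}[Level 1]${txtrst}"
    fi
  fi

  printf "%b\n" "${bldblu}[INFO]${txtrst}${level_txt}${s_txt} $1"
}

# Print $1 as a passed check, tagged with its level and scoring (same tag
# logic as info).
pass () {

  s_txt=""
  if echo "$1" | grep -q "(Scored)"; then
    s_txt="${bldcyn}[Scored]${txtrst}"
  elif echo "$1" | grep -q "(Not Scored)"; then
    s_txt="${bldcyn}[Not Scored]${txtrst}"
  fi

  level_txt=""
  if [ ${#s_txt} -ne 0 ]; then
    idx=$(echo "$1" | cut -d " " -f 1)
    if echo "$level2" | grep -q "\<${idx}\>"; then
      level_txt="${bldgry}[Level 2]${txtrst}"
    else
      level_txt="${bldgry}[Level 1]${txtrst}"
    fi
  fi

  printf "%b\n" "${bldgrn}[PASS]${txtrst}${level_txt}${s_txt} $1"

}

# Print $1 as a failed check, tagged with its level and scoring (same tag
# logic as info).
warn () {
  s_txt=""
  if echo "$1" | grep -q "(Scored)"; then
    s_txt="${bldcyn}[Scored]${txtrst}"
  elif echo "$1" | grep -q "(Not Scored)"; then
    s_txt="${bldcyn}[Not Scored]${txtrst}"
  fi

  level_txt=""
  if [ ${#s_txt} -ne 0 ]; then
    idx=$(echo "$1" | cut -d " " -f 1)
    if echo "$level2" | grep -q "\<${idx}\>"; then
      level_txt="${bldgry}[Level 2]${txtrst}"
    else
      level_txt="${bldgry}[Level 1]${txtrst}"
    fi
  fi

  printf "%b\n" "${bldred}[WARN]${txtrst}${level_txt}${s_txt} $1"

}

# Highlighted banner; the trailing \n leaves a blank line after the text.
yell () {
  printf "%b\n" "${bldylw}$1${txtrst}\n"
}

yell "# ------------------------------------------------------------------------------
# Kubernetes CIS benchmark
#
# NeuVector, Inc. (c) 2020-
#
# NeuVector delivers an application and network intelligent container security
# solution that automatically adapts to protect running containers. Don’t let
# security concerns slow down your CI/CD processes.
# ------------------------------------------------------------------------------"

# Print the command line of the running process named $1 (arguments separated
# by single spaces). Names longer than 15 characters are looked up through ps
# output, presumably because pgrep matches on the truncated comm name; shorter
# names use the newest matching PID's /proc/<pid>/cmdline.
# $1 is interpolated unescaped into the grep and sed patterns, so it must be a
# plain process name such as the wrapper's CIS_*_CMD values, never free-form
# input.
get_command_line_args() {
  PROC="$1"
  len=${#PROC}
  if [ "$len" -gt 15 ]; then
    # Use PROC here, not the CMD global the callers happen to set, so the
    # function also works when called directly.
    ps aux | grep "$PROC " | grep -v "grep" | sed "s/.*$PROC \(.*\)/\1/g"
  else
    for PID in $(pgrep -n "$PROC")
    do
      tr "\0" " " < /proc/"$PID"/cmdline
    done
  fi
}

# Print the value of option $2 on the command line of process $1.
# Every "--option" is moved onto its own line, lines starting with $2 are kept
# and a leading "$2=" or "$2 " is stripped, so both "--option=value" and
# "--option value" yield the bare value (any trailing space from the cmdline
# rewrite is kept). $2 is a prefix match ("--foo" also selects "--foo-bar").
# The \n in the sed replacement is a GNU sed extension.
get_argument_value() {
  CMD="$1"
  OPTION="$2"

  get_command_line_args "$CMD" |
    sed -e 's/\-\-/\n--/g' |
    grep "^${OPTION}" |
    sed -e "s/^${OPTION}[= ]//g"
}

# Succeed (exit 0) when option $2, or any option it is a prefix of, is present
# on the command line of process $1. The matching lines are printed; callers
# normally discard them.
check_argument() {
  CMD="$1"
  OPTION="$2"

  get_command_line_args "$CMD" |
    sed -e 's/\-\-/\n--/g' |
    grep "^${OPTION}"
}

# ------------------------------------------------------------------------------
# /master.sh
# ------------------------------------------------------------------------------
#!/bin/sh
# ------------------------------------------------------------------------------
# Kubernetes CIS benchmark
#
# Neuvector, Inc. (c) 2016-
#
# ------------------------------------------------------------------------------

# NOTE(review): the listing is incomplete here. Lines 10-54 of master.sh (the
# usage here-document, the option handling that apparently sets $ver, and the
# loop that checks for required commands) survive only as the fragment below,
# which is reproduced as extracted and is not complete shell.
usage () {
cat </dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done

# Load all the audits from master/ and run them: each file is sourced into this
# shell, in glob order, so it shares the helper functions and the CIS_*
# variables. $ver is expected to be set by the option handling above.
main () {

  for audit in "$ver"/master/*.sh
  do
    . ./"$audit"
  done
}

main "$@"

# ------------------------------------------------------------------------------
# /worker.sh
# ------------------------------------------------------------------------------
#!/bin/sh
# ------------------------------------------------------------------------------
# Kubernetes CIS benchmark
#
# Neuvector, Inc. (c) 2016-
#
# ------------------------------------------------------------------------------

# NOTE(review): the listing is incomplete here. Lines 10-51 of worker.sh (the
# usage here-document, the option handling that apparently sets $ver, and the
# loop that checks for required commands) survive only as the fragment below,
# which is reproduced as extracted and is not complete shell.
usage () {
cat </dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done

# Load all the tests from worker/ and run them: each file is sourced into this
# shell, in glob order, so it shares the helper functions and the CIS_*
# variables. $ver is expected to be set by the option handling above.
main () {

  for audit in "$ver"/worker/*.sh
  do
    . ./"$audit"
  done
}

main "$@"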