Feature/cis k8s benchmark v1.5.0 (#26)

* start to adpat tests to 1.5.0 doc

Signed-off-by: Alain ROMEYER <[email protected]>

* create structure

Signed-off-by: Alain ROMEYER <[email protected]>

* delet old file

Signed-off-by: Alain ROMEYER <[email protected]>

* 1.5.0 first implementation

Signed-off-by: Alain ROMEYER <[email protected]>

* correct syntax

Signed-off-by: Alain ROMEYER <[email protected]>

* correct syntax

Signed-off-by: Alain ROMEYER <[email protected]>

* correct syntax

Signed-off-by: Alain ROMEYER <[email protected]>

* start to correct controls

Signed-off-by: Alain ROMEYER <[email protected]>

* switch from 1.4.1 to 1.5.0

Signed-off-by: Alain ROMEYER <[email protected]>

* take into account travis build errors

Signed-off-by: Alain ROMEYER <[email protected]>

* take into account travis build errors

Signed-off-by: Alain ROMEYER <[email protected]>

* take into account travis build errors

Signed-off-by: Alain ROMEYER <[email protected]>

* take into account travis build errors

Signed-off-by: Alain ROMEYER <[email protected]>

* fix incorrectly signed off commit

Signed-off-by: Alain ROMEYER <[email protected]>

Co-authored-by: Alain ROMEYER <[email protected]>

Author: aromeyer

README.md

@@ -1,7 +1,8 @@
 # CIS Kubernetes Benchmark - InSpec Profile
 
 ## Description
-This profile implements the [CIS Kubernetes 1.4.1 Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
+
+This profile implements the [CIS Kubernetes 1.5.0 Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
 
 ## Attributes
 

controls/1_4_master_node_configuration_files.rb controls/1_1_master_node_configuration_files.rb

@@ -1,20 +1,3 @@
-#
-# Copyright 2019, Schuberg Philis B.V.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# author: Kristian Vlaardingerbroek
-
 title '1.3 Master Node: Controller Manager'
 
 controller_manager = attribute('controller_manager')

controls/1_1_master_node_api_server.rb controls/1_2_master_node_api_server.rb

@@ -1,21 +1,4 @@
-#
-# Copyright 2019, Schuberg Philis B.V.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# author: Kristian Vlaardingerbroek
-
-title '1.2 Master Node: Scheduler'
+title '1.4 Master Node: Scheduler'
 
 scheduler = attribute('scheduler')
 # fallback if scheduler attribute is not defined
@@ -25,25 +8,25 @@
   processes(scheduler).exists?
 end
 
-control 'cis-kubernetes-benchmark-1.2.1' do
+control 'cis-kubernetes-benchmark-1.4.1' do
   title 'Ensure that the --profiling argument is set to false'
   desc "Disable profiling, if not needed.\n\nRationale: Profiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface."
   impact 1.0
 
-  tag cis: 'kubernetes:1.2.1'
+  tag cis: 'kubernetes:1.4.1'
   tag level: 1
 
   describe processes(scheduler).commands.to_s do
     it { should match(/--profiling=false/) }
   end
 end
 
-control 'cis-kubernetes-benchmark-1.2.2' do
+control 'cis-kubernetes-benchmark-1.4.2' do
   title 'Ensure that the --address argument is set to 127.0.0.1'
   desc "Do not bind the scheduler service to non-loopback insecure addresses.\n\nRationale: The Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface."
   impact 1.0
 
-  tag cis: 'kubernetes:1.2.2'
+  tag cis: 'kubernetes:1.4.2'
   tag level: 1
 
   describe.one do

controls/1_3_master_node_controller_manager.rb

@@ -1,21 +1,4 @@
-#
-# Copyright 2019, Schuberg Philis B.V.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# author: Kristian Vlaardingerbroek
-
-title '1.5 Master Node: etcd'
+title '2 Etcd Node'
 
 etcd_regex = Regexp.new(%r{/usr/bin/etcd})
 etcd_process = processes(etcd_regex)
@@ -25,12 +8,12 @@
   etcd_process.exists?
 end
 
-control 'cis-kubernetes-benchmark-1.5.1' do
+control 'cis-kubernetes-benchmark:2.1' do
   title 'Ensure that the --cert-file and --key-file arguments are set as appropriate'
   desc "Configure TLS encryption for the etcd service.\n\nRationale: etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit."
   impact 1.0
 
-  tag cis: 'kubernetes:1.5.1'
+  tag cis: 'kubernetes:2.1'
   tag level: 1
 
   describe.one do
@@ -54,12 +37,12 @@
   end
 end
 
-control 'cis-kubernetes-benchmark-1.5.2' do
+control 'cis-kubernetes-benchmark:2.2' do
   title 'Ensure that the --client-cert-auth argument is set to true'
   desc "Enable client authentication on etcd service.\n\nRationale: etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service."
   impact 1.0
 
-  tag cis: 'kubernetes:1.5.2'
+  tag cis: 'kubernetes:2.2'
   tag level: 1
 
   describe.one do
@@ -73,25 +56,25 @@
   end
 end
 
-control 'cis-kubernetes-benchmark-1.5.3' do
+control 'cis-kubernetes-benchmark:2.3' do
   title 'Ensure that the --auto-tls argument is not set to true'
   desc "Do not use self-signed certificates for TLS.\n\nRationale: etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service."
   impact 1.0
 
-  tag cis: 'kubernetes:1.5.3'
+  tag cis: 'kubernetes:2.3'
   tag level: 1
 
   describe etcd_process.commands.to_s do
     it { should_not match(/--auto-tls=true/) }
   end
 end
 
-control 'cis-kubernetes-benchmark-1.5.4' do
+control 'cis-kubernetes-benchmark:2.4' do
   title 'Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate'
   desc "etcd should be configured to make use of TLS encryption for peer connections.\n\nRationale: etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters."
   impact 1.0
 
-  tag cis: 'kubernetes:1.5.4'
+  tag cis: 'kubernetes:2.4'
   tag level: 1
 
   describe.one do
@@ -115,12 +98,12 @@
   end
 end
 
-control 'cis-kubernetes-benchmark-1.5.5' do
+control 'cis-kubernetes-benchmark:2.5' do
   title 'Ensure that the --peer-client-cert-auth argument is set to true'
   desc "etcd should be configured for peer authentication.\n\nRationale: etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster."
   impact 1.0
 
-  tag cis: 'kubernetes:1.5.5'
+  tag cis: 'kubernetes:2.5'
   tag level: 1
 
   describe.one do
@@ -134,30 +117,30 @@
   end
 end
 
-control 'cis-kubernetes-benchmark-1.5.6' do
+control 'cis-kubernetes-benchmark:2.6' do
   title 'Ensure that the --peer-auto-tls argument is not set to true'
   desc "Do not use automatically generated self-signed certificates for TLS connections between peers.\n\nRationale: etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication."
   impact 1.0
 
-  tag cis: 'kubernetes:1.5.6'
+  tag cis: 'kubernetes:2.6'
   tag level: 1
 
   describe etcd_process.commands.to_s do
     it { should_not match(/--peer-auto-tls=true/) }
   end
 end
 
-control 'cis-kubernetes-benchmark-1.5.9' do
+control 'cis-kubernetes-benchmark:2.7' do
   title 'Ensure that a unique Certificate Authority is used for etcd'
   desc "Use a different certificate authority for etcd from the one used for Kubernetes.\n\nRationale: etcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. Its access should be restricted to specifically designated clients and peers only.\nAuthentication to etcd is based on whether the certificate presented was issued by a trusted certificate authority. There is no checking of certificate attributes such as common name or subject alternative name. As such, if any attackers were able to gain access to any certificate issued by the trusted certificate authority, they would be able to gain full access to the etcd database."
   impact 0.0
 
-  tag cis: 'kubernetes:1.5.9'
+  tag cis: 'kubernetes:2.7'
   tag level: 2
 
   only_if {  cis_level == 2 }
 
-  describe 'cis-kubernetes-benchmark-1.5.9' do
+  describe 'cis-kubernetes-benchmark:2.7' do
     skip 'Review if the CA used for etcd is different from the one used for Kubernetes'
   end
 end

controls/1_2_master_node_scheduler.rb controls/1_4_master_node_scheduler.rb

@@ -0,0 +1,14 @@
+title '3.1 Control Plane Configuration'
+
+control 'cis-kubernetes-benchmark-3.1.1' do
+  title 'Client certificate authentication should not be used for users'
+  desc "Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose. It is not possible to fully disable client certificate use within a cluster as it is used for component to component authentication.\nRationale: With any authentication mechanism the ability to revoke credentials if they are compromised or no longer required, is a key control. Kubernetes client certificate authentication does not allow for this due to a lack of support for certificate revocation."
+  impact 1.0
+
+  tag cis: 'kubernetes:3.1.1'
+  tag level: 2
+
+  describe 'cis-kubernetes-benchmark-3.1.1' do
+    skip 'Review user access to the cluster and ensure that users are not making use of Kubernetes client certificate authentication.'
+  end
+end