Update for CIS Kubernetes benchmark version 1.2.0

Signed-off-by: Kristian Vlaardingerbroek <[email protected]>

Author: rarenerd

.gitignore

@@ -1,6 +1,8 @@
 **/.librarian
 **/.tmp
 **/Puppetfile.lock
+vendor/
+.bundle
 Gemfile.lock
 Berksfile.lock
 inspec.lock

README.md

@@ -1,7 +1,7 @@
 # CIS Kubernetes Benchmark - InSpec Profile
 
 ## Description
-This profile implements the [CIS Kubernetes 1.1.0 Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
+This profile implements the [CIS Kubernetes 1.2.0 Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
 
 ## Attributes
 
@@ -10,6 +10,31 @@ To switch between the CIS profile levels the following attribute can be used:
   * `cis_level: 2`
     define which profile level to use, accepted values are `1` and `2`.
 
+Refer to the [InSpec Profiles Reference](https://www.inspec.io/docs/reference/profiles/) for more information about Profile Attributes.
+
+## Usage
+
+This Compliance Profile requires [InSpec](https://github.com/chef/inspec) for execution:
+
+```
+$ git clone https://github.com/dev-sec/cis-kubernetes-benchmark
+$ inspec exec cis-kubernetes-benchmark
+```
+
+You can also execute the profile directly from Github:
+
+```
+$ inspec exec https://github.com/dev-sec/cis-kubernetes-benchmark
+```
+
+Or execute specific controls instead of all:
+
+```
+$ inspec exec cis-kubernetes-benchmark --controls=cis-kubernetes-benchmark-1.1.2 cis-kubernetes-benchmark-1.3.5
+```
+
+Refer to the [InSpec CLI reference](https://www.inspec.io/docs/reference/cli) for more information.
+
 ## License and Author
 
 * Author:: Kristian Vlaardingerbroek <[email protected]>

controls/1_1_master_node_api_server.rb

@@ -161,7 +161,7 @@
 
   catch(:stop) do
     if etcd_process.exists?
-      if (wal_dir = etcd_process.commands.to_s.scan(/--data-dir=(\S+)/).last)
+      if (wal_dir = etcd_process.commands.first.scan(/--data-dir=(\S+)/).last)
         wal_dir = wal_dir.first
         throw :stop
       end

controls/1_4_master_node_configuration_files.rb

@@ -123,4 +123,17 @@
       skip 'Review the network policies enforced and ensure that they are suitable for your requirements.'
     end
   end
+
+  control 'cis-kubernetes-benchmark-1.6.9' do
+    title 'Place compensating controls in the form of PSP and RBAC for privileged containers usage'
+    desc "Use Pod Security Policies (PSP) and RBAC authorization to mitigate the risk arising from using privileged containers.\n\nRationale: A number of components used by Kubernetes clusters currently make use of privileged containers (e.g. Container Network Interface plugins). Privileged containers pose a risk to the underlying host infrastructure. You should use PSP and RBAC or other forms of authorization to mitigate the risk arising out of such privileged container usage. PSPs should be in place to restrict access to create privileged containers to specific roles only, and access to those roles should be restricted using RBAC role bindings."
+    impact 0.0
+
+    tag cis: 'kubernetes:1.6.9'
+    tag level: 2
+
+    describe 'cis-kubernetes-benchmark-1.6.8' do
+      skip 'Review Pod Security Policies and RBAC authorization.'
+    end
+  end
 end

controls/1_5_master_node_etcd.rb

@@ -18,107 +18,119 @@
 title '2.2 Worker Node: Configuration Files'
 
 control 'cis-kubernetes-benchmark-2.2.1' do
-  title 'Ensure that the config file permissions are set to 644 or more restrictive'
-  desc "Ensure that the `config` file has permissions of `644` or more restrictive.\n\nRationale: The `config` file controls various parameters that set the behavior of various components of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
+  title 'Ensure that the kubelet.conf file permissions are set to 644 or more restrictive'
+  desc "Ensure that the kubelet.conf file has permissions of 644 or more restrictive.\n\nRationale: The kubelet.conf file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
   impact 1.0
 
   tag cis: 'kubernetes:2.2.1'
   tag level: 1
 
   only_if do
-    file('/etc/kubernetes/config').exist?
+    file('/etc/kubernetes/kubelet.conf').exist?
   end
 
-  describe file('/etc/kubernetes/config').mode.to_s do
+  describe file('/etc/kubernetes/kubelet.conf').mode.to_s do
     it { should match(/[0246][024][024]/) }
   end
 end
 
 control 'cis-kubernetes-benchmark-2.2.2' do
-  title 'Ensure that the config file ownership is set to root:root'
-  desc "Ensure that the `config` file ownership is set to `root:root`.\n\nRationale: The `config` file controls various parameters that set the behavior of various components of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`."
+  title 'Ensure that the kubelet.conf file ownership is set to root:root'
+  desc "Ensure that the kubelet.conf file ownership is set to root:root.\n\nRationale: The kubelet.conf file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root."
   impact 1.0
 
   tag cis: 'kubernetes:2.2.2'
   tag level: 1
 
   only_if do
-    file('/etc/kubernetes/config').exist?
+    file('/etc/kubernetes/kubelet.conf').exist?
   end
 
-  describe file('/etc/kubernetes/config') do
+  describe file('/etc/kubernetes/kubelet.conf') do
     it { should be_owned_by 'root' }
     it { should be_grouped_into 'root' }
   end
 end
 
 control 'cis-kubernetes-benchmark-2.2.3' do
-  title 'Ensure that the kubelet file permissions are set to 644 or more restrictive'
-  desc "Ensure that the `kubelet` file has permissions of `644` or more restrictive.\n\nRationale: The `kubelet` file controls various parameters that set the behavior of the `kubelet` service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
+  title 'Ensure that the kubelet service file permissions are set to 644 or more restrictive'
+  desc "Ensure that the kubelet service file has permissions of 644 or more restrictive.\n\nRationale: The kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
   impact 1.0
 
   tag cis: 'kubernetes:2.2.3'
   tag level: 1
 
-  only_if do
-    file('/etc/kubernetes/kubelet').exist?
-  end
-
-  describe file('/etc/kubernetes/kubelet').mode.to_s do
-    it { should match(/[0246][024][024]/) }
+  if file('/etc/systemd/system/kubelet.service.d/10-kubeadm.conf').exist?
+    describe file('/etc/systemd/system/kubelet.service.d/10-kubeadm.conf').mode.to_s do
+      it { should match(/[0246][024][024]/) }
+    end
+  else
+    describe 'cis-kubernetes-benchmark-2.2.3' do
+      skip 'Review the permissions on your Kubelet systemd service file.'
+    end
   end
 end
 
 control 'cis-kubernetes-benchmark-2.2.4' do
-  title 'Ensure that the kubelet file ownership is set to root:root'
-  desc "Ensure that the `kubelet` file ownership is set to `root:root`.\n\nRationale: The `kubelet` file controls various parameters that set the behavior of the `kubelet` service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`."
+  title 'Ensure that the kubelet service file ownership is set to root:root'
+  desc "Ensure that the kubelet service file ownership is set to root:root.\n\nRationale: The kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root."
   impact 1.0
 
   tag cis: 'kubernetes:2.2.4'
   tag level: 1
 
-  only_if do
-    file('/etc/kubernetes/kubelet').exist?
-  end
-
-  describe file('/etc/kubernetes/kubelet') do
-    it { should be_owned_by 'root' }
-    it { should be_grouped_into 'root' }
+  if file('/etc/systemd/system/kubelet.service.d/10-kubeadm.conf').exist?
+    describe file('/etc/systemd/system/kubelet.service.d/10-kubeadm.conf') do
+      it { should be_owned_by 'root' }
+      it { should be_grouped_into 'root' }
+    end
+  else
+    describe 'cis-kubernetes-benchmark-1.4.10' do
+      skip 'Review the ownership of your Kubelet systemd service file.'
+    end
   end
 end
 
 control 'cis-kubernetes-benchmark-2.2.5' do
-  title 'Ensure that the proxy file permissions are set to 644 or more restrictive'
-  desc "Ensure that the `proxy` file has permissions of `644` or more restrictive.\n\nRationale: The `proxy` file controls various parameters that set the behavior of the `kube-proxy` service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
+  title 'Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive'
+  desc "If kube-proxy is running, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\nRationale: The kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system."
   impact 1.0
 
   tag cis: 'kubernetes:2.2.5'
   tag level: 1
 
-  only_if do
-    file('/etc/kubernetes/proxy').exist?
-  end
+  if processes('kube-proxy').exists?
+    conf_file = processes('kube-proxy').commands.first.scan(/--config=(\S+)/).last.first
 
-  describe file('/etc/kubernetes/proxy').mode.to_s do
-    it { should match(/[0246][024][024]/) }
+    describe file(conf_file).mode.to_s do
+      it { should match(/[0246][024][024]/) }
+    end
+  else
+    describe 'cis-kubernetes-benchmark-2.2.5' do
+      skip 'kube-proxy process not found'
+    end
   end
 end
 
 control 'cis-kubernetes-benchmark-2.2.6' do
-  title 'Ensure that the proxy file ownership is set to root:root'
-  desc "Ensure that the `proxy` file ownership is set to `root:root`.\n\nRationale: The `proxy` file controls various parameters that set the behavior of the `kube-proxy` service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`."
+  title 'Ensure that the proxy kubeconfig file ownership is set to root:root'
+  desc "If kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\nRationale: The kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root."
   impact 1.0
 
   tag cis: 'kubernetes:2.2.6'
   tag level: 1
 
-  only_if do
-    file('/etc/kubernetes/proxy').exist?
-  end
+  if processes('kube-proxy').exists?
+    conf_file = processes('kube-proxy').commands.first.scan(/--config=(\S+)/).last.first
 
-  describe file('/etc/kubernetes/proxy') do
-    it { should be_owned_by 'root' }
-    it { should be_grouped_into 'root' }
+    describe file(conf_file) do
+      it { should be_owned_by 'root' }
+      it { should be_grouped_into 'root' }
+    end
+  else
+    describe 'cis-kubernetes-benchmark-2.2.6' do
+      skip 'kube-proxy process not found'
+    end
   end
 end
 
@@ -130,15 +142,21 @@
   tag cis: 'kubernetes:2.2.7'
   tag level: 1
 
-  ca_cert_path = processes('kubelet').commands.to_s.scan(/--client-ca-file=(\S*)/)
-
-  if ca_cert_path.empty?
-    describe 'cis-kubernetes-benchmark-2.2.7' do
-      skip 'No client CA file specified for `kubelet` process'
+  if processes('kubelet').exists?
+    ca_cert_path = processes('kubelet').commands.first.scan(/--client-ca-file=(\S+)/)
+
+    if ca_cert_path.empty?
+      describe 'cis-kubernetes-benchmark-2.2.7' do
+        skip 'No client CA file specified for `kubelet` process'
+      end
+    else
+      describe file(ca_cert_path.last.first).mode.to_s do
+        it { should match(/[0246][024][024]/) }
+      end
     end
   else
-    describe file(ca_cert_path.last.first).mode.to_s do
-      it { should match(/[0246][024][024]/) }
+    describe 'cis-kubernetes-benchmark-2.2.7' do
+      skip 'kubelet process not found'
     end
   end
 end
@@ -151,16 +169,22 @@
   tag cis: 'kubernetes:2.2.8'
   tag level: 1
 
-  ca_cert_path = processes('kubelet').commands.to_s.scan(/--client-ca-file=(\S*)/)
-
-  if ca_cert_path.empty?
-    describe 'cis-kubernetes-benchmark-2.2.8' do
-      skip 'No client CA file specified for `kubelet` process'
+  if processes('kubelet').exists?
+    ca_cert_path = processes('kubelet').commands.to_s.scan(/--client-ca-file=(\S+)/)
+
+    if ca_cert_path.empty?
+      describe 'cis-kubernetes-benchmark-2.2.8' do
+        skip 'No client CA file specified for `kubelet` process'
+      end
+    else
+      describe file(ca_cert_path.last.first) do
+        it { should be_owned_by 'root' }
+        it { should be_grouped_into 'root' }
+      end
     end
   else
-    describe file(ca_cert_path.last.first) do
-      it { should be_owned_by 'root' }
-      it { should be_grouped_into 'root' }
+    describe 'cis-kubernetes-benchmark-2.2.8' do
+      skip 'kubelet process not found'
     end
   end
 end

controls/1_6_master_node_general_security_primitives.rb

@@ -5,4 +5,4 @@ copyright: Schuberg Philis B.V.
 copyright_email: [email protected]
 license: Apache-2.0
 summary: An InSpec Compliance profile for the CIS Kubernetes Benchmark
-version: 0.2.0
+version: 0.3.0