diff --git a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-bootstrap-image/bootstrap-script.sh b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-bootstrap-image/bootstrap-script.sh
index 1ea0738..ca6f5b4 100644
--- a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-bootstrap-image/bootstrap-script.sh
+++ b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-bootstrap-image/bootstrap-script.sh
@@ -8,9 +8,13 @@
 iptables -P INPUT DROP
 iptables -P OUTPUT DROP
 iptables -P FORWARD DROP
-# Allow inbound traffic for kubelet (so kubectl logs/exec works)
+# 3.4.1.1.1 Allow inbound traffic for kubelet (so kubectl logs/exec works)
 iptables -I INPUT -p tcp -m tcp --dport 10250 -j ACCEPT
+# 3.4.1.1.2 Allow inbound traffic to communicate with Pod Identity
+iptables -I INPUT -d 169.254.170.23/32 -p tcp -m tcp --dport 80 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+iptables -I INPUT -d 169.254.170.23/32 -p tcp -m tcp --dport 2703 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+
 # 3.4.1.2 Ensure IPv4 loopback traffic is configured (Automated)
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
@@ -32,9 +36,13 @@
 ip6tables -P INPUT DROP
 ip6tables -P OUTPUT DROP
 ip6tables -P FORWARD DROP
-# Allow inbound traffic for kubelet on ipv6 if needed (so kubectl logs/exec works)
+# 3.4.2.1.1 Allow inbound traffic for kubelet on ipv6 if needed (so kubectl logs/exec works)
 ip6tables -A INPUT -p tcp --destination-port 10250 -j ACCEPT
+# 3.4.2.1.2 Allow inbound traffic to communicate with Pod Identity
+ip6tables -I INPUT -d fd00:ec2::23/128 -p tcp -m tcp --dport 80 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+ip6tables -I INPUT -d fd00:ec2::23/128 -p tcp -m tcp --dport 2703 -m comment --comment "Allow communicate with Pod Identity" -j ACCEPT
+
 # 3.4.2.2 Ensure IPv6 loopback traffic is configured (Automated)
 ip6tables -A INPUT -i lo -j ACCEPT
 ip6tables -A OUTPUT -o lo -j ACCEPT
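Review bot: The new `-I INPUT` rules for 169.254.170.23 (and for fd00:ec2::23 in the ip6tables hunk) only admit the request direction, while `-P OUTPUT DROP` three lines above means the agent's replies from ports 80/2703 depend on an OUTPUT accept (established/related or equivalent) that is outside this hunk; confirm such a rule exists before relying on these entries, otherwise the connections will open and then stall. The labels 3.4.1.1.1/3.4.1.1.2 and 3.4.2.1.1/3.4.2.1.2 appear to be sub-numbered local exceptions rather than benchmark recommendation IDs like the neighbouring `3.4.1.2 … (Automated)` entries, so a one-line note such as `# 3.4.1.1.x / 3.4.2.1.x are local exceptions to the default-deny policy, not CIS recommendation IDs` would stop readers searching the benchmark for them. The rule comment `"Allow communicate with Pod Identity"` is repeated four times with a grammar slip; `"Allow communication with Pod Identity agent"` reads better, and since the validating script matches rules by address and `dpt:` rather than by this text, changing it is safe.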
diff --git a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh
index ddf1367..133339e 100644
--- a/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh
+++ b/cis-bottlerocket-benchmark-eks/bottlerocket-cis-validating-image/validating-script.sh
@@ -8,7 +8,7 @@ echo "This tool validates the Amazon EKS optimized AMI against CIS Bottlerocket
 Num_Of_Checks_Passed=0
-Total_Num_Of_Checks=26
+Total_Num_Of_Checks=30
 function checkSysctlConfig() {
@@ -285,6 +285,33 @@ else
 echo "Error Message: inputChain=$inputChain ForwardChain=$ForwardChain OutputChain=$OutputChain"
 fi
+RECOMMENDATION="3.4.1.1.1 Allow inbound traffic for kubelet"
+InputKubeletAccept=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "dpt:10250")
+if [[ ! -z "$InputKubeletAccept" ]];
+then
+ echo "[PASS] $RECOMMENDATION"
+ Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+ echo "[FAIL] $RECOMMENDATION"
+ echo "Error Message: Rule for allowing inbound traffic for kubelet not found"
+fi
+#echo $InputKubeletAccept
+
+
+RECOMMENDATION="3.4.1.1.2 Allow inbound traffic to communicate with Pod Identity"
+InputPodIdentityAccept1=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "169.254.170.23/32" | grep "dpt:80")
+InputPodIdentityAccept2=$(iptables -L INPUT -v -n | grep "ACCEPT" | grep "169.254.170.23/32" | grep "dpt:2703")
+if [[ ! -z "$InputPodIdentityAccept1" ]] && [[ ! -z "$InputPodIdentityAccept2" ]];
+then
+ echo "[PASS] $RECOMMENDATION"
+ Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+ echo "[FAIL] $RECOMMENDATION"
+ echo "Error Message: Rule for allowing inbound traffic for Pod Identity not found"
+fi
+#echo $InputPodIdentityAccept
+
+
 RECOMMENDATION="3.4.1.2 Ensure IPv4 loopback traffic is configured (Automated)"
 InputAccept=$(iptables -L INPUT -v -n | grep "ACCEPT all" | awk '{print $8}')
 if [[ -z "$InputAccept" ]];
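Review bot: The 3.4.1.1.2 check will report [FAIL] even when the bootstrap rule is installed, because `iptables -L INPUT -v -n` prints a single-host destination without its mask (the listing shows `169.254.170.23`, not `169.254.170.23/32`), so `grep "169.254.170.23/32"` never matches; the same applies to `grep "fd00:ec2::23/128"` in the ip6tables hunk below. Either match the bare address as a fixed string, `grep -F "169.254.170.23"`, or read the rules with `iptables -S INPUT`, whose output keeps the `-d 169.254.170.23/32` form that the bootstrap script wrote. `grep "dpt:80"` is also a plain substring match that would accept `dpt:8080`; `grep -w "dpt:80"` pins the port. Two smaller style points: `[[ ! -z "$x" ]]` is the long way to write `[[ -n "$x" ]]`, and the trailing `#echo $InputPodIdentityAccept` refers to a variable that is never set (the values are in `InputPodIdentityAccept1`/`2`), so the dead debug line should go.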
@@ -396,6 +423,33 @@ else
 fi
+RECOMMENDATION="3.4.2.1.1 Allow inbound traffic for kubelet"
+InputKubeletAccept=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "dpt:10250")
+if [[ ! -z "$InputKubeletAccept" ]];
+then
+ echo "[PASS] $RECOMMENDATION"
+ Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+ echo "[FAIL] $RECOMMENDATION"
+ echo "Error Message: Rule for allowing inbound traffic for kubelet not found"
+fi
+#echo $InputKubeletAccept
+
+
+RECOMMENDATION="3.4.2.1.2 Allow inbound traffic to communicate with Pod Identity"
+InputPodIdentityAccept1=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "fd00:ec2::23/128" | grep "dpt:80")
+InputPodIdentityAccept2=$(ip6tables -L INPUT -v -n | grep "ACCEPT" | grep "fd00:ec2::23/128" | grep "dpt:2703")
+if [[ ! -z "$InputPodIdentityAccept1" ]] && [[ ! -z "$InputPodIdentityAccept2" ]];
+then
+ echo "[PASS] $RECOMMENDATION"
+ Num_Of_Checks_Passed=$((Num_Of_Checks_Passed+1))
+else
+ echo "[FAIL] $RECOMMENDATION"
+ echo "Error Message: Rule for allowing inbound traffic for Pod Identity not found"
+fi
+#echo $InputPodIdentityAccept
+
+
 RECOMMENDATION="3.4.2.2 Ensure IPv6 loopback traffic is configured (Automated)"
 InputAccept=$(ip6tables -L INPUT -v -n | grep "ACCEPT all" | awk '{print $7}')
 if [[ -z "$InputAccept" ]];