
remove cis 1.2.2 (elastic#69)
oren-zohar authored Apr 5, 2022
1 parent 7988484 commit 3f77666
Showing 59 changed files with 334 additions and 383 deletions.
2 changes: 1 addition & 1 deletion compliance/cis_k8s/rules/cis_1_1_3/rule.rego
Expand Up @@ -4,7 +4,7 @@ import data.compliance.cis_k8s
import data.compliance.lib.common
import data.compliance.lib.data_adapter

# Ensure that the API server pod specification file permissions are set to 644 or more restrictive
# Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated)
finding = result {
data_adapter.filename == "kube-controller-manager.yaml"
filemode := data_adapter.filemode
@@ -1,4 +1,4 @@
package compliance.cis_k8s.rules.cis_1_2_11
package compliance.cis_k8s.rules.cis_1_2_10

import data.compliance.cis_k8s
import data.compliance.lib.assert
Expand All @@ -25,7 +25,7 @@ metadata = {
"name": "Ensure that the admission control plugin AlwaysAdmit is not set",
"description": "Setting admission control plugin AlwaysAdmit allows all requests and do not filter any requests.",
"impact": "Only requests explicitly allowed by the admissions control plugins would be served.",
"tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.11", "API Server"]),
"tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.10", "API Server"]),
"benchmark": cis_k8s.benchmark_metadata,
"remediation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.",
}
@@ -1,4 +1,4 @@
package compliance.cis_k8s.rules.cis_1_2_11
package compliance.cis_k8s.rules.cis_1_2_10

import data.kubernetes_common.test_data
import data.lib.test
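--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_2_13/rule.rego
@@ -0,0 +1,38 @@
+package compliance.cis_k8s.rules.cis_1_2_13
+
+import data.compliance.cis_k8s
+import data.compliance.lib.common
+import data.compliance.lib.data_adapter
+
+# Ensure that the admission control plugin ServiceAccount is set (Automated)
+
+# evaluate
+process_args := data_adapter.process_args
+
+default rule_evaluation = false
+
+rule_evaluation {
+# Verify that the --disable-admission-plugins argument is set to a value that does not includes ServiceAccount.
+process_args["--disable-admission-plugins"]
+not common.arg_values_contains(process_args, "--disable-admission-plugins", "ServiceAccount")
+}
+
+finding = result {
+# filter
+data_adapter.is_kube_apiserver
+
+# set result
+result := {
+"evaluation": common.calculate_result(rule_evaluation),
+"evidence": {"process_args": process_args},
+}
+}
+
+metadata = {
+"name": "Ensure that the admission control plugin ServiceAccount is set",
+"description": "When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. You should create your own service account and let the API server manage its security tokens.",
+"impact": "None",
+"tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.13", "API Server"]),
+"benchmark": cis_k8s.benchmark_metadata,
+"remediation": "Follow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.",
+}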
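Review bot: `rule_evaluation` only holds when the `process_args["--disable-admission-plugins"]` line is satisfied, so an API server started without `--disable-admission-plugins` at all — the configuration in which ServiceAccount is not disabled — is reported as a failure, and `test_violation` in cis_1_2_13/test.rego pins that with `rule_input("")`. If the intent is the CIS audit wording ("set to a value that does not include ServiceAccount"), the presence check should be dropped so the body is just `not common.arg_values_contains(process_args, "--disable-admission-plugins", "ServiceAccount")`, with the `rule_input("")` case moved to `test_pass`; this assumes the helper is false or undefined for a missing key, which is not visible here and should be confirmed against its definition. The same shape is carried into cis_1_2_14/rule.rego and its test for NamespaceLifecycle, so whichever reading is intended should be applied to both. Separately, the comment above the check reads `does not includes`; the new file could use `does not include`, which is the wording cis_1_2_14 now uses.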
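--- /dev/null
+++ b/compliance/cis_k8s/rules/cis_1_2_13/test.rego
@@ -0,0 +1,21 @@
+package compliance.cis_k8s.rules.cis_1_2_13
+
+import data.kubernetes_common.test_data
+import data.lib.test
+
+test_violation {
+test.assert_fail(finding) with input as rule_input("")
+test.assert_fail(finding) with input as rule_input("--disable-admission-plugins=ServiceAccount")
+test.assert_fail(finding) with input as rule_input("--disable-admission-plugins=PodNodeSelector,ServiceAccount")
+}
+
+test_pass {
+test.assert_pass(finding) with input as rule_input("--disable-admission-plugins=AlwaysDeny")
+test.assert_pass(finding) with input as rule_input("--disable-admission-plugins=PodNodeSelector,AlwaysDeny")
+}
+
+test_not_evaluated {
+not finding with input as test_data.process_input("some_process", [])
+}
+
+rule_input(argument) = test_data.process_input("kube-apiserver", [argument])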
12 changes: 6 additions & 6 deletions compliance/cis_k8s/rules/cis_1_2_14/rule.rego
Expand Up @@ -4,17 +4,17 @@ import data.compliance.cis_k8s
import data.compliance.lib.common
import data.compliance.lib.data_adapter

# Ensure that the admission control plugin ServiceAccount is set (Automated)
# Ensure that the admission control plugin NamespaceLifecycle is set (Automated)

# evaluate
process_args := data_adapter.process_args

default rule_evaluation = false

rule_evaluation {
# Verify that the --disable-admission-plugins argument is set to a value that does not includes ServiceAccount.
# Verify that the --disable-admission-plugins argument is set to a value that does not include NamespaceLifecycle.
process_args["--disable-admission-plugins"]
not common.arg_values_contains(process_args, "--disable-admission-plugins", "ServiceAccount")
not common.arg_values_contains(process_args, "--disable-admission-plugins", "NamespaceLifecycle")
}

finding = result {
Expand All @@ -29,10 +29,10 @@ finding = result {
}

metadata = {
"name": "Ensure that the admission control plugin ServiceAccount is set",
"description": "When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. You should create your own service account and let the API server manage its security tokens.",
"name": "Ensure that the admission control plugin NamespaceLifecycle is set",
"description": "Setting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.",
"impact": "None",
"tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.14", "API Server"]),
"benchmark": cis_k8s.benchmark_metadata,
"remediation": "Follow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.",
"remediation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.",
}
4 changes: 2 additions & 2 deletions compliance/cis_k8s/rules/cis_1_2_14/test.rego
Expand Up @@ -5,8 +5,8 @@ import data.lib.test

test_violation {
test.assert_fail(finding) with input as rule_input("")
test.assert_fail(finding) with input as rule_input("--disable-admission-plugins=ServiceAccount")
test.assert_fail(finding) with input as rule_input("--disable-admission-plugins=PodNodeSelector,ServiceAccount")
test.assert_fail(finding) with input as rule_input("--disable-admission-plugins=NamespaceLifecycle")
test.assert_fail(finding) with input as rule_input("--disable-admission-plugins=PodNodeSelector,NamespaceLifecycle")
}

test_pass {
24 changes: 8 additions & 16 deletions compliance/cis_k8s/rules/cis_1_2_15/rule.rego
Expand Up @@ -4,23 +4,15 @@ import data.compliance.cis_k8s
import data.compliance.lib.common
import data.compliance.lib.data_adapter

# Ensure that the admission control plugin NamespaceLifecycle is set (Automated)

# evaluate
process_args := data_adapter.process_args

default rule_evaluation = false

rule_evaluation {
# Verify that the --disable-admission-plugins argument is set to a value that does not include NamespaceLifecycle.
process_args["--disable-admission-plugins"]
not common.arg_values_contains(process_args, "--disable-admission-plugins", "NamespaceLifecycle")
}

# Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
finding = result {
# filter
data_adapter.is_kube_apiserver

# evaluate
process_args := data_adapter.process_args
rule_evaluation := common.arg_values_contains(process_args, "--enable-admission-plugins", "PodSecurityPolicy")

# set result
result := {
"evaluation": common.calculate_result(rule_evaluation),
Expand All @@ -29,9 +21,9 @@ finding = result {
}

metadata = {
"name": "Ensure that the admission control plugin NamespaceLifecycle is set",
"description": "Setting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.",
"impact": "None",
"name": "Ensure that the admission control plugin PodSecurityPolicy is set",
"description": "A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions.",
"impact": "The policy objects must be created and granted before pod creation would be allowed.",
"tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.15", "API Server"]),
"benchmark": cis_k8s.benchmark_metadata,
"remediation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.",
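Review bot: The `"remediation"` string kept as context at the end of the second hunk still instructs the operator to edit `--disable-admission-plugins` so it does not include NamespaceLifecycle, while the rule now evaluates `--enable-admission-plugins` for PodSecurityPolicy and the name and description were changed to match; someone acting on this finding is pointed at the wrong flag. Suggested line: `"remediation": "Follow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy.",`. The removed side of cis_1_2_16/rule.rego shows the same stale text attached to the PodSecurityPolicy rule before this commit, so this looks inherited rather than introduced here, but the renumbering is the natural place to correct it. The `metadata` object closes outside the hunk.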
7 changes: 3 additions & 4 deletions compliance/cis_k8s/rules/cis_1_2_15/test.rego
Expand Up @@ -5,13 +5,12 @@ import data.lib.test

test_violation {
test.assert_fail(finding) with input as rule_input("")
test.assert_fail(finding) with input as rule_input("--disable-admission-plugins=NamespaceLifecycle")
test.assert_fail(finding) with input as rule_input("--disable-admission-plugins=PodNodeSelector,NamespaceLifecycle")
test.assert_fail(finding) with input as rule_input("--enable-admission-plugins=NamespaceLifecycle")
test.assert_fail(finding) with input as rule_input("--enable-admission-plugins=LimitRanger,NamespaceLifecycle")
}

test_pass {
test.assert_pass(finding) with input as rule_input("--disable-admission-plugins=AlwaysDeny")
test.assert_pass(finding) with input as rule_input("--disable-admission-plugins=PodNodeSelector,AlwaysDeny")
test.assert_pass(finding) with input as rule_input("--enable-admission-plugins=LimitRanger,PodSecurityPolicy")
}

test_not_evaluated {
12 changes: 6 additions & 6 deletions compliance/cis_k8s/rules/cis_1_2_16/rule.rego
Expand Up @@ -4,14 +4,14 @@ import data.compliance.cis_k8s
import data.compliance.lib.common
import data.compliance.lib.data_adapter

# Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
# Ensure that the admission control plugin NodeRestriction is set (Automated)
finding = result {
# filter
data_adapter.is_kube_apiserver

# evaluate
process_args := data_adapter.process_args
rule_evaluation := common.arg_values_contains(process_args, "--enable-admission-plugins", "PodSecurityPolicy")
rule_evaluation := common.arg_values_contains(process_args, "--enable-admission-plugins", "NodeRestriction")

# set result
result := {
Expand All @@ -21,10 +21,10 @@ finding = result {
}

metadata = {
"name": "Ensure that the admission control plugin PodSecurityPolicy is set",
"description": "A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions.",
"impact": "The policy objects must be created and granted before pod creation would be allowed.",
"name": "Ensure that the admission control plugin NodeRestriction is set",
"description": "Using the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.",
"impact": "None",
"tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.16", "API Server"]),
"benchmark": cis_k8s.benchmark_metadata,
"remediation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.",
"remediation": "Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction.",
}
7 changes: 4 additions & 3 deletions compliance/cis_k8s/rules/cis_1_2_16/test.rego
Expand Up @@ -5,12 +5,13 @@ import data.lib.test

test_violation {
test.assert_fail(finding) with input as rule_input("")
test.assert_fail(finding) with input as rule_input("--enable-admission-plugins=NamespaceLifecycle")
test.assert_fail(finding) with input as rule_input("--enable-admission-plugins=LimitRanger,NamespaceLifecycle")
test.assert_fail(finding) with input as rule_input("--enable-admission-plugins=AlwaysDeny")
test.assert_fail(finding) with input as rule_input("--enable-admission-plugins=NamespaceLifecycle,AlwaysDeny")
}

test_pass {
test.assert_pass(finding) with input as rule_input("--enable-admission-plugins=LimitRanger,PodSecurityPolicy")
test.assert_pass(finding) with input as rule_input("--enable-admission-plugins=NodeRestriction")
test.assert_pass(finding) with input as rule_input("--enable-admission-plugins=NamespaceLifecycle,NodeRestriction")
}

test_not_evaluated {
13 changes: 7 additions & 6 deletions compliance/cis_k8s/rules/cis_1_2_17/rule.rego
@@ -1,17 +1,18 @@
package compliance.cis_k8s.rules.cis_1_2_17

import data.compliance.cis_k8s
import data.compliance.lib.assert
import data.compliance.lib.common
import data.compliance.lib.data_adapter

# Ensure that the admission control plugin NodeRestriction is set (Automated)
# Ensure that the --insecure-bind-address argument is not set (Automated)
finding = result {
# filter
data_adapter.is_kube_apiserver

# evaluate
process_args := data_adapter.process_args
rule_evaluation := common.arg_values_contains(process_args, "--enable-admission-plugins", "NodeRestriction")
rule_evaluation := assert.is_false(common.contains_key(process_args, "--insecure-bind-address"))

# set result
result := {
Expand All @@ -21,10 +22,10 @@ finding = result {
}

metadata = {
"name": "Ensure that the admission control plugin NodeRestriction is set",
"description": "Using the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.",
"impact": "None",
"name": "Ensure that the --insecure-bind-address argument is not set",
"description": "The apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.",
"impact": "Connections to the API server will require valid authentication credentials.",
"tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.17", "API Server"]),
"benchmark": cis_k8s.benchmark_metadata,
"remediation": "Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction.",
"remediation": "Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the kubelet client certificate and key parameters",
}
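Review bot: The new `"description"`, `"impact"` and `"remediation"` strings in the second hunk describe certificate-based authentication of the apiserver to kubelets, but the rule now checks `common.contains_key(process_args, "--insecure-bind-address")` and the name is "Ensure that the --insecure-bind-address argument is not set"; the finding's text would send an operator to configure kubelet client certificates instead of removing the insecure bind address. The removed side of cis_1_2_18/rule.rego shows this text was attached to the insecure-bind-address rule before the renumbering, so the mismatch is inherited, but it is still wrong on the new side. Suggested remediation line: `"remediation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.",`; the description and impact should likewise be rewritten to state that binding the apiserver to an insecure address exposes unauthenticated, unencrypted access to the control plane, and that all clients must then use the secure port. The `metadata` object closes outside the hunk.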
7 changes: 2 additions & 5 deletions compliance/cis_k8s/rules/cis_1_2_17/test.rego
Expand Up @@ -4,14 +4,11 @@ import data.kubernetes_common.test_data
import data.lib.test

test_violation {
test.assert_fail(finding) with input as rule_input("")
test.assert_fail(finding) with input as rule_input("--enable-admission-plugins=AlwaysDeny")
test.assert_fail(finding) with input as rule_input("--enable-admission-plugins=NamespaceLifecycle,AlwaysDeny")
test.assert_fail(finding) with input as rule_input("--insecure-bind-address=")
}

test_pass {
test.assert_pass(finding) with input as rule_input("--enable-admission-plugins=NodeRestriction")
test.assert_pass(finding) with input as rule_input("--enable-admission-plugins=NamespaceLifecycle,NodeRestriction")
test.assert_pass(finding) with input as rule_input("")
}

test_not_evaluated {
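Review bot: `test_violation` now exercises only `--insecure-bind-address=` with an empty value, so the test does not show that the rule is a key-presence check independent of the value, which is what `common.contains_key` in cis_1_2_17/rule.rego implies. Adding a second case with a concrete address, e.g. `test.assert_fail(finding) with input as rule_input("--insecure-bind-address=127.0.0.1")` (constructed sample value), would document that contract and protect it if the helper ever changes to inspect values. The rest of the test file is outside the hunk.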
13 changes: 6 additions & 7 deletions compliance/cis_k8s/rules/cis_1_2_18/rule.rego
@@ -1,18 +1,17 @@
package compliance.cis_k8s.rules.cis_1_2_18

import data.compliance.cis_k8s
import data.compliance.lib.assert
import data.compliance.lib.common
import data.compliance.lib.data_adapter

# Ensure that the --insecure-bind-address argument is not set (Automated)
# Ensure that the --insecure-port argument is set to 0 (Automated)
finding = result {
# filter
data_adapter.is_kube_apiserver

# evaluate
process_args := data_adapter.process_args
rule_evaluation := assert.is_false(common.contains_key(process_args, "--insecure-bind-address"))
rule_evaluation := common.contains_key_with_value(process_args, "--insecure-port", "0")

# set result
result := {
Expand All @@ -22,10 +21,10 @@ finding = result {
}

metadata = {
"name": "Ensure that the --insecure-bind-address argument is not set",
"description": "The apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.",
"impact": "Connections to the API server will require valid authentication credentials.",
"name": "Ensure that the --insecure-port argument is set to 0",
"description": "Setting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.",
"impact": "All components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. Including kube-controller-manage, kube-proxy, kube-scheduler, kubelets",
"tags": array.concat(cis_k8s.default_tags, ["CIS 1.2.18", "API Server"]),
"benchmark": cis_k8s.benchmark_metadata,
"remediation": "Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the kubelet client certificate and key parameters",
"remediation": "Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set to --insecure-port=0.",
}
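Review bot: The new `"impact"` string reads `kube-controller-manage` and ends without a period, and the new `"remediation"` says `set to --insecure-port=0`; since these strings are rendered to users as finding text, suggest `... Including kube-controller-manager, kube-proxy, kube-scheduler, kubelets.` and `... on the master node and set --insecure-port=0.`. Note also that `common.contains_key_with_value(process_args, "--insecure-port", "0")` with `test_violation`'s `rule_input("")` case makes an absent flag a failure; that matches a literal reading of "set to 0", but on API servers that no longer expose or default this flag it would report a failure for a configuration with no insecure port, so it is worth confirming which benchmark/Kubernetes versions this rule targets. The `metadata` object is complete within the hunk.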
5 changes: 3 additions & 2 deletions compliance/cis_k8s/rules/cis_1_2_18/test.rego
Expand Up @@ -4,11 +4,12 @@ import data.kubernetes_common.test_data
import data.lib.test

test_violation {
test.assert_fail(finding) with input as rule_input("--insecure-bind-address=")
test.assert_fail(finding) with input as rule_input("")
test.assert_fail(finding) with input as rule_input("--insecure-port=8080")
}

test_pass {
test.assert_pass(finding) with input as rule_input("")
test.assert_pass(finding) with input as rule_input("--insecure-port=0")
}

test_not_evaluated {
