OCP4 CIS: Re-add forgotten rules #10864

Merged (3 commits), Jul 19, 2023
@@ -63,7 +63,7 @@ warnings:
of rotation yourself

references:
cis@ocp4: 1.3.6
cis@ocp4: 4.2.11
nerc-cip: CIP-003-8 R4.2,CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R5.1,CIP-007-3 R6.1
nist: CM-6,CM-6(1),SC-8,SC-8(1)
pcidss: Req-2.2
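Review bot: the reference change from `cis@ocp4: 1.3.6` to `cis@ocp4: 4.2.11` in this hunk lines up with the section-4.yml change that adds `controller_rotate_kubelet_server_certs` to the control immediately before `- id: 4.2.12`, but the file header for this hunk is not shown in this view, so confirm the edited file is that rule's rule.yml and not a different rule that still legitimately maps to 1.3.6. The nerc-cip, nist and pcidss lines are untouched, which is expected since only the CIS benchmark numbering moved; a quick grep for any other rule still carrying `cis@ocp4: 1.3.6` would close the loop.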
@@ -31,7 +31,7 @@ platforms:
- (ocp4.9 or ocp4.10 or ocp4.11 or ocp4.12 or ocp4.13) and not ocp4-on-hypershift-hosted

references:
cis@ocp4: 4.2.10
cis@ocp4: 4.2.9
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
nist: SC-8,SC-8(1),SC-8(2)
pcidss: Req-2.2,Req-2.2.3,Req-2.3
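Review bot: renumbering `cis@ocp4: 4.2.10` to `cis@ocp4: 4.2.9` agrees with the section-4.yml hunk that adds `kubelet_configure_tls_key` to the control preceding `- id: 4.2.10`, so the rule reference and the control file now point at the same benchmark item. As with the previous hunk, the file name is cut off here; confirm this is the `kubelet_configure_tls_key` rule and that the sibling `kubelet_configure_tls_cert` rule carries the same `4.2.9` reference, otherwise the two halves of one control will report under different CIS ids.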
4 changes: 2 additions & 2 deletions controls/cis_ocp_1_4_0/section-1.yml
@@ -26,7 +26,7 @@ controls:
title: Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive
status: automated
rules:
- file_permissions_kube_apiserver
- file_permissions_kube_controller_manager
levels: level_1
- id: 1.1.4
title: Ensure that the controller manager pod specification file ownership is set to root:root
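Review bot: control 1.1.3 (controller manager pod specification file permissions) was wired to `file_permissions_kube_apiserver`, the API server rule, so a scan could mark this control as passing while the controller manager manifest itself had loose permissions; replacing it with `file_permissions_kube_controller_manager` fixes the mismatch. Because this looks like a copy-paste slip and the neighbouring entries are outside the hunk, also check that control 1.1.1 still maps the API server manifest to `file_permissions_kube_apiserver` and that 1.1.4 (ownership) points at the controller manager rule rather than the apiserver one.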
@@ -39,7 +39,7 @@ controls:
title: Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive
status: automated
rules:
- file_permissions_kube_scheduler
- file_permissions_scheduler
levels: level_1
- id: 1.1.6
title: Ensure that the scheduler pod specification file ownership is set to root:root
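Review bot: the replacement id `file_permissions_scheduler` drops the `kube_` prefix used by the other rules touched in this PR (`file_permissions_kube_apiserver`, `file_permissions_kube_controller_manager`), so either `file_permissions_kube_scheduler` never existed and control 1.1.5 was silently unresolved, or this is an unintended rename. Confirm that a rule directory named `file_permissions_scheduler` actually exists in the tree, and check that the ownership counterpart for control 1.1.6 uses the same naming so the two scheduler controls stay consistent; a one-line commit message note explaining the prefix difference would save the next reader the same question.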
4 changes: 4 additions & 0 deletions controls/cis_ocp_1_4_0/section-4.yml
@@ -47,6 +47,8 @@ controls:
rules:
- file_groupowner_kubelet_conf
- file_owner_kubelet_conf
#- file_groupowner_kubelet
- file_owner_kubelet
Collaborator Author
@Vincent056 Are these rules still valid? We have file_owner_kubelet that seems reasonable, but file_groupowner_kubelet is missing despite having been used in the original CIS profile. Should we drop the rules or re-add the group one?

Contributor
It looks like we were missing that one; let's keep this one here and re-add the group one.

levels: level_1
- id: 4.1.7
title: Ensure that the certificate authorities file permissions are set to 644 or more restrictive
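Review bot: `#- file_groupowner_kubelet` leaves a commented-out rule id inside the `rules:` list, which is the kind of line that is easy to forget; the thread on that line agrees the group-ownership rule should come back, so either uncomment it in this PR once the rule is re-added, or drop the comment and track the gap in an issue. As committed, this control only checks user ownership via `file_owner_kubelet`, so a kubelet file owned by root but with a non-root group would pass even though the ownership controls in this benchmark (see the 1.1.4 and 1.1.6 titles in section-1.yml) expect root:root.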
@@ -135,6 +137,7 @@ controls:
status: automated
rules:
- kubelet_configure_tls_cert
- kubelet_configure_tls_key
levels: level_1
- id: 4.2.10
title: Ensure that the --rotate-certificates argument is not set to false
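Review bot: adding `kubelet_configure_tls_key` next to `kubelet_configure_tls_cert` in the control that precedes `- id: 4.2.10` (so 4.2.9) makes the control cover both halves of the kubelet serving-certificate pair; before this change only the certificate setting was checked, so a kubelet with the cert configured but no matching private key setting would have passed. This is consistent with the `cis@ocp4: 4.2.9` reference change in the rule file earlier in the PR. The `- id: 4.2.9` line itself is above the hunk and not shown, so double-check the rule landed under that control and not under the preceding one.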
@@ -148,6 +151,7 @@ controls:
status: automated
rules:
- kubelet_enable_server_cert_rotation
- controller_rotate_kubelet_server_certs
levels: level_1
- id: 4.2.12
title: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
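Review bot: `controller_rotate_kubelet_server_certs` is added beside `kubelet_enable_server_cert_rotation` in the control before `- id: 4.2.12` (4.2.11), matching the `cis@ocp4: 4.2.11` reference change earlier in the PR. Judging by the rule names, the control now checks both the kubelet-side rotation setting and the controller-manager side that the rotation depends on, so a cluster where the kubelet requests rotation but the controller manager is not configured for it no longer passes on the kubelet setting alone. As with the previous hunk, the `- id: 4.2.11` line is outside the shown context; confirm the rule is under that control and not under 4.2.10.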