Skip to content

Commit

Permalink
Adapt policies.yaml
Browse files Browse the repository at this point in the history 
	- 5.1.11 typo in sub-resource name 'certificatesigningrequest' https://workbench.cisecurity.org/tickets/21352
	- 5.2.2 new audit to verify if a container is privileged or not. https://workbench.cisecurity.org/tickets/20919
	- 5.2.3 new audit to verify the presence of hostPID opt-in across all pods. https://workbench.cisecurity.org/tickets/20919
	- 5.2.4 new audit to verify the presence of hostIPC opt-in across all pods. https://workbench.cisecurity.org/tickets/20923
	- 5.2.5 new audit to verify the presence of hostNetwork opt-in across all pods. https://workbench.cisecurity.org/tickets/20921
	- 5.2.6 new audit to verify the presence of 'allowPrivilegeEscalation' to true across all pods' container(s)
	- 5.2.6 the 'allowPrivilegeEscalation' setting is moved from 'spec' to 'securityContext' https://workbench.cisecurity.org/tickets/20922
	- 5.2.9 new audit to verify the presence of added capabilities across all pods' container(s)
  • Loading branch information
@andypitcher
andypitcher committed Dec 25, 2024
1 parent f195197 commit eea3c6d
Showing 1 changed file with 162 additions and 7 deletions.
169 changes: 162 additions & 7 deletions cfg/cis-1.10/policies.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -192,7 +192,7 @@ groups:
text: "Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)"
type: "manual"
remediation: |
Where possible, remove access to the approval sub-resource of certificatesigningrequest objects.
Where possible, remove access to the approval sub-resource of certificatesigningrequests objects.
scored: false

- id: 5.1.12
Expand Down Expand Up @@ -222,42 +222,158 @@ groups:

- id: 5.2.2
text: "Minimize the admission of privileged containers (Manual)"
type: "manual"
audit: |
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
do
# Retrieve container(s) for each Pod.
kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o json | jq -c '.spec.containers[]' | while read -r container
do
# Retrieve container's name.
container_name=$(echo ${container} | jq -r '.name')
# Retrieve container's .securityContext.privileged value.
container_privileged=$(echo ${container} | jq -r '.securityContext.privileged' | sed -e 's/null/notset/g')
if [ "${container_privileged}" = "false" ] || [ "${container_privileged}" = "notset" ] ; then
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} is_container_privileged: ${container_privileged} is_compliant: true"
else
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} is_container_privileged: ${container_privileged} is_compliant: false"
fi
done
done
use_multiple_values: true
tests:
test_items:
- flag: "is_compliant"
compare:
op: eq
value: true
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of privileged containers.
Audit: the audit list all pods' containers to retrieve their .securityContext.privileged value.
Condition: is_compliant is false if container's `.securityContext.privileged` is set to `true`.
Default: by default, there are no restrictions on the creation of privileged containers.
scored: false

- id: 5.2.3
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
type: "manual"
audit: |
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
do
# Retrieve spec.hostPID for each pod.
pod_hostpid=$(kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o jsonpath='{.spec.hostPID}' 2>/dev/null)
if [ -z "${pod_hostpid}" ]; then
pod_hostpid="false"
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostpid: ${pod_hostpid} is_compliant: true"
else
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostpid: ${pod_hostpid} is_compliant: false"
fi
done
use_multiple_values: true
tests:
test_items:
- flag: "is_compliant"
compare:
op: eq
value: true
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostPID` containers.
Audit: the audit retrieves each Pod' spec.hostPID.
Condition: is_compliant is false if Pod's spec.hostPID is set to `true`.
Default: by default, there are no restrictions on the creation of hostPID containers.
scored: false

- id: 5.2.4
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
type: "manual"
audit: |
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
do
# Retrieve spec.hostIPC for each pod.
pod_hostipc=$(kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o jsonpath='{.spec.hostIPC}' 2>/dev/null)
if [ -z "${pod_hostipc}" ]; then
pod_hostipc="false"
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostipc: ${pod_hostipc} is_compliant: true"
else
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostipc: ${pod_hostipc} is_compliant: false"
fi
done
use_multiple_values: true
tests:
test_items:
- flag: "is_compliant"
compare:
op: eq
value: true
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostIPC` containers.
Audit: the audit retrieves each Pod' spec.IPC.
Condition: is_compliant is false if Pod's spec.hostIPC is set to `true`.
Default: by default, there are no restrictions on the creation of hostIPC containers.
scored: false

- id: 5.2.5
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
type: "manual"
audit: |
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
do
# Retrieve spec.hostNetwork for each pod.
pod_hostnetwork=$(kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o jsonpath='{.spec.hostNetwork}' 2>/dev/null)
if [ -z "${pod_hostnetwork}" ]; then
pod_hostnetwork="false"
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostnetwork: ${pod_hostnetwork} is_compliant: true"
else
echo "***pod_name: ${pod_name} pod_namespace: ${pod_namespace} is_pod_hostnetwork: ${pod_hostnetwork} is_compliant: false"
fi
done
use_multiple_values: true
tests:
test_items:
- flag: "is_compliant"
compare:
op: eq
value: true
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostNetwork` containers.
Audit: the audit retrieves each Pod' spec.hostNetwork.
Condition: is_compliant is false if Pod's spec.hostNetwork is set to `true`.
Default: by default, there are no restrictions on the creation of hostNetwork containers.
scored: false

- id: 5.2.6
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
type: "manual"
audit: |
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
do
# Retrieve container(s) for each Pod.
kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o json | jq -c '.spec.containers[]' | while read -r container
do
# Retrieve container's name
container_name=$(echo ${container} | jq -r '.name')
# Retrieve container's .securityContext.allowPrivilegeEscalation
container_allowprivesc=$(echo ${container} | jq -r '.securityContext.allowPrivilegeEscalation' | sed -e 's/null/notset/g')
if [ "${container_allowprivesc}" = "false" ] || [ "${container_allowprivesc}" = "notset" ]; then
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} is_container_allowprivesc: ${container_allowprivesc} is_compliant: true"
else
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} is_container_allowprivesc: ${container_allowprivesc} is_compliant: false"
fi
done
done
use_multiple_values: true
tests:
test_items:
- flag: "is_compliant"
compare:
op: eq
value: true
remediation: |
Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.
Audit: the audit retrieves each Pod's container(s) `.spec.allowPrivilegeEscalation`.
Condition: is_compliant is false if container's `.spec.allowPrivilegeEscalation` is set to `true`.
Default: If notset, privilege escalation is allowed (default to true). However if PSP/PSA is used with a `restricted` profile,
privilege escalation is explicitly disallowed unless configured otherwise.
scored: false

- id: 5.2.7
Expand All @@ -278,10 +394,49 @@ groups:

- id: 5.2.9
text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual"
audit: |
kubectl get pods --all-namespaces -o custom-columns=POD_NAME:.metadata.name,POD_NAMESPACE:.metadata.namespace --no-headers | while read -r pod_name pod_namespace
do
# Retrieve container(s) for each Pod.
kubectl get pod "${pod_name}" --namespace "${pod_namespace}" -o json | jq -c '.spec.containers[]' | while read -r container
do
# Retrieve container's name
container_name=$(echo ${container} | jq -r '.name')
# Retrieve container's added capabilities
container_caps_add=$(echo ${container} | jq -r '.securityContext.capabilities.add' | sed -e 's/null/notset/g')
# Set is_compliant to true by default.
is_compliant=true
caps_list=""
#
if [ "${container_caps_add}" != "notset" ]; then
# Loop through all caps and append caps_list, then set is_compliant to false.
for cap in $(echo "${container_caps_add}" | jq -r '.[]'); do
caps_list+="${cap},"
is_compliant=false
done
# Remove trailing comma for the last list member.
caps_list=${caps_list%,}
fi
if [ "${is_compliant}" = true ]; then
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} container_caps_add: ${container_caps_add} is_compliant: true"
else
echo "***pod_name: ${pod_name} container_name: ${container_name} pod_namespace: ${pod_namespace} container_caps_add: ${caps_list} is_compliant: false"
fi
done
done
use_multiple_values: true
tests:
test_items:
- flag: "is_compliant"
compare:
op: eq
value: true
remediation: |
Ensure that `allowedCapabilities` is not present in policies for the cluster unless
it is set to an empty array.
Audit: the audit retrieves each Pod's container(s) added capabilities.
Condition: is_compliant is false if added capabilities are added for a given container.
Default: Containers run with a default set of capabilities as assigned by the Container Runtime.
scored: false

- id: 5.2.10
Expand Down

0 comments on commit eea3c6d

Please sign in to comment.