--- /srv/rebuilderd/tmp/rebuilderdbvKKOP/inputs/ssg-applications_0.1.76-1_all.deb
+++ /srv/rebuilderd/tmp/rebuilderdbvKKOP/out/ssg-applications_0.1.76-1_all.deb
├── file list
│ @@ -1,3 +1,3 @@
│ -rw-r--r-- 0 0 0 4 2025-03-01 08:08:00.000000 debian-binary
│ --rw-r--r-- 0 0 0 1724 2025-03-01 08:08:00.000000 control.tar.xz
│ --rw-r--r-- 0 0 0 151816 2025-03-01 08:08:00.000000 data.tar.xz
│ +-rw-r--r-- 0 0 0 1728 2025-03-01 08:08:00.000000 control.tar.xz
│ +-rw-r--r-- 0 0 0 151772 2025-03-01 08:08:00.000000 data.tar.xz
├── control.tar.xz
│ ├── control.tar
│ │ ├── ./md5sums
│ │ │ ├── ./md5sums
│ │ │ │┄ Files differ
├── data.tar.xz
│ ├── data.tar
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ds.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ds.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -2548,447 +2548,447 @@
│ │ │ │
│ │ │ │ build_shorthand.py from SCAP Security Guide
│ │ │ │ ssg: 0.1.76
│ │ │ │ 2.0
│ │ │ │ 2025-03-01T08:08:00
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Data Synchronization to Google
│ │ │ │ -
│ │ │ │ - ocil:ssg-chromium_disable_google_sync_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Disable the 3D Graphics APIs
│ │ │ │ -
│ │ │ │ - ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Disable Use of Cleartext Passwords
│ │ │ │ +
│ │ │ │ + Enable the Default Search Provider
│ │ │ │
│ │ │ │ - ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1
│ │ │ │ + ocil:ssg-chromium_default_search_provider_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Block Plugins by Default
│ │ │ │
│ │ │ │ ocil:ssg-chromium_default_block_plugins_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable 3rd Party Cookies
│ │ │ │ +
│ │ │ │ + Disable the 3D Graphics APIs
│ │ │ │
│ │ │ │ - ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1
│ │ │ │ + ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Prevent Desktop Notifications
│ │ │ │ +
│ │ │ │ + Disable Background Processing
│ │ │ │
│ │ │ │ - ocil:ssg-chromium_block_desktop_notifications_action:testaction:1
│ │ │ │ + ocil:ssg-chromium_disable_background_processing_action:testaction:1
│ │ │ │ +
│ │ │ │ +
│ │ │ │ +
│ │ │ │
│ │ │ │ Disable Chromium's Ability to Traverse Firewalls
│ │ │ │
│ │ │ │ ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that data synchronization is disabled, run the following command:
│ │ │ │ -$ grep SyncDisabled /etc/chromium/policies/managed/*.json
│ │ │ │ +
│ │ │ │ + To verify that users cannot change the default search provider, run the following command:
│ │ │ │ +$ grep DefaultSearchProviderEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ -"SyncDisabled": true,
│ │ │ │ - Is it the case that it is not disabled?
│ │ │ │ +"DefaultSearchProviderEnabled": true,
│ │ │ │ + Is it the case that it is not enabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To verify that plugins cannot run automatically, run the following command:
│ │ │ │ +$ grep DefaultPluginsSetting /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"DefaultPluginsSetting": 3,
│ │ │ │ + Is it the case that it is not set correctly?
│ │ │ │
│ │ │ │
│ │ │ │ To verify that 3D graphics are disabled, run the following command:
│ │ │ │ $ grep Disable3DAPIs /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ "Disable3DAPIs": true,
│ │ │ │ Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that the use of cleartext passwords is disabled, run the following command:
│ │ │ │ -$ grep PasswordManagerAllowShowPasswords /etc/chromium/policies/managed/*.json
│ │ │ │ +
│ │ │ │ + To verify that background processing is disabled, run the following command:
│ │ │ │ +$ grep BackgroundModeEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ -"PasswordManagerAllowShowPasswords": false,
│ │ │ │ - Is it the case that use of cleartext passwords are not disabled?
│ │ │ │ +"BackgroundModeEnabled": false,
│ │ │ │ + Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that plugins cannot run automatically, run the following command:
│ │ │ │ -$ grep DefaultPluginsSetting /etc/chromium/policies/managed/*.json
│ │ │ │ +
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that third party cookies are disabled, run the following command:
│ │ │ │ -$ grep BlockThirdPartyCookies /etc/chromium/policies/managed/*.json
│ │ │ │ +
│ │ │ │ + To verify that Chromium's abililty to traverse the system firewall is
│ │ │ │ +disabled, run the following command:
│ │ │ │ +$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ -"BlockThirdPartyCookies": true,
│ │ │ │ +"RemoteAccessHostFirewallTraversal": false,
│ │ │ │ Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ +
│ │ │ │ + To verify that the defaut home page is set, run the following command:
│ │ │ │ +$ grep HomepageLocation /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"HomepageLocation": "",
│ │ │ │ + Is it the case that it is not set correctly?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To verify that the HTTP Authentication Scheme is set, run the following command:
│ │ │ │ +$ grep AuthSchemes /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"AuthSchemes": "",
│ │ │ │ + Is it the case that it is not set?
│ │ │ │ +
│ │ │ │
│ │ │ │ To verify that desktop notification is
│ │ │ │ disabled, run the following command:
│ │ │ │ $ grep DefaultNotificationsSetting /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ "DefaultNotificationsSetting": 2,
│ │ │ │ Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that Chromium's abililty to traverse the system firewall is
│ │ │ │ -disabled, run the following command:
│ │ │ │ -$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json
│ │ │ │ +
│ │ │ │ + To verify that search suggestion is disabled, run the following command:
│ │ │ │ +$ grep SearchSuggestEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ -"RemoteAccessHostFirewallTraversal": false,
│ │ │ │ +"SearchSuggestEnabled": false,
│ │ │ │ Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
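Review bot: Every change in this hunk is a reordering of the OCIL questionnaire and test-action elements (diffoscope tags it "Ordering differences only" at L19), so two builds of ssg 0.1.76 from identical inputs yield different data.tar.xz bytes and different md5sums (L6–L9, L14), and the package cannot be verified against a published hash. The generator named in the header, `build_shorthand.py`, is the likely place where an unordered collection is iterated before serialisation; that is an inference from the pattern, not something the hunk shows. Emitting the elements in a stable order, e.g. `for q in sorted(questionnaires, key=lambda q: q.id):` before writing them out, would remove the nondeterminism; if set iteration is the cause, relying on a fixed `PYTHONHASHSEED` alone is not a dependable fix because it does not make iteration order part of the format.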
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ocil.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ocil.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -3,447 +3,447 @@
│ │ │ │
│ │ │ │ build_shorthand.py from SCAP Security Guide
│ │ │ │ ssg: 0.1.76
│ │ │ │ 2.0
│ │ │ │ 2025-03-01T08:08:00
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Data Synchronization to Google
│ │ │ │ -
│ │ │ │ - ocil:ssg-chromium_disable_google_sync_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Disable the 3D Graphics APIs
│ │ │ │ -
│ │ │ │ - ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Disable Use of Cleartext Passwords
│ │ │ │ +
│ │ │ │ + Enable the Default Search Provider
│ │ │ │
│ │ │ │ - ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1
│ │ │ │ + ocil:ssg-chromium_default_search_provider_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Block Plugins by Default
│ │ │ │
│ │ │ │ ocil:ssg-chromium_default_block_plugins_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable 3rd Party Cookies
│ │ │ │ +
│ │ │ │ + Disable the 3D Graphics APIs
│ │ │ │
│ │ │ │ - ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1
│ │ │ │ + ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Prevent Desktop Notifications
│ │ │ │ +
│ │ │ │ + Disable Background Processing
│ │ │ │
│ │ │ │ - ocil:ssg-chromium_block_desktop_notifications_action:testaction:1
│ │ │ │ + ocil:ssg-chromium_disable_background_processing_action:testaction:1
│ │ │ │ +
│ │ │ │ +
│ │ │ │ +
│ │ │ │
│ │ │ │ Disable Chromium's Ability to Traverse Firewalls
│ │ │ │
│ │ │ │ ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that data synchronization is disabled, run the following command:
│ │ │ │ -$ grep SyncDisabled /etc/chromium/policies/managed/*.json
│ │ │ │ +
│ │ │ │ + To verify that users cannot change the default search provider, run the following command:
│ │ │ │ +$ grep DefaultSearchProviderEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ -"SyncDisabled": true,
│ │ │ │ - Is it the case that it is not disabled?
│ │ │ │ +"DefaultSearchProviderEnabled": true,
│ │ │ │ + Is it the case that it is not enabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To verify that plugins cannot run automatically, run the following command:
│ │ │ │ +$ grep DefaultPluginsSetting /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"DefaultPluginsSetting": 3,
│ │ │ │ + Is it the case that it is not set correctly?
│ │ │ │
│ │ │ │
│ │ │ │ To verify that 3D graphics are disabled, run the following command:
│ │ │ │ $ grep Disable3DAPIs /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ "Disable3DAPIs": true,
│ │ │ │ Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that the use of cleartext passwords is disabled, run the following command:
│ │ │ │ -$ grep PasswordManagerAllowShowPasswords /etc/chromium/policies/managed/*.json
│ │ │ │ +
│ │ │ │ + To verify that background processing is disabled, run the following command:
│ │ │ │ +$ grep BackgroundModeEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ -"PasswordManagerAllowShowPasswords": false,
│ │ │ │ - Is it the case that use of cleartext passwords are not disabled?
│ │ │ │ +"BackgroundModeEnabled": false,
│ │ │ │ + Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that plugins cannot run automatically, run the following command:
│ │ │ │ -$ grep DefaultPluginsSetting /etc/chromium/policies/managed/*.json
│ │ │ │ +
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that third party cookies are disabled, run the following command:
│ │ │ │ -$ grep BlockThirdPartyCookies /etc/chromium/policies/managed/*.json
│ │ │ │ +
│ │ │ │ + To verify that Chromium's abililty to traverse the system firewall is
│ │ │ │ +disabled, run the following command:
│ │ │ │ +$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ -"BlockThirdPartyCookies": true,
│ │ │ │ +"RemoteAccessHostFirewallTraversal": false,
│ │ │ │ Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ +
│ │ │ │ + To verify that the defaut home page is set, run the following command:
│ │ │ │ +$ grep HomepageLocation /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"HomepageLocation": "",
│ │ │ │ + Is it the case that it is not set correctly?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To verify that the HTTP Authentication Scheme is set, run the following command:
│ │ │ │ +$ grep AuthSchemes /etc/chromium/policies/managed/*.json
│ │ │ │ +The output should contain:
│ │ │ │ +"AuthSchemes": "",
│ │ │ │ + Is it the case that it is not set?
│ │ │ │ +
│ │ │ │
│ │ │ │ To verify that desktop notification is
│ │ │ │ disabled, run the following command:
│ │ │ │ $ grep DefaultNotificationsSetting /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ "DefaultNotificationsSetting": 2,
│ │ │ │ Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that Chromium's abililty to traverse the system firewall is
│ │ │ │ -disabled, run the following command:
│ │ │ │ -$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json
│ │ │ │ +
│ │ │ │ + To verify that search suggestion is disabled, run the following command:
│ │ │ │ +$ grep SearchSuggestEnabled /etc/chromium/policies/managed/*.json
│ │ │ │ The output should contain:
│ │ │ │ -"RemoteAccessHostFirewallTraversal": false,
│ │ │ │ +"SearchSuggestEnabled": false,
│ │ │ │ Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │
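Review bot: The added check text at L412–L424 tells the auditor that the output should contain `"HomepageLocation": "",` and `"AuthSchemes": "",` — an empty expected value — so the manual check is unverifiable as written, and someone following it literally would accept any homepage or any authentication scheme list. This looks like a value that was meant to be substituted at build time and was not; the hunk does not show the source, so treat that as a guess. The text should either carry the resolved value or state explicitly that the value is organisation-defined, e.g. `The output should contain the organisation-approved value for "AuthSchemes"; an empty or missing value is a finding.`. Separately, `grep AuthSchemes` (L421) only proves the key exists, which the question `Is it the case that it is not set?` (L424) does not reflect.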
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ds.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ds.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -2175,305 +2175,305 @@
│ │ │ │
│ │ │ │ build_shorthand.py from SCAP Security Guide
│ │ │ │ ssg: 0.1.76
│ │ │ │ 2.0
│ │ │ │ 2025-03-01T08:08:00
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Minimize user access to Amazon ECR
│ │ │ │ +
│ │ │ │ + kubelet - Enable Server Certificate Rotation
│ │ │ │
│ │ │ │ - ocil:ssg-registry_access_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Use Dedicated Service Accounts
│ │ │ │ +
│ │ │ │ + Ensure Network Policy is Enabled
│ │ │ │
│ │ │ │ - ocil:ssg-dedicated_service_accounts_action:testaction:1
│ │ │ │ + ocil:ssg-configure_network_policy_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Enable Protect Kernel Defaults
│ │ │ │ +
│ │ │ │ + Verify Group Who Owns The Kubelet Configuration File
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1
│ │ │ │ + ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify Permissions on the Worker Kubeconfig File
│ │ │ │ +
│ │ │ │ + Verify User Who Owns The Kubelet Configuration File
│ │ │ │
│ │ │ │ - ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1
│ │ │ │ + ocil:ssg-file_owner_kubelet_conf_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure Audit Logging is Enabled
│ │ │ │ +
│ │ │ │ + Verify Group Who Owns The Worker Kubeconfig File
│ │ │ │
│ │ │ │ - ocil:ssg-audit_logging_action:testaction:1
│ │ │ │ + ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Ensure that the --read-only-port is secured
│ │ │ │ +
│ │ │ │ + kubelet - Do Not Disable Streaming Timeouts
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_read_only_port_secured_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure Private Endpoint Access
│ │ │ │ +
│ │ │ │ + Verify Permissions on The Kubelet Configuration File
│ │ │ │
│ │ │ │ - ocil:ssg-endpoint_configuration_action:testaction:1
│ │ │ │ + ocil:ssg-file_permissions_kubelet_conf_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure Kubernetes Secrets are Encrypted
│ │ │ │ +
│ │ │ │ + Minimize user access to Amazon ECR
│ │ │ │
│ │ │ │ - ocil:ssg-secret_encryption_action:testaction:1
│ │ │ │ + ocil:ssg-registry_access_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Allow Automatic Firewall Configuration
│ │ │ │ +
│ │ │ │ + Ensure Kubernetes Secrets are Encrypted
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1
│ │ │ │ + ocil:ssg-secret_encryption_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify User Who Owns The Worker Kubeconfig File
│ │ │ │ +
│ │ │ │ + Ensure authorization is set to Webhook
│ │ │ │
│ │ │ │ - ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_authorization_mode_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Enable Server Certificate Rotation
│ │ │ │ +
│ │ │ │ + Disable Anonymous Authentication to the Kubelet
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_anonymous_auth_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify Group Who Owns The Kubelet Configuration File
│ │ │ │ +
│ │ │ │ + kubelet - Ensure that the --read-only-port is secured
│ │ │ │
│ │ │ │ - ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_read_only_port_secured_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Consider Fargate for Untrusted Workloads
│ │ │ │ +
│ │ │ │ + Restrict Access to the Control Plane Endpoint
│ │ │ │
│ │ │ │ - ocil:ssg-fargate_action:testaction:1
│ │ │ │ + ocil:ssg-control_plane_access_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Ensure that application Namespaces have Network Policies defined.
│ │ │ │
│ │ │ │ ocil:ssg-configure_network_policies_namespaces_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify Group Who Owns The Worker Kubeconfig File
│ │ │ │ +
│ │ │ │ + Consider Fargate for Untrusted Workloads
│ │ │ │
│ │ │ │ - ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1
│ │ │ │ + ocil:ssg-fargate_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Anonymous Authentication to the Kubelet
│ │ │ │ +
│ │ │ │ + kubelet - Do Not Disable Streaming Timeouts
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_anonymous_auth_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Manage Users with AWS IAM
│ │ │ │ +
│ │ │ │ + Verify Permissions on the Worker Kubeconfig File
│ │ │ │
│ │ │ │ - ocil:ssg-iam_integration_action:testaction:1
│ │ │ │ + ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Ensure Cluster Private Nodes
│ │ │ │
│ │ │ │ ocil:ssg-private_nodes_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ kubelet - Configure the Client CA Certificate
│ │ │ │
│ │ │ │ ocil:ssg-kubelet_configure_client_ca_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure authorization is set to Webhook
│ │ │ │ -
│ │ │ │ - ocil:ssg-kubelet_authorization_mode_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Encrypt Traffic to Load Balancers and Workloads
│ │ │ │ +
│ │ │ │ + kubelet - Enable Client Certificate Rotation
│ │ │ │
│ │ │ │ - ocil:ssg-configure_tls_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure Network Policy is Enabled
│ │ │ │ +
│ │ │ │ + Manage Users with AWS IAM
│ │ │ │
│ │ │ │ - ocil:ssg-configure_network_policy_action:testaction:1
│ │ │ │ + ocil:ssg-iam_integration_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify User Who Owns The Kubelet Configuration File
│ │ │ │ +
│ │ │ │ + kubelet - Allow Automatic Firewall Configuration
│ │ │ │
│ │ │ │ - ocil:ssg-file_owner_kubelet_conf_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Only use approved container registries
│ │ │ │ +
│ │ │ │ + Encrypt Traffic to Load Balancers and Workloads
│ │ │ │
│ │ │ │ - ocil:ssg-approved_registries_action:testaction:1
│ │ │ │ + ocil:ssg-configure_tls_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Do Not Disable Streaming Timeouts
│ │ │ │ +
│ │ │ │ + Ensure Private Endpoint Access
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1
│ │ │ │ + ocil:ssg-endpoint_configuration_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure Image Vulnerability Scanning
│ │ │ │ +
│ │ │ │ + Use Dedicated Service Accounts
│ │ │ │
│ │ │ │ - ocil:ssg-image_scanning_action:testaction:1
│ │ │ │ + ocil:ssg-dedicated_service_accounts_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Ensure Cluster Service Account with read-only access to Amazon ECR
│ │ │ │
│ │ │ │ ocil:ssg-read_only_registry_access_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Enable Certificate Rotation
│ │ │ │ +
│ │ │ │ + Ensure Audit Logging is Enabled
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1
│ │ │ │ + ocil:ssg-audit_logging_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Do Not Disable Streaming Timeouts
│ │ │ │ +
│ │ │ │ + Ensure Image Vulnerability Scanning
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1
│ │ │ │ + ocil:ssg-image_scanning_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Enable Client Certificate Rotation
│ │ │ │ +
│ │ │ │ + Verify User Who Owns The Worker Kubeconfig File
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1
│ │ │ │ + ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify Permissions on The Kubelet Configuration File
│ │ │ │ +
│ │ │ │ + kubelet - Enable Protect Kernel Defaults
│ │ │ │
│ │ │ │ - ocil:ssg-file_permissions_kubelet_conf_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Restrict Access to the Control Plane Endpoint
│ │ │ │ +
│ │ │ │ + Only use approved container registries
│ │ │ │
│ │ │ │ - ocil:ssg-control_plane_access_action:testaction:1
│ │ │ │ + ocil:ssg-approved_registries_action:testaction:1
│ │ │ │ +
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + kubelet - Enable Certificate Rotation
│ │ │ │ +
│ │ │ │ + ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
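Review bot: Two questionnaires on the new side carry the identical title `kubelet - Do Not Disable Streaming Timeouts` but point at different test actions — `ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1` (L507–L510) and `ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1` (L594–L597) — so an auditor working from the rendered title list cannot tell the deprecated variant from the current one. The title of the deprecated one should say so, e.g. `kubelet - Do Not Disable Streaming Timeouts (deprecated flag)`, with the exact wording taken from the rule description, which is outside this hunk. The reordering itself is the same reproducibility defect as in the chromium datastreams of this package: the 28 questionnaire ids removed and the 28 added are the same set, only in a different order.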
│ │ │ │ @@ -2481,31 +2481,31 @@
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ @@ -2521,120 +2521,184 @@
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
│ │ │ │ +The output should return true.
│ │ │ │ + Is it the case that the kubelet cannot rotate server certificate?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Network Policy requires the Network Policy add-on. This add-on is included
│ │ │ │ +automatically when a cluster with Network Policy is created, but for an
│ │ │ │ +existing cluster, needs to be added prior to enabling Network Policy.
│ │ │ │ +
│ │ │ │ +Enabling/Disabling Network Policy causes a rolling update of all cluster
│ │ │ │ +nodes, similar to performing a cluster upgrade. This operation is
│ │ │ │ +long-running and will block other operations on the cluster (including
│ │ │ │ +delete) until it has run to completion.
│ │ │ │ +
│ │ │ │ +If Network Policy is used, a cluster must have at least 2 nodes of type
│ │ │ │ +n1-standard-1 or higher. The recommended minimum size cluster to run
│ │ │ │ +Network Policy enforcement is 3 n1-standard-1 instances.
│ │ │ │ +
│ │ │ │ +Enabling Network Policy enforcement consumes additional resources in nodes.
│ │ │ │ +Specifically, it increases the memory footprint of the kube-system
│ │ │ │ +process by approximately 128MB, and requires approximately 300 millicores of
│ │ │ │ +CPU.
│ │ │ │ + Is it the case that network policy is enabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following group-owner:
│ │ │ │ +root
│ │ │ │ + Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following owner:
│ │ │ │ +root
│ │ │ │ + Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To check the group ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │ +If properly configured, the output should indicate the following group-owner:
│ │ │ │ +root
│ │ │ │ + Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +The output should return {{ .var_streaming_connection_timeouts }}.
│ │ │ │ + Is it the case that the streaming connection timeouts are not disabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To check the permissions of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -l /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following permissions:
│ │ │ │ +-rw-r--r--
│ │ │ │ + Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have unix mode -rw-r--r--?
│ │ │ │ +
│ │ │ │
│ │ │ │ Remediation:
│ │ │ │
│ │ │ │ Before you use IAM to manage access to Amazon ECR, you should understand what
│ │ │ │ IAM features are available to use with Amazon ECR. To get a high-level view
│ │ │ │ of how Amazon ECR and other AWS services work with IAM, see AWS Services That
│ │ │ │ Work with IAM in the IAM User Guide.
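Review bot: The added check text at L1070–L1073 ships an unexpanded template placeholder — `The output should return {{ .var_streaming_connection_timeouts }}.` — so the auditor is told to compare the kubelet's `streamingConnectionIdleTimeout` against a literal template string and the check cannot be performed as written. The value has to be resolved at build time, or the sentence should state the intent directly, e.g. `The output should show a non-zero streamingConnectionIdleTimeout; a value of 0 disables the timeout.`; the 0-disables semantics is taken from the rule title rather than from this hunk, so confirm it against the rule. The check at L1020–L1021 uses `oc get nodes` and `oc get --raw` inside an EKS datastream; whether that CLI is expected on EKS worker hosts is not something this hunk shows. The questions at L1043 (`Is it the case that network policy is enabled?`) and L1073 (`...are not disabled?`) are phrased in the opposite polarity to the other added questions, which all ask about the failing state (L1051, L1059, L1067, L1081), so a "yes" answer would be recorded inconsistently across the questionnaire.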
│ │ │ │ @@ -2724,154 +2788,122 @@
│ │ │ │ condition keys. For more information, see Using Tag-Based Access Control. To
│ │ │ │ see a list of Amazon ECR condition keys, see Condition Keys Defined by Amazon
│ │ │ │ Elastic Container Registry in the IAM User Guide. To learn with which actions
│ │ │ │ and resources you can use a condition key, see Actions Defined by Amazon
│ │ │ │ Elastic Container Registry.
│ │ │ │ Is it the case that access to the container image registry is restricted?
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │ Audit:
│ │ │ │
│ │ │ │ -For each namespace in the cluster, review the rights assigned to the default
│ │ │ │ -service account and ensure that it has no roles or cluster roles bound to it
│ │ │ │ -apart from the defaults. Additionally ensure that the
│ │ │ │ -automountServiceAccountToken: false setting is in place for each
│ │ │ │ -default service account.
│ │ │ │ +For Amazon EKS clusters with Secrets Encryption enabled, look for
│ │ │ │ +'encryptionConfig' configuration when you run:
│ │ │ │ +aws eks describe-cluster --name="cluster-name"
│ │ │ │
│ │ │ │ Remediation:
│ │ │ │
│ │ │ │ -With IAM roles for service accounts on Amazon EKS clusters, you can associate
│ │ │ │ -an IAM role with a Kubernetes service account. This service account can then
│ │ │ │ -provide AWS permissions to the containers in any pod that uses that service
│ │ │ │ -account. With this feature, you no longer need to provide extended
│ │ │ │ -permissions to the worker node IAM role so that pods on that node can call
│ │ │ │ -AWS APIs.
│ │ │ │ -Applications must sign their AWS API requests with AWS credentials. This
│ │ │ │ -feature provides a strategy for managing credentials for your applications,
│ │ │ │ -similar to the way that Amazon EC2 instance profiles provide credentials to
│ │ │ │ -Amazon EC2 instances. Instead of creating and distributing your AWS
│ │ │ │ -credentials to the containers or using the Amazon EC2 instance’s role, you
│ │ │ │ -can associate an IAM role with a Kubernetes service account. The applications
│ │ │ │ -in the pod’s containers can then use an AWS SDK or the AWS CLI to make API
│ │ │ │ -requests to authorized AWS services.
│ │ │ │ -
│ │ │ │ -The IAM roles for service accounts feature provides the following benefits:
│ │ │ │ -
│ │ │ │ +Enable 'Secrets Encryption' during Amazon EKS cluster creation as
│ │ │ │ +described in the links within the 'References' section.
│ │ │ │
│ │ │ │ - Least privilege — By using the IAM roles for service accounts feature,
│ │ │ │ - you no longer need to provide extended permissions to the worker node IAM
│ │ │ │ - role so that pods on that node can call AWS APIs. You can scope IAM
│ │ │ │ - permissions to a service account, and only pods that use that service
│ │ │ │ - account have access to those permissions. This feature also eliminates the
│ │ │ │ - need for third-party solutions such as kiam or kube2iam.
│ │ │ │ - Credential isolation — A container can only retrieve credentials for
│ │ │ │ - the IAM role that is associated with the service account to which it
│ │ │ │ - belongs. A container never has access to credentials that are intended for
│ │ │ │ - another container that belongs to another pod.
│ │ │ │ - Auditability — Access and event logging is available through CloudTrail
│ │ │ │ - to help ensure retrospective auditing.
│ │ │ │ +References:
│ │ │ │
│ │ │ │ + https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html
│ │ │ │ + https://eksworkshop.com/beginner/191_secrets/
│ │ │ │
│ │ │ │ -To get started, see Enabling IAM roles for service accounts on your cluster.
│ │ │ │ -For an end-to-end walkthrough using eksctl, see Walkthrough: Updating
│ │ │ │ -a DaemonSet to use IAM for service accounts.
│ │ │ │ - Is it the case that dedicated service accounts are used?
│ │ │ │ + Is it the case that kubernetes secrets are encrypted in etcd?
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │ Run the following command on the kubelet node(s):
│ │ │ │ -$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -The output should return true.
│ │ │ │ - Is it the case that the kubelet can modify kernel parameters?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To check the permissions of /var/lib/kubelet/kubeconfig,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -l /var/lib/kubelet/kubeconfig
│ │ │ │ -If properly configured, the output should indicate the following permissions:
│ │ │ │ --rw-r--r--
│ │ │ │ - Is it the case that /var/lib/kubelet/kubeconfig does not have unix mode -rw-r--r--?
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
│ │ │ │ +Verify that the output is not set to mode: AlwaysAllow, or missing
│ │ │ │ +(defaults to mode: Webhook).
│ │ │ │ + Is it the case that <tt>authorization-mode</tt> is not configured to <tt>Webhook</tt>?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ -Via the Management Console
│ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ -2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ -3. Click Logging
│ │ │ │ -4. Ensure all 5 choices are set to Enabled
│ │ │ │ -Via CLI
│ │ │ │ -aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}" --query 'cluster.logging.clusterLogging[?enabled==true].types'
│ │ │ │ -
│ │ │ │ -Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ -Via The Management Console
│ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ -2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ -3. Click Logging
│ │ │ │ -4. Select Manage Logging from the button on the right hand side
│ │ │ │ -5. Toggle each selection to the Enabled position.
│ │ │ │ -6. Click Save Changes
│ │ │ │ - Is it the case that audit logging is enable?
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
│ │ │ │ +The output should return enabled: false.
│ │ │ │ + Is it the case that <tt>anonymous</tt> authentication is not set to <tt>false</tt>?
│ │ │ │
│ │ │ │
│ │ │ │ Run the following command on the kubelet node(s):
│ │ │ │ $ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done
│ │ │ │ and make sure it outputs 0.
│ │ │ │ Is it the case that readOnlyPort is not secured?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Configure the EKS cluster endpoint to be private. See Modifying Cluster
│ │ │ │ -Endpoint Access for further information on this topic.
│ │ │ │ -https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
│ │ │ │ - Is it the case that private access is enabled and public access is disabled?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ +
│ │ │ │ Audit:
│ │ │ │ +Input:
│ │ │ │
│ │ │ │ -For Amazon EKS clusters with Secrets Encryption enabled, look for
│ │ │ │ -'encryptionConfig' configuration when you run:
│ │ │ │ -aws eks describe-cluster --name="cluster-name"
│ │ │ │ +aws eks describe-cluster \
│ │ │ │ +--region region \
│ │ │ │ +--name clustername
│ │ │ │ +Output:
│ │ │ │ +...
│ │ │ │ +"endpointPublicAccess": false,
│ │ │ │ +"endpointPrivateAccess": true,
│ │ │ │ +"publicAccessCidrs": [
│ │ │ │ +"203.0.113.5/32"
│ │ │ │ +]
│ │ │ │ +...
│ │ │ │
│ │ │ │ Remediation:
│ │ │ │ +Complete the following steps using the AWS CLI version 1.18.10 or later. You
│ │ │ │ +can check your current version with aws --version. To install or
│ │ │ │ +upgrade the AWS CLI, see Installing the AWS CLI.
│ │ │ │
│ │ │ │ -Enable 'Secrets Encryption' during Amazon EKS cluster creation as
│ │ │ │ -described in the links within the 'References' section.
│ │ │ │ +Update your cluster API server endpoint access with the following AWS CLI
│ │ │ │ +command. Substitute your cluster name and desired endpoint access values. If
│ │ │ │ +you set endpointPublicAccess=true, then you can (optionally) enter
│ │ │ │ +single CIDR block, or a comma- separated list of CIDR blocks for
│ │ │ │ +publicAccessCidrs. The blocks cannot include reserved addresses. If you
│ │ │ │ +specify CIDR blocks, then the public API server endpoint will only receive
│ │ │ │ +requests from the listed blocks. There is a maximum number of CIDR blocks
│ │ │ │ +that you can specify. For more information, see Amazon EKS Service Quotas. If
│ │ │ │ +you restrict access to your public endpoint using CIDR blocks, it is
│ │ │ │ +recommended that you also enable private endpoint access so that worker nodes
│ │ │ │ +and Fargate pods (if you use them) can communicate with the cluster. Without
│ │ │ │ +the private endpoint enabled, your public access endpoint CIDR sources must
│ │ │ │ +include the egress sources from your VPC. For example, if you have a worker
│ │ │ │ +node in a private subnet that communicates to the internet through a NAT
│ │ │ │ +Gateway, you will need to add the outbound IP address of the NAT gateway as
│ │ │ │ +part of a whitelisted CIDR block on your public endpoint. If you specify no
│ │ │ │ +CIDR blocks, then the public API server endpoint receives requests from all
│ │ │ │ +(0.0.0.0/0) IP addresses.
│ │ │ │
│ │ │ │ -References:
│ │ │ │ +Note
│ │ │ │ +The following command enables private access and public access from a single IP address
│ │ │ │ +for the API server endpoint. Replace 203.0.113.5/32 with a single CIDR block, or a comma-
│ │ │ │ +separated list of CIDR blocks that you want to restrict network access to.
│ │ │ │
│ │ │ │ - https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html
│ │ │ │ - https://eksworkshop.com/beginner/191_secrets/
│ │ │ │ +Example command:
│ │ │ │
│ │ │ │ - Is it the case that kubernetes secrets are encrypted in etcd?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains
│ │ │ │ -The output should return true.
│ │ │ │ - Is it the case that the kubelet cannot modify the firewall settings?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To check the ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │ -If properly configured, the output should indicate the following owner:
│ │ │ │ -root
│ │ │ │ - Is it the case that /var/lib/kubelet/kubeconfig does not have an owner of root?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
│ │ │ │ -The output should return true.
│ │ │ │ - Is it the case that the kubelet cannot rotate server certificate?
│ │ │ │ +aws eks update-cluster-config \
│ │ │ │ +--region region-code \
│ │ │ │ +--name dev \
│ │ │ │ +--resources-vpc-config \
│ │ │ │ +endpointPublicAccess=true, \
│ │ │ │ +publicAccessCidrs="203.0.113.5/32",\
│ │ │ │ +endpointPrivateAccess=true
│ │ │ │ + Is it the case that the control plane endpoint is secure?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -If properly configured, the output should indicate the following group-owner:
│ │ │ │ -root
│ │ │ │ - Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root?
│ │ │ │ +
│ │ │ │ + Verify that the every non-control plane namespace has an appropriate
│ │ │ │ +NetworkPolicy.
│ │ │ │ +
│ │ │ │ +To get all the non-control plane namespaces, you can do the
│ │ │ │ +following command $ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
│ │ │ │ +
│ │ │ │ +To get all the non-control plane namespaces with a NetworkPolicy, you can do the
│ │ │ │ +following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
│ │ │ │ +
│ │ │ │ +Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
│ │ │ │ +
│ │ │ │ +Make sure that the namespaces displayed in the commands of the commands match.
│ │ │ │ + Is it the case that Namespaced Network Policies needs review?
│ │ │ │
│ │ │ │
│ │ │ │ Audit:
│ │ │ │ Check the existence of Fargate profiles in the Amazon EKS cluster by using:
│ │ │ │
│ │ │ │ aws --region ${AWS_REGION} eks list-fargate-profiles --cluster-name ${CLUSTER_NAME}
│ │ │ │ Alternatively, to audit for the presence of a Fargate profile node run the
│ │ │ │ @@ -2933,42 +2965,48 @@
│ │ │ │ the specified namespace that also have the infrastructure: fargate
│ │ │ │ Kubernetes label match the selector.
│ │ │ │ On the Review and create page, review the information for your Fargate
│ │ │ │ profile and choose Create.
│ │ │ │
│ │ │ │ Is it the case that untrusted workloads are isolated?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify that the every non-control plane namespace has an appropriate
│ │ │ │ -NetworkPolicy.
│ │ │ │ -
│ │ │ │ -To get all the non-control plane namespaces, you can do the
│ │ │ │ -following command $ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
│ │ │ │ -
│ │ │ │ -To get all the non-control plane namespaces with a NetworkPolicy, you can do the
│ │ │ │ -following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
│ │ │ │ -
│ │ │ │ -Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
│ │ │ │ -
│ │ │ │ -Make sure that the namespaces displayed in the commands of the commands match.
│ │ │ │ - Is it the case that Namespaced Network Policies needs review?
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
│ │ │ │ +The output should not return 0.
│ │ │ │ + Is it the case that the streaming connection timeouts are not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To check the group ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │ +
│ │ │ │ + To check the permissions of /var/lib/kubelet/kubeconfig,
│ │ │ │ run the command:
│ │ │ │ -$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │ -If properly configured, the output should indicate the following group-owner:
│ │ │ │ -root
│ │ │ │ - Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root?
│ │ │ │ +$ ls -l /var/lib/kubelet/kubeconfig
│ │ │ │ +If properly configured, the output should indicate the following permissions:
│ │ │ │ +-rw-r--r--
│ │ │ │ + Is it the case that /var/lib/kubelet/kubeconfig does not have unix mode -rw-r--r--?
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │ + To enable Private Nodes, the cluster has to also be configured with a private
│ │ │ │ +master IP range and IP Aliasing enabled. Private Nodes do not have outbound
│ │ │ │ +access to the public internet.
│ │ │ │ +
│ │ │ │ +If you want to provide outbound Internet access for your private nodes, you
│ │ │ │ +can use Cloud NAT or you can manage your own NAT gateway.
│ │ │ │ + Is it the case that clusters are created with private nodes?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
│ │ │ │ -The output should return enabled: false.
│ │ │ │ - Is it the case that <tt>anonymous</tt> authentication is not set to <tt>false</tt>?
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
│ │ │ │ +The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt.
│ │ │ │ + Is it the case that no client CA certificate has been configured?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
│ │ │ │ +The output should return nothing or true.
│ │ │ │ + Is it the case that the kubelet cannot rotate client certificate?
│ │ │ │
│ │ │ │
│ │ │ │ Audit:
│ │ │ │
│ │ │ │ To Audit access to the namespace $NAMESPACE, assume the IAM role
│ │ │ │ yourIAMRoleName for a user that you created, and then run the following
│ │ │ │ command:
│ │ │ │ @@ -2980,109 +3018,80 @@
│ │ │ │
│ │ │ │ Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS
│ │ │ │ documentation.
│ │ │ │
│ │ │ │ https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
│ │ │ │ Is it the case that authorization and authentication is managed using AWS IAM?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To enable Private Nodes, the cluster has to also be configured with a private
│ │ │ │ -master IP range and IP Aliasing enabled. Private Nodes do not have outbound
│ │ │ │ -access to the public internet.
│ │ │ │ -
│ │ │ │ -If you want to provide outbound Internet access for your private nodes, you
│ │ │ │ -can use Cloud NAT or you can manage your own NAT gateway.
│ │ │ │ - Is it the case that clusters are created with private nodes?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
│ │ │ │ -The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt.
│ │ │ │ - Is it the case that no client CA certificate has been configured?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ +
│ │ │ │ Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
│ │ │ │ -Verify that the output is not set to mode: AlwaysAllow, or missing
│ │ │ │ -(defaults to mode: Webhook).
│ │ │ │ - Is it the case that <tt>authorization-mode</tt> is not configured to <tt>Webhook</tt>?
│ │ │ │ +$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains
│ │ │ │ +The output should return true.
│ │ │ │ + Is it the case that the kubelet cannot modify the firewall settings?
│ │ │ │
│ │ │ │
│ │ │ │ For more information about protecting your workloads using TLS please refer
│ │ │ │ to the AWS User Guide:
│ │ │ │
│ │ │ │ https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html
│ │ │ │ Is it the case that connections to load balancers and workloads are encrypted with TLS?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Network Policy requires the Network Policy add-on. This add-on is included
│ │ │ │ -automatically when a cluster with Network Policy is created, but for an
│ │ │ │ -existing cluster, needs to be added prior to enabling Network Policy.
│ │ │ │ -
│ │ │ │ -Enabling/Disabling Network Policy causes a rolling update of all cluster
│ │ │ │ -nodes, similar to performing a cluster upgrade. This operation is
│ │ │ │ -long-running and will block other operations on the cluster (including
│ │ │ │ -delete) until it has run to completion.
│ │ │ │ -
│ │ │ │ -If Network Policy is used, a cluster must have at least 2 nodes of type
│ │ │ │ -n1-standard-1 or higher. The recommended minimum size cluster to run
│ │ │ │ -Network Policy enforcement is 3 n1-standard-1 instances.
│ │ │ │ -
│ │ │ │ -Enabling Network Policy enforcement consumes additional resources in nodes.
│ │ │ │ -Specifically, it increases the memory footprint of the kube-system
│ │ │ │ -process by approximately 128MB, and requires approximately 300 millicores of
│ │ │ │ -CPU.
│ │ │ │ - Is it the case that network policy is enabled?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -If properly configured, the output should indicate the following owner:
│ │ │ │ -root
│ │ │ │ - Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root?
│ │ │ │ +
│ │ │ │ + Configure the EKS cluster endpoint to be private. See Modifying Cluster
│ │ │ │ +Endpoint Access for further information on this topic.
│ │ │ │ +https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
│ │ │ │ + Is it the case that private access is enabled and public access is disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure all containers and images are coming from approved registries.
│ │ │ │ -
│ │ │ │ -References:
│ │ │ │ +
│ │ │ │ + Audit:
│ │ │ │
│ │ │ │ -https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/
│ │ │ │ - Is it the case that container images come from approved registries?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
│ │ │ │ -The output should not return 0.
│ │ │ │ - Is it the case that the streaming connection timeouts are not disabled?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Please follow AWS ECS or your 3rd party image scanning provider's guidelines
│ │ │ │ -for enabling Image Scanning.
│ │ │ │ +For each namespace in the cluster, review the rights assigned to the default
│ │ │ │ +service account and ensure that it has no roles or cluster roles bound to it
│ │ │ │ +apart from the defaults. Additionally ensure that the
│ │ │ │ +automountServiceAccountToken: false setting is in place for each
│ │ │ │ +default service account.
│ │ │ │
│ │ │ │ Remediation:
│ │ │ │
│ │ │ │ -To utilize AWS ECR for Image scanning please follow the steps below:
│ │ │ │ +With IAM roles for service accounts on Amazon EKS clusters, you can associate
│ │ │ │ +an IAM role with a Kubernetes service account. This service account can then
│ │ │ │ +provide AWS permissions to the containers in any pod that uses that service
│ │ │ │ +account. With this feature, you no longer need to provide extended
│ │ │ │ +permissions to the worker node IAM role so that pods on that node can call
│ │ │ │ +AWS APIs.
│ │ │ │ +Applications must sign their AWS API requests with AWS credentials. This
│ │ │ │ +feature provides a strategy for managing credentials for your applications,
│ │ │ │ +similar to the way that Amazon EC2 instance profiles provide credentials to
│ │ │ │ +Amazon EC2 instances. Instead of creating and distributing your AWS
│ │ │ │ +credentials to the containers or using the Amazon EC2 instance’s role, you
│ │ │ │ +can associate an IAM role with a Kubernetes service account. The applications
│ │ │ │ +in the pod’s containers can then use an AWS SDK or the AWS CLI to make API
│ │ │ │ +requests to authorized AWS services.
│ │ │ │
│ │ │ │ -To create a repository configured for scan on push (AWS CLI)
│ │ │ │ +The IAM roles for service accounts feature provides the following benefits:
│ │ │ │
│ │ │ │ -aws ecr create-repository --repository-name $REPO_NAME --image-scanning- configuration scanOnPush=true --region $REGION_CODE
│ │ │ │
│ │ │ │ -To edit the settings of an existing repository (AWS CLI)
│ │ │ │ + Least privilege — By using the IAM roles for service accounts feature,
│ │ │ │ + you no longer need to provide extended permissions to the worker node IAM
│ │ │ │ + role so that pods on that node can call AWS APIs. You can scope IAM
│ │ │ │ + permissions to a service account, and only pods that use that service
│ │ │ │ + account have access to those permissions. This feature also eliminates the
│ │ │ │ + need for third-party solutions such as kiam or kube2iam.
│ │ │ │ + Credential isolation — A container can only retrieve credentials for
│ │ │ │ + the IAM role that is associated with the service account to which it
│ │ │ │ + belongs. A container never has access to credentials that are intended for
│ │ │ │ + another container that belongs to another pod.
│ │ │ │ + Auditability — Access and event logging is available through CloudTrail
│ │ │ │ + to help ensure retrospective auditing.
│ │ │ │
│ │ │ │ -aws ecr put-image-scanning-configuration --repository-name $REPO_NAME -- image-scanning-configuration scanOnPush=true --region $REGION_CODE
│ │ │ │
│ │ │ │ -Use the following steps to start a manual image scan using the AWS Management Console.
│ │ │ │ -
│ │ │ │ -1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
│ │ │ │ -2. From the navigation bar, choose the Region to create your repository in.
│ │ │ │ -3. In the navigation pane, choose Repositories.
│ │ │ │ -4. On the Repositories page, choose the repository that contains the image to scan.
│ │ │ │ -5. On the Images page, select the image to scan and then choose Scan.
│ │ │ │ - Is it the case that image vulnerability scanning is enabled?
│ │ │ │ +To get started, see Enabling IAM roles for service accounts on your cluster.
│ │ │ │ +For an end-to-end walkthrough using eksctl, see Walkthrough: Updating
│ │ │ │ +a DaemonSet to use IAM for service accounts.
│ │ │ │ + Is it the case that dedicated service accounts are used?
│ │ │ │
│ │ │ │
│ │ │ │ Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions
│ │ │ │ to verify that they are set and the minimum required level. If utilizing a
│ │ │ │ 3rd party tool to scan images utilize the minimum required permission level
│ │ │ │ required to interact with the cluster - generally this should be read-only.
│ │ │ │
│ │ │ │ @@ -3109,95 +3118,86 @@
│ │ │ │ "Resource": "*"
│ │ │ │ }
│ │ │ │ ]
│ │ │ │ }
│ │ │ │
│ │ │ │ Is it the case that Cluster Service Account has read-only access to Amazon ECR?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
│ │ │ │ -The output should return nothing or true.
│ │ │ │ - Is it the case that the kubelet cannot rotate client certificate?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -The output should return {{ .var_streaming_connection_timeouts }}.
│ │ │ │ - Is it the case that the streaming connection timeouts are not disabled?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
│ │ │ │ -The output should return nothing or true.
│ │ │ │ - Is it the case that the kubelet cannot rotate client certificate?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To check the permissions of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -l /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -If properly configured, the output should indicate the following permissions:
│ │ │ │ --rw-r--r--
│ │ │ │ - Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have unix mode -rw-r--r--?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Audit:
│ │ │ │ -Input:
│ │ │ │ +
│ │ │ │ + Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ +Via the Management Console
│ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ +2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ +3. Click Logging
│ │ │ │ +4. Ensure all 5 choices are set to Enabled
│ │ │ │ +Via CLI
│ │ │ │ +aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}" --query 'cluster.logging.clusterLogging[?enabled==true].types'
│ │ │ │
│ │ │ │ -aws eks describe-cluster \
│ │ │ │ ---region region \
│ │ │ │ ---name clustername
│ │ │ │ -Output:
│ │ │ │ -...
│ │ │ │ -"endpointPublicAccess": false,
│ │ │ │ -"endpointPrivateAccess": true,
│ │ │ │ -"publicAccessCidrs": [
│ │ │ │ -"203.0.113.5/32"
│ │ │ │ -]
│ │ │ │ -...
│ │ │ │ +Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ +Via The Management Console
│ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ +2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ +3. Click Logging
│ │ │ │ +4. Select Manage Logging from the button on the right hand side
│ │ │ │ +5. Toggle each selection to the Enabled position.
│ │ │ │ +6. Click Save Changes
│ │ │ │ + Is it the case that audit logging is enable?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Please follow AWS ECS or your 3rd party image scanning provider's guidelines
│ │ │ │ +for enabling Image Scanning.
│ │ │ │
│ │ │ │ Remediation:
│ │ │ │ -Complete the following steps using the AWS CLI version 1.18.10 or later. You
│ │ │ │ -can check your current version with aws --version. To install or
│ │ │ │ -upgrade the AWS CLI, see Installing the AWS CLI.
│ │ │ │
│ │ │ │ -Update your cluster API server endpoint access with the following AWS CLI
│ │ │ │ -command. Substitute your cluster name and desired endpoint access values. If
│ │ │ │ -you set endpointPublicAccess=true, then you can (optionally) enter
│ │ │ │ -single CIDR block, or a comma- separated list of CIDR blocks for
│ │ │ │ -publicAccessCidrs. The blocks cannot include reserved addresses. If you
│ │ │ │ -specify CIDR blocks, then the public API server endpoint will only receive
│ │ │ │ -requests from the listed blocks. There is a maximum number of CIDR blocks
│ │ │ │ -that you can specify. For more information, see Amazon EKS Service Quotas. If
│ │ │ │ -you restrict access to your public endpoint using CIDR blocks, it is
│ │ │ │ -recommended that you also enable private endpoint access so that worker nodes
│ │ │ │ -and Fargate pods (if you use them) can communicate with the cluster. Without
│ │ │ │ -the private endpoint enabled, your public access endpoint CIDR sources must
│ │ │ │ -include the egress sources from your VPC. For example, if you have a worker
│ │ │ │ -node in a private subnet that communicates to the internet through a NAT
│ │ │ │ -Gateway, you will need to add the outbound IP address of the NAT gateway as
│ │ │ │ -part of a whitelisted CIDR block on your public endpoint. If you specify no
│ │ │ │ -CIDR blocks, then the public API server endpoint receives requests from all
│ │ │ │ -(0.0.0.0/0) IP addresses.
│ │ │ │ +To utilize AWS ECR for Image scanning please follow the steps below:
│ │ │ │
│ │ │ │ -Note
│ │ │ │ -The following command enables private access and public access from a single IP address
│ │ │ │ -for the API server endpoint. Replace 203.0.113.5/32 with a single CIDR block, or a comma-
│ │ │ │ -separated list of CIDR blocks that you want to restrict network access to.
│ │ │ │ +To create a repository configured for scan on push (AWS CLI)
│ │ │ │
│ │ │ │ -Example command:
│ │ │ │ +aws ecr create-repository --repository-name $REPO_NAME --image-scanning- configuration scanOnPush=true --region $REGION_CODE
│ │ │ │
│ │ │ │ -aws eks update-cluster-config \
│ │ │ │ ---region region-code \
│ │ │ │ ---name dev \
│ │ │ │ ---resources-vpc-config \
│ │ │ │ -endpointPublicAccess=true, \
│ │ │ │ -publicAccessCidrs="203.0.113.5/32",\
│ │ │ │ -endpointPrivateAccess=true
│ │ │ │ - Is it the case that the control plane endpoint is secure?
│ │ │ │ +To edit the settings of an existing repository (AWS CLI)
│ │ │ │ +
│ │ │ │ +aws ecr put-image-scanning-configuration --repository-name $REPO_NAME -- image-scanning-configuration scanOnPush=true --region $REGION_CODE
│ │ │ │ +
│ │ │ │ +Use the following steps to start a manual image scan using the AWS Management Console.
│ │ │ │ +
│ │ │ │ +1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
│ │ │ │ +2. From the navigation bar, choose the Region to create your repository in.
│ │ │ │ +3. In the navigation pane, choose Repositories.
│ │ │ │ +4. On the Repositories page, choose the repository that contains the image to scan.
│ │ │ │ +5. On the Images page, select the image to scan and then choose Scan.
│ │ │ │ + Is it the case that image vulnerability scanning is enabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To check the ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │ +If properly configured, the output should indicate the following owner:
│ │ │ │ +root
│ │ │ │ + Is it the case that /var/lib/kubelet/kubeconfig does not have an owner of root?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +The output should return true.
│ │ │ │ + Is it the case that the kubelet can modify kernel parameters?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Ensure all containers and images are coming from approved registries.
│ │ │ │ +
│ │ │ │ +References:
│ │ │ │ +
│ │ │ │ +https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/
│ │ │ │ + Is it the case that container images come from approved registries?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
│ │ │ │ +The output should return nothing or true.
│ │ │ │ + Is it the case that the kubelet cannot rotate client certificate?
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ocil.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ocil.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -3,305 +3,305 @@
│ │ │ │
│ │ │ │ build_shorthand.py from SCAP Security Guide
│ │ │ │ ssg: 0.1.76
│ │ │ │ 2.0
│ │ │ │ 2025-03-01T08:08:00
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Minimize user access to Amazon ECR
│ │ │ │ +
│ │ │ │ + kubelet - Enable Server Certificate Rotation
│ │ │ │
│ │ │ │ - ocil:ssg-registry_access_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Use Dedicated Service Accounts
│ │ │ │ +
│ │ │ │ + Ensure Network Policy is Enabled
│ │ │ │
│ │ │ │ - ocil:ssg-dedicated_service_accounts_action:testaction:1
│ │ │ │ + ocil:ssg-configure_network_policy_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Enable Protect Kernel Defaults
│ │ │ │ +
│ │ │ │ + Verify Group Who Owns The Kubelet Configuration File
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1
│ │ │ │ + ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify Permissions on the Worker Kubeconfig File
│ │ │ │ +
│ │ │ │ + Verify User Who Owns The Kubelet Configuration File
│ │ │ │
│ │ │ │ - ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1
│ │ │ │ + ocil:ssg-file_owner_kubelet_conf_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure Audit Logging is Enabled
│ │ │ │ +
│ │ │ │ + Verify Group Who Owns The Worker Kubeconfig File
│ │ │ │
│ │ │ │ - ocil:ssg-audit_logging_action:testaction:1
│ │ │ │ + ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Ensure that the --read-only-port is secured
│ │ │ │ +
│ │ │ │ + kubelet - Do Not Disable Streaming Timeouts
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_read_only_port_secured_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure Private Endpoint Access
│ │ │ │ +
│ │ │ │ + Verify Permissions on The Kubelet Configuration File
│ │ │ │
│ │ │ │ - ocil:ssg-endpoint_configuration_action:testaction:1
│ │ │ │ + ocil:ssg-file_permissions_kubelet_conf_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure Kubernetes Secrets are Encrypted
│ │ │ │ +
│ │ │ │ + Minimize user access to Amazon ECR
│ │ │ │
│ │ │ │ - ocil:ssg-secret_encryption_action:testaction:1
│ │ │ │ + ocil:ssg-registry_access_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Allow Automatic Firewall Configuration
│ │ │ │ +
│ │ │ │ + Ensure Kubernetes Secrets are Encrypted
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1
│ │ │ │ + ocil:ssg-secret_encryption_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify User Who Owns The Worker Kubeconfig File
│ │ │ │ +
│ │ │ │ + Ensure authorization is set to Webhook
│ │ │ │
│ │ │ │ - ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_authorization_mode_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Enable Server Certificate Rotation
│ │ │ │ +
│ │ │ │ + Disable Anonymous Authentication to the Kubelet
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_anonymous_auth_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify Group Who Owns The Kubelet Configuration File
│ │ │ │ +
│ │ │ │ + kubelet - Ensure that the --read-only-port is secured
│ │ │ │
│ │ │ │ - ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_read_only_port_secured_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Consider Fargate for Untrusted Workloads
│ │ │ │ +
│ │ │ │ + Restrict Access to the Control Plane Endpoint
│ │ │ │
│ │ │ │ - ocil:ssg-fargate_action:testaction:1
│ │ │ │ + ocil:ssg-control_plane_access_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Ensure that application Namespaces have Network Policies defined.
│ │ │ │
│ │ │ │ ocil:ssg-configure_network_policies_namespaces_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify Group Who Owns The Worker Kubeconfig File
│ │ │ │ +
│ │ │ │ + Consider Fargate for Untrusted Workloads
│ │ │ │
│ │ │ │ - ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1
│ │ │ │ + ocil:ssg-fargate_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Anonymous Authentication to the Kubelet
│ │ │ │ +
│ │ │ │ + kubelet - Do Not Disable Streaming Timeouts
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_anonymous_auth_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Manage Users with AWS IAM
│ │ │ │ +
│ │ │ │ + Verify Permissions on the Worker Kubeconfig File
│ │ │ │
│ │ │ │ - ocil:ssg-iam_integration_action:testaction:1
│ │ │ │ + ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Ensure Cluster Private Nodes
│ │ │ │
│ │ │ │ ocil:ssg-private_nodes_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ kubelet - Configure the Client CA Certificate
│ │ │ │
│ │ │ │ ocil:ssg-kubelet_configure_client_ca_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure authorization is set to Webhook
│ │ │ │ -
│ │ │ │ - ocil:ssg-kubelet_authorization_mode_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Encrypt Traffic to Load Balancers and Workloads
│ │ │ │ +
│ │ │ │ + kubelet - Enable Client Certificate Rotation
│ │ │ │
│ │ │ │ - ocil:ssg-configure_tls_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure Network Policy is Enabled
│ │ │ │ +
│ │ │ │ + Manage Users with AWS IAM
│ │ │ │
│ │ │ │ - ocil:ssg-configure_network_policy_action:testaction:1
│ │ │ │ + ocil:ssg-iam_integration_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify User Who Owns The Kubelet Configuration File
│ │ │ │ +
│ │ │ │ + kubelet - Allow Automatic Firewall Configuration
│ │ │ │
│ │ │ │ - ocil:ssg-file_owner_kubelet_conf_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Only use approved container registries
│ │ │ │ +
│ │ │ │ + Encrypt Traffic to Load Balancers and Workloads
│ │ │ │
│ │ │ │ - ocil:ssg-approved_registries_action:testaction:1
│ │ │ │ + ocil:ssg-configure_tls_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Do Not Disable Streaming Timeouts
│ │ │ │ +
│ │ │ │ + Ensure Private Endpoint Access
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1
│ │ │ │ + ocil:ssg-endpoint_configuration_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure Image Vulnerability Scanning
│ │ │ │ +
│ │ │ │ + Use Dedicated Service Accounts
│ │ │ │
│ │ │ │ - ocil:ssg-image_scanning_action:testaction:1
│ │ │ │ + ocil:ssg-dedicated_service_accounts_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Ensure Cluster Service Account with read-only access to Amazon ECR
│ │ │ │
│ │ │ │ ocil:ssg-read_only_registry_access_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Enable Certificate Rotation
│ │ │ │ +
│ │ │ │ + Ensure Audit Logging is Enabled
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1
│ │ │ │ + ocil:ssg-audit_logging_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Do Not Disable Streaming Timeouts
│ │ │ │ +
│ │ │ │ + Ensure Image Vulnerability Scanning
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1
│ │ │ │ + ocil:ssg-image_scanning_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - kubelet - Enable Client Certificate Rotation
│ │ │ │ +
│ │ │ │ + Verify User Who Owns The Worker Kubeconfig File
│ │ │ │
│ │ │ │ - ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1
│ │ │ │ + ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify Permissions on The Kubelet Configuration File
│ │ │ │ +
│ │ │ │ + kubelet - Enable Protect Kernel Defaults
│ │ │ │
│ │ │ │ - ocil:ssg-file_permissions_kubelet_conf_action:testaction:1
│ │ │ │ + ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Restrict Access to the Control Plane Endpoint
│ │ │ │ +
│ │ │ │ + Only use approved container registries
│ │ │ │
│ │ │ │ - ocil:ssg-control_plane_access_action:testaction:1
│ │ │ │ + ocil:ssg-approved_registries_action:testaction:1
│ │ │ │ +
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + kubelet - Enable Certificate Rotation
│ │ │ │ +
│ │ │ │ + ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ @@ -309,31 +309,31 @@
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ @@ -349,120 +349,184 @@
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
│ │ │ │ +The output should return true.
│ │ │ │ + Is it the case that the kubelet cannot rotate server certificate?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Network Policy requires the Network Policy add-on. This add-on is included
│ │ │ │ +automatically when a cluster with Network Policy is created, but for an
│ │ │ │ +existing cluster, needs to be added prior to enabling Network Policy.
│ │ │ │ +
│ │ │ │ +Enabling/Disabling Network Policy causes a rolling update of all cluster
│ │ │ │ +nodes, similar to performing a cluster upgrade. This operation is
│ │ │ │ +long-running and will block other operations on the cluster (including
│ │ │ │ +delete) until it has run to completion.
│ │ │ │ +
│ │ │ │ +If Network Policy is used, a cluster must have at least 2 nodes of type
│ │ │ │ +n1-standard-1 or higher. The recommended minimum size cluster to run
│ │ │ │ +Network Policy enforcement is 3 n1-standard-1 instances.
│ │ │ │ +
│ │ │ │ +Enabling Network Policy enforcement consumes additional resources in nodes.
│ │ │ │ +Specifically, it increases the memory footprint of the kube-system
│ │ │ │ +process by approximately 128MB, and requires approximately 300 millicores of
│ │ │ │ +CPU.
│ │ │ │ + Is it the case that network policy is enabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following group-owner:
│ │ │ │ +root
│ │ │ │ + Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following owner:
│ │ │ │ +root
│ │ │ │ + Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To check the group ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │ +If properly configured, the output should indicate the following group-owner:
│ │ │ │ +root
│ │ │ │ + Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +The output should return {{ .var_streaming_connection_timeouts }}.
│ │ │ │ + Is it the case that the streaming connection timeouts are not disabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To check the permissions of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -l /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +If properly configured, the output should indicate the following permissions:
│ │ │ │ +-rw-r--r--
│ │ │ │ + Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have unix mode -rw-r--r--?
│ │ │ │ +
│ │ │ │
│ │ │ │ Remediation:
│ │ │ │
│ │ │ │ Before you use IAM to manage access to Amazon ECR, you should understand what
│ │ │ │ IAM features are available to use with Amazon ECR. To get a high-level view
│ │ │ │ of how Amazon ECR and other AWS services work with IAM, see AWS Services That
│ │ │ │ Work with IAM in the IAM User Guide.
│ │ │ │ @@ -552,154 +616,122 @@
│ │ │ │ condition keys. For more information, see Using Tag-Based Access Control. To
│ │ │ │ see a list of Amazon ECR condition keys, see Condition Keys Defined by Amazon
│ │ │ │ Elastic Container Registry in the IAM User Guide. To learn with which actions
│ │ │ │ and resources you can use a condition key, see Actions Defined by Amazon
│ │ │ │ Elastic Container Registry.
│ │ │ │ Is it the case that access to the container image registry is restricted?
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │ Audit:
│ │ │ │
│ │ │ │ -For each namespace in the cluster, review the rights assigned to the default
│ │ │ │ -service account and ensure that it has no roles or cluster roles bound to it
│ │ │ │ -apart from the defaults. Additionally ensure that the
│ │ │ │ -automountServiceAccountToken: false setting is in place for each
│ │ │ │ -default service account.
│ │ │ │ +For Amazon EKS clusters with Secrets Encryption enabled, look for
│ │ │ │ +'encryptionConfig' configuration when you run:
│ │ │ │ +aws eks describe-cluster --name="cluster-name"
│ │ │ │
│ │ │ │ Remediation:
│ │ │ │
│ │ │ │ -With IAM roles for service accounts on Amazon EKS clusters, you can associate
│ │ │ │ -an IAM role with a Kubernetes service account. This service account can then
│ │ │ │ -provide AWS permissions to the containers in any pod that uses that service
│ │ │ │ -account. With this feature, you no longer need to provide extended
│ │ │ │ -permissions to the worker node IAM role so that pods on that node can call
│ │ │ │ -AWS APIs.
│ │ │ │ -Applications must sign their AWS API requests with AWS credentials. This
│ │ │ │ -feature provides a strategy for managing credentials for your applications,
│ │ │ │ -similar to the way that Amazon EC2 instance profiles provide credentials to
│ │ │ │ -Amazon EC2 instances. Instead of creating and distributing your AWS
│ │ │ │ -credentials to the containers or using the Amazon EC2 instance’s role, you
│ │ │ │ -can associate an IAM role with a Kubernetes service account. The applications
│ │ │ │ -in the pod’s containers can then use an AWS SDK or the AWS CLI to make API
│ │ │ │ -requests to authorized AWS services.
│ │ │ │ -
│ │ │ │ -The IAM roles for service accounts feature provides the following benefits:
│ │ │ │ -
│ │ │ │ +Enable 'Secrets Encryption' during Amazon EKS cluster creation as
│ │ │ │ +described in the links within the 'References' section.
│ │ │ │
│ │ │ │ - Least privilege — By using the IAM roles for service accounts feature,
│ │ │ │ - you no longer need to provide extended permissions to the worker node IAM
│ │ │ │ - role so that pods on that node can call AWS APIs. You can scope IAM
│ │ │ │ - permissions to a service account, and only pods that use that service
│ │ │ │ - account have access to those permissions. This feature also eliminates the
│ │ │ │ - need for third-party solutions such as kiam or kube2iam.
│ │ │ │ - Credential isolation — A container can only retrieve credentials for
│ │ │ │ - the IAM role that is associated with the service account to which it
│ │ │ │ - belongs. A container never has access to credentials that are intended for
│ │ │ │ - another container that belongs to another pod.
│ │ │ │ - Auditability — Access and event logging is available through CloudTrail
│ │ │ │ - to help ensure retrospective auditing.
│ │ │ │ +References:
│ │ │ │
│ │ │ │ + https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html
│ │ │ │ + https://eksworkshop.com/beginner/191_secrets/
│ │ │ │
│ │ │ │ -To get started, see Enabling IAM roles for service accounts on your cluster.
│ │ │ │ -For an end-to-end walkthrough using eksctl, see Walkthrough: Updating
│ │ │ │ -a DaemonSet to use IAM for service accounts.
│ │ │ │ - Is it the case that dedicated service accounts are used?
│ │ │ │ + Is it the case that kubernetes secrets are encrypted in etcd?
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │ Run the following command on the kubelet node(s):
│ │ │ │ -$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -The output should return true.
│ │ │ │ - Is it the case that the kubelet can modify kernel parameters?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To check the permissions of /var/lib/kubelet/kubeconfig,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -l /var/lib/kubelet/kubeconfig
│ │ │ │ -If properly configured, the output should indicate the following permissions:
│ │ │ │ --rw-r--r--
│ │ │ │ - Is it the case that /var/lib/kubelet/kubeconfig does not have unix mode -rw-r--r--?
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
│ │ │ │ +Verify that the output is not set to mode: AlwaysAllow, or missing
│ │ │ │ +(defaults to mode: Webhook).
│ │ │ │ + Is it the case that <tt>authorization-mode</tt> is not configured to <tt>Webhook</tt>?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ -Via the Management Console
│ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ -2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ -3. Click Logging
│ │ │ │ -4. Ensure all 5 choices are set to Enabled
│ │ │ │ -Via CLI
│ │ │ │ -aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}" --query 'cluster.logging.clusterLogging[?enabled==true].types'
│ │ │ │ -
│ │ │ │ -Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ -Via The Management Console
│ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ -2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ -3. Click Logging
│ │ │ │ -4. Select Manage Logging from the button on the right hand side
│ │ │ │ -5. Toggle each selection to the Enabled position.
│ │ │ │ -6. Click Save Changes
│ │ │ │ - Is it the case that audit logging is enable?
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
│ │ │ │ +The output should return enabled: false.
│ │ │ │ + Is it the case that <tt>anonymous</tt> authentication is not set to <tt>false</tt>?
│ │ │ │
│ │ │ │
│ │ │ │ Run the following command on the kubelet node(s):
│ │ │ │ $ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done
│ │ │ │ and make sure it outputs 0.
│ │ │ │ Is it the case that readOnlyPort is not secured?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Configure the EKS cluster endpoint to be private. See Modifying Cluster
│ │ │ │ -Endpoint Access for further information on this topic.
│ │ │ │ -https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
│ │ │ │ - Is it the case that private access is enabled and public access is disabled?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ +
│ │ │ │ Audit:
│ │ │ │ +Input:
│ │ │ │
│ │ │ │ -For Amazon EKS clusters with Secrets Encryption enabled, look for
│ │ │ │ -'encryptionConfig' configuration when you run:
│ │ │ │ -aws eks describe-cluster --name="cluster-name"
│ │ │ │ +aws eks describe-cluster \
│ │ │ │ +--region region \
│ │ │ │ +--name clustername
│ │ │ │ +Output:
│ │ │ │ +...
│ │ │ │ +"endpointPublicAccess": false,
│ │ │ │ +"endpointPrivateAccess": true,
│ │ │ │ +"publicAccessCidrs": [
│ │ │ │ +"203.0.113.5/32"
│ │ │ │ +]
│ │ │ │ +...
│ │ │ │
│ │ │ │ Remediation:
│ │ │ │ +Complete the following steps using the AWS CLI version 1.18.10 or later. You
│ │ │ │ +can check your current version with aws --version. To install or
│ │ │ │ +upgrade the AWS CLI, see Installing the AWS CLI.
│ │ │ │
│ │ │ │ -Enable 'Secrets Encryption' during Amazon EKS cluster creation as
│ │ │ │ -described in the links within the 'References' section.
│ │ │ │ +Update your cluster API server endpoint access with the following AWS CLI
│ │ │ │ +command. Substitute your cluster name and desired endpoint access values. If
│ │ │ │ +you set endpointPublicAccess=true, then you can (optionally) enter
│ │ │ │ +single CIDR block, or a comma- separated list of CIDR blocks for
│ │ │ │ +publicAccessCidrs. The blocks cannot include reserved addresses. If you
│ │ │ │ +specify CIDR blocks, then the public API server endpoint will only receive
│ │ │ │ +requests from the listed blocks. There is a maximum number of CIDR blocks
│ │ │ │ +that you can specify. For more information, see Amazon EKS Service Quotas. If
│ │ │ │ +you restrict access to your public endpoint using CIDR blocks, it is
│ │ │ │ +recommended that you also enable private endpoint access so that worker nodes
│ │ │ │ +and Fargate pods (if you use them) can communicate with the cluster. Without
│ │ │ │ +the private endpoint enabled, your public access endpoint CIDR sources must
│ │ │ │ +include the egress sources from your VPC. For example, if you have a worker
│ │ │ │ +node in a private subnet that communicates to the internet through a NAT
│ │ │ │ +Gateway, you will need to add the outbound IP address of the NAT gateway as
│ │ │ │ +part of a whitelisted CIDR block on your public endpoint. If you specify no
│ │ │ │ +CIDR blocks, then the public API server endpoint receives requests from all
│ │ │ │ +(0.0.0.0/0) IP addresses.
│ │ │ │
│ │ │ │ -References:
│ │ │ │ +Note
│ │ │ │ +The following command enables private access and public access from a single IP address
│ │ │ │ +for the API server endpoint. Replace 203.0.113.5/32 with a single CIDR block, or a comma-
│ │ │ │ +separated list of CIDR blocks that you want to restrict network access to.
│ │ │ │
│ │ │ │ - https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html
│ │ │ │ - https://eksworkshop.com/beginner/191_secrets/
│ │ │ │ +Example command:
│ │ │ │
│ │ │ │ - Is it the case that kubernetes secrets are encrypted in etcd?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains
│ │ │ │ -The output should return true.
│ │ │ │ - Is it the case that the kubelet cannot modify the firewall settings?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To check the ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │ -If properly configured, the output should indicate the following owner:
│ │ │ │ -root
│ │ │ │ - Is it the case that /var/lib/kubelet/kubeconfig does not have an owner of root?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done
│ │ │ │ -The output should return true.
│ │ │ │ - Is it the case that the kubelet cannot rotate server certificate?
│ │ │ │ +aws eks update-cluster-config \
│ │ │ │ +--region region-code \
│ │ │ │ +--name dev \
│ │ │ │ +--resources-vpc-config \
│ │ │ │ +endpointPublicAccess=true, \
│ │ │ │ +publicAccessCidrs="203.0.113.5/32",\
│ │ │ │ +endpointPrivateAccess=true
│ │ │ │ + Is it the case that the control plane endpoint is secure?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -If properly configured, the output should indicate the following group-owner:
│ │ │ │ -root
│ │ │ │ - Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root?
│ │ │ │ +
│ │ │ │ + Verify that the every non-control plane namespace has an appropriate
│ │ │ │ +NetworkPolicy.
│ │ │ │ +
│ │ │ │ +To get all the non-control plane namespaces, you can do the
│ │ │ │ +following command $ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
│ │ │ │ +
│ │ │ │ +To get all the non-control plane namespaces with a NetworkPolicy, you can do the
│ │ │ │ +following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
│ │ │ │ +
│ │ │ │ +Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
│ │ │ │ +
│ │ │ │ +Make sure that the namespaces displayed in the commands of the commands match.
│ │ │ │ + Is it the case that Namespaced Network Policies needs review?
│ │ │ │
│ │ │ │
│ │ │ │ Audit:
│ │ │ │ Check the existence of Fargate profiles in the Amazon EKS cluster by using:
│ │ │ │
│ │ │ │ aws --region ${AWS_REGION} eks list-fargate-profiles --cluster-name ${CLUSTER_NAME}
│ │ │ │ Alternatively, to audit for the presence of a Fargate profile node run the
│ │ │ │ @@ -761,42 +793,48 @@
│ │ │ │ the specified namespace that also have the infrastructure: fargate
│ │ │ │ Kubernetes label match the selector.
│ │ │ │ On the Review and create page, review the information for your Fargate
│ │ │ │ profile and choose Create.
│ │ │ │
│ │ │ │ Is it the case that untrusted workloads are isolated?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Verify that the every non-control plane namespace has an appropriate
│ │ │ │ -NetworkPolicy.
│ │ │ │ -
│ │ │ │ -To get all the non-control plane namespaces, you can do the
│ │ │ │ -following command $ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]'
│ │ │ │ -
│ │ │ │ -To get all the non-control plane namespaces with a NetworkPolicy, you can do the
│ │ │ │ -following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique'
│ │ │ │ -
│ │ │ │ -Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check.
│ │ │ │ -
│ │ │ │ -Make sure that the namespaces displayed in the commands of the commands match.
│ │ │ │ - Is it the case that Namespaced Network Policies needs review?
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
│ │ │ │ +The output should not return 0.
│ │ │ │ + Is it the case that the streaming connection timeouts are not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To check the group ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │ +
│ │ │ │ + To check the permissions of /var/lib/kubelet/kubeconfig,
│ │ │ │ run the command:
│ │ │ │ -$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │ -If properly configured, the output should indicate the following group-owner:
│ │ │ │ -root
│ │ │ │ - Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root?
│ │ │ │ +$ ls -l /var/lib/kubelet/kubeconfig
│ │ │ │ +If properly configured, the output should indicate the following permissions:
│ │ │ │ +-rw-r--r--
│ │ │ │ + Is it the case that /var/lib/kubelet/kubeconfig does not have unix mode -rw-r--r--?
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │ + To enable Private Nodes, the cluster has to also be configured with a private
│ │ │ │ +master IP range and IP Aliasing enabled. Private Nodes do not have outbound
│ │ │ │ +access to the public internet.
│ │ │ │ +
│ │ │ │ +If you want to provide outbound Internet access for your private nodes, you
│ │ │ │ +can use Cloud NAT or you can manage your own NAT gateway.
│ │ │ │ + Is it the case that clusters are created with private nodes?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
│ │ │ │ -The output should return enabled: false.
│ │ │ │ - Is it the case that <tt>anonymous</tt> authentication is not set to <tt>false</tt>?
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
│ │ │ │ +The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt.
│ │ │ │ + Is it the case that no client CA certificate has been configured?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
│ │ │ │ +The output should return nothing or true.
│ │ │ │ + Is it the case that the kubelet cannot rotate client certificate?
│ │ │ │
│ │ │ │
│ │ │ │ Audit:
│ │ │ │
│ │ │ │ To Audit access to the namespace $NAMESPACE, assume the IAM role
│ │ │ │ yourIAMRoleName for a user that you created, and then run the following
│ │ │ │ command:
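Review bot: The order in which OCIL questions are written into this datastream appears to be non-deterministic, since the two builds of the same source differ here only by which entries come first; the result is a package that cannot be verified bit-for-bit, and a downstream verifier comparing hashes cannot tell a benign reorder from a tampered datastream without first canonicalizing the XML. The fix belongs in the generator named in the file banner (build_shorthand.py) rather than in this file: emit questions and questionnaires in a stable order, for example sorted by their `ocil:` id, so the output depends only on the inputs and not on iteration order. The same reordering appears in the `@@ -808` and `@@ -937` hunks of this file and in the ssg-firefox-ds.xml section below, so one generator change should resolve all of them.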
│ │ │ │ @@ -808,109 +846,80 @@
│ │ │ │
│ │ │ │ Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS
│ │ │ │ documentation.
│ │ │ │
│ │ │ │ https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
│ │ │ │ Is it the case that authorization and authentication is managed using AWS IAM?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To enable Private Nodes, the cluster has to also be configured with a private
│ │ │ │ -master IP range and IP Aliasing enabled. Private Nodes do not have outbound
│ │ │ │ -access to the public internet.
│ │ │ │ -
│ │ │ │ -If you want to provide outbound Internet access for your private nodes, you
│ │ │ │ -can use Cloud NAT or you can manage your own NAT gateway.
│ │ │ │ - Is it the case that clusters are created with private nodes?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
│ │ │ │ -The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt.
│ │ │ │ - Is it the case that no client CA certificate has been configured?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ +
│ │ │ │ Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
│ │ │ │ -Verify that the output is not set to mode: AlwaysAllow, or missing
│ │ │ │ -(defaults to mode: Webhook).
│ │ │ │ - Is it the case that <tt>authorization-mode</tt> is not configured to <tt>Webhook</tt>?
│ │ │ │ +$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains
│ │ │ │ +The output should return true.
│ │ │ │ + Is it the case that the kubelet cannot modify the firewall settings?
│ │ │ │
│ │ │ │
│ │ │ │ For more information about protecting your workloads using TLS please refer
│ │ │ │ to the AWS User Guide:
│ │ │ │
│ │ │ │ https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html
│ │ │ │ Is it the case that connections to load balancers and workloads are encrypted with TLS?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Network Policy requires the Network Policy add-on. This add-on is included
│ │ │ │ -automatically when a cluster with Network Policy is created, but for an
│ │ │ │ -existing cluster, needs to be added prior to enabling Network Policy.
│ │ │ │ -
│ │ │ │ -Enabling/Disabling Network Policy causes a rolling update of all cluster
│ │ │ │ -nodes, similar to performing a cluster upgrade. This operation is
│ │ │ │ -long-running and will block other operations on the cluster (including
│ │ │ │ -delete) until it has run to completion.
│ │ │ │ -
│ │ │ │ -If Network Policy is used, a cluster must have at least 2 nodes of type
│ │ │ │ -n1-standard-1 or higher. The recommended minimum size cluster to run
│ │ │ │ -Network Policy enforcement is 3 n1-standard-1 instances.
│ │ │ │ -
│ │ │ │ -Enabling Network Policy enforcement consumes additional resources in nodes.
│ │ │ │ -Specifically, it increases the memory footprint of the kube-system
│ │ │ │ -process by approximately 128MB, and requires approximately 300 millicores of
│ │ │ │ -CPU.
│ │ │ │ - Is it the case that network policy is enabled?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -If properly configured, the output should indicate the following owner:
│ │ │ │ -root
│ │ │ │ - Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root?
│ │ │ │ +
│ │ │ │ + Configure the EKS cluster endpoint to be private. See Modifying Cluster
│ │ │ │ +Endpoint Access for further information on this topic.
│ │ │ │ +https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
│ │ │ │ + Is it the case that private access is enabled and public access is disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure all containers and images are coming from approved registries.
│ │ │ │ -
│ │ │ │ -References:
│ │ │ │ +
│ │ │ │ + Audit:
│ │ │ │
│ │ │ │ -https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/
│ │ │ │ - Is it the case that container images come from approved registries?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
│ │ │ │ -The output should not return 0.
│ │ │ │ - Is it the case that the streaming connection timeouts are not disabled?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Please follow AWS ECS or your 3rd party image scanning provider's guidelines
│ │ │ │ -for enabling Image Scanning.
│ │ │ │ +For each namespace in the cluster, review the rights assigned to the default
│ │ │ │ +service account and ensure that it has no roles or cluster roles bound to it
│ │ │ │ +apart from the defaults. Additionally ensure that the
│ │ │ │ +automountServiceAccountToken: false setting is in place for each
│ │ │ │ +default service account.
│ │ │ │
│ │ │ │ Remediation:
│ │ │ │
│ │ │ │ -To utilize AWS ECR for Image scanning please follow the steps below:
│ │ │ │ +With IAM roles for service accounts on Amazon EKS clusters, you can associate
│ │ │ │ +an IAM role with a Kubernetes service account. This service account can then
│ │ │ │ +provide AWS permissions to the containers in any pod that uses that service
│ │ │ │ +account. With this feature, you no longer need to provide extended
│ │ │ │ +permissions to the worker node IAM role so that pods on that node can call
│ │ │ │ +AWS APIs.
│ │ │ │ +Applications must sign their AWS API requests with AWS credentials. This
│ │ │ │ +feature provides a strategy for managing credentials for your applications,
│ │ │ │ +similar to the way that Amazon EC2 instance profiles provide credentials to
│ │ │ │ +Amazon EC2 instances. Instead of creating and distributing your AWS
│ │ │ │ +credentials to the containers or using the Amazon EC2 instance’s role, you
│ │ │ │ +can associate an IAM role with a Kubernetes service account. The applications
│ │ │ │ +in the pod’s containers can then use an AWS SDK or the AWS CLI to make API
│ │ │ │ +requests to authorized AWS services.
│ │ │ │
│ │ │ │ -To create a repository configured for scan on push (AWS CLI)
│ │ │ │ +The IAM roles for service accounts feature provides the following benefits:
│ │ │ │
│ │ │ │ -aws ecr create-repository --repository-name $REPO_NAME --image-scanning- configuration scanOnPush=true --region $REGION_CODE
│ │ │ │
│ │ │ │ -To edit the settings of an existing repository (AWS CLI)
│ │ │ │ + Least privilege — By using the IAM roles for service accounts feature,
│ │ │ │ + you no longer need to provide extended permissions to the worker node IAM
│ │ │ │ + role so that pods on that node can call AWS APIs. You can scope IAM
│ │ │ │ + permissions to a service account, and only pods that use that service
│ │ │ │ + account have access to those permissions. This feature also eliminates the
│ │ │ │ + need for third-party solutions such as kiam or kube2iam.
│ │ │ │ + Credential isolation — A container can only retrieve credentials for
│ │ │ │ + the IAM role that is associated with the service account to which it
│ │ │ │ + belongs. A container never has access to credentials that are intended for
│ │ │ │ + another container that belongs to another pod.
│ │ │ │ + Auditability — Access and event logging is available through CloudTrail
│ │ │ │ + to help ensure retrospective auditing.
│ │ │ │
│ │ │ │ -aws ecr put-image-scanning-configuration --repository-name $REPO_NAME -- image-scanning-configuration scanOnPush=true --region $REGION_CODE
│ │ │ │
│ │ │ │ -Use the following steps to start a manual image scan using the AWS Management Console.
│ │ │ │ -
│ │ │ │ -1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
│ │ │ │ -2. From the navigation bar, choose the Region to create your repository in.
│ │ │ │ -3. In the navigation pane, choose Repositories.
│ │ │ │ -4. On the Repositories page, choose the repository that contains the image to scan.
│ │ │ │ -5. On the Images page, select the image to scan and then choose Scan.
│ │ │ │ - Is it the case that image vulnerability scanning is enabled?
│ │ │ │ +To get started, see Enabling IAM roles for service accounts on your cluster.
│ │ │ │ +For an end-to-end walkthrough using eksctl, see Walkthrough: Updating
│ │ │ │ +a DaemonSet to use IAM for service accounts.
│ │ │ │ + Is it the case that dedicated service accounts are used?
│ │ │ │
│ │ │ │
│ │ │ │ Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions
│ │ │ │ to verify that they are set and the minimum required level. If utilizing a
│ │ │ │ 3rd party tool to scan images utilize the minimum required permission level
│ │ │ │ required to interact with the cluster - generally this should be read-only.
│ │ │ │
│ │ │ │ @@ -937,91 +946,82 @@
│ │ │ │ "Resource": "*"
│ │ │ │ }
│ │ │ │ ]
│ │ │ │ }
│ │ │ │
│ │ │ │ Is it the case that Cluster Service Account has read-only access to Amazon ECR?
│ │ │ │
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
│ │ │ │ -The output should return nothing or true.
│ │ │ │ - Is it the case that the kubelet cannot rotate client certificate?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -The output should return {{ .var_streaming_connection_timeouts }}.
│ │ │ │ - Is it the case that the streaming connection timeouts are not disabled?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Run the following command on the kubelet node(s):
│ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
│ │ │ │ -The output should return nothing or true.
│ │ │ │ - Is it the case that the kubelet cannot rotate client certificate?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To check the permissions of /etc/kubernetes/kubelet/kubelet-config.json,
│ │ │ │ -run the command:
│ │ │ │ -$ ls -l /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ -If properly configured, the output should indicate the following permissions:
│ │ │ │ --rw-r--r--
│ │ │ │ - Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have unix mode -rw-r--r--?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Audit:
│ │ │ │ -Input:
│ │ │ │ +
│ │ │ │ + Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ +Via the Management Console
│ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ +2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ +3. Click Logging
│ │ │ │ +4. Ensure all 5 choices are set to Enabled
│ │ │ │ +Via CLI
│ │ │ │ +aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}" --query 'cluster.logging.clusterLogging[?enabled==true].types'
│ │ │ │
│ │ │ │ -aws eks describe-cluster \
│ │ │ │ ---region region \
│ │ │ │ ---name clustername
│ │ │ │ -Output:
│ │ │ │ -...
│ │ │ │ -"endpointPublicAccess": false,
│ │ │ │ -"endpointPrivateAccess": true,
│ │ │ │ -"publicAccessCidrs": [
│ │ │ │ -"203.0.113.5/32"
│ │ │ │ -]
│ │ │ │ -...
│ │ │ │ +Perform the following to determine if CloudTrail is enabled for all regions:
│ │ │ │ +Via The Management Console
│ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
│ │ │ │ +2. Click on Cluster Name of the cluster you are auditing
│ │ │ │ +3. Click Logging
│ │ │ │ +4. Select Manage Logging from the button on the right hand side
│ │ │ │ +5. Toggle each selection to the Enabled position.
│ │ │ │ +6. Click Save Changes
│ │ │ │ + Is it the case that audit logging is enable?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Please follow AWS ECS or your 3rd party image scanning provider's guidelines
│ │ │ │ +for enabling Image Scanning.
│ │ │ │
│ │ │ │ Remediation:
│ │ │ │ -Complete the following steps using the AWS CLI version 1.18.10 or later. You
│ │ │ │ -can check your current version with aws --version. To install or
│ │ │ │ -upgrade the AWS CLI, see Installing the AWS CLI.
│ │ │ │
│ │ │ │ -Update your cluster API server endpoint access with the following AWS CLI
│ │ │ │ -command. Substitute your cluster name and desired endpoint access values. If
│ │ │ │ -you set endpointPublicAccess=true, then you can (optionally) enter
│ │ │ │ -single CIDR block, or a comma- separated list of CIDR blocks for
│ │ │ │ -publicAccessCidrs. The blocks cannot include reserved addresses. If you
│ │ │ │ -specify CIDR blocks, then the public API server endpoint will only receive
│ │ │ │ -requests from the listed blocks. There is a maximum number of CIDR blocks
│ │ │ │ -that you can specify. For more information, see Amazon EKS Service Quotas. If
│ │ │ │ -you restrict access to your public endpoint using CIDR blocks, it is
│ │ │ │ -recommended that you also enable private endpoint access so that worker nodes
│ │ │ │ -and Fargate pods (if you use them) can communicate with the cluster. Without
│ │ │ │ -the private endpoint enabled, your public access endpoint CIDR sources must
│ │ │ │ -include the egress sources from your VPC. For example, if you have a worker
│ │ │ │ -node in a private subnet that communicates to the internet through a NAT
│ │ │ │ -Gateway, you will need to add the outbound IP address of the NAT gateway as
│ │ │ │ -part of a whitelisted CIDR block on your public endpoint. If you specify no
│ │ │ │ -CIDR blocks, then the public API server endpoint receives requests from all
│ │ │ │ -(0.0.0.0/0) IP addresses.
│ │ │ │ +To utilize AWS ECR for Image scanning please follow the steps below:
│ │ │ │
│ │ │ │ -Note
│ │ │ │ -The following command enables private access and public access from a single IP address
│ │ │ │ -for the API server endpoint. Replace 203.0.113.5/32 with a single CIDR block, or a comma-
│ │ │ │ -separated list of CIDR blocks that you want to restrict network access to.
│ │ │ │ +To create a repository configured for scan on push (AWS CLI)
│ │ │ │
│ │ │ │ -Example command:
│ │ │ │ +aws ecr create-repository --repository-name $REPO_NAME --image-scanning- configuration scanOnPush=true --region $REGION_CODE
│ │ │ │
│ │ │ │ -aws eks update-cluster-config \
│ │ │ │ ---region region-code \
│ │ │ │ ---name dev \
│ │ │ │ ---resources-vpc-config \
│ │ │ │ -endpointPublicAccess=true, \
│ │ │ │ -publicAccessCidrs="203.0.113.5/32",\
│ │ │ │ -endpointPrivateAccess=true
│ │ │ │ - Is it the case that the control plane endpoint is secure?
│ │ │ │ +To edit the settings of an existing repository (AWS CLI)
│ │ │ │ +
│ │ │ │ +aws ecr put-image-scanning-configuration --repository-name $REPO_NAME -- image-scanning-configuration scanOnPush=true --region $REGION_CODE
│ │ │ │ +
│ │ │ │ +Use the following steps to start a manual image scan using the AWS Management Console.
│ │ │ │ +
│ │ │ │ +1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
│ │ │ │ +2. From the navigation bar, choose the Region to create your repository in.
│ │ │ │ +3. In the navigation pane, choose Repositories.
│ │ │ │ +4. On the Repositories page, choose the repository that contains the image to scan.
│ │ │ │ +5. On the Images page, select the image to scan and then choose Scan.
│ │ │ │ + Is it the case that image vulnerability scanning is enabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To check the ownership of /var/lib/kubelet/kubeconfig,
│ │ │ │ +run the command:
│ │ │ │ +$ ls -lL /var/lib/kubelet/kubeconfig
│ │ │ │ +If properly configured, the output should indicate the following owner:
│ │ │ │ +root
│ │ │ │ + Is it the case that /var/lib/kubelet/kubeconfig does not have an owner of root?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json
│ │ │ │ +The output should return true.
│ │ │ │ + Is it the case that the kubelet can modify kernel parameters?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Ensure all containers and images are coming from approved registries.
│ │ │ │ +
│ │ │ │ +References:
│ │ │ │ +
│ │ │ │ +https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/
│ │ │ │ + Is it the case that container images come from approved registries?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Run the following command on the kubelet node(s):
│ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
│ │ │ │ +The output should return nothing or true.
│ │ │ │ + Is it the case that the kubelet cannot rotate client certificate?
│ │ │ │
│ │ │ │
│ │ │ │
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -5207,199 +5207,199 @@
│ │ │ │
│ │ │ │ build_shorthand.py from SCAP Security Guide
│ │ │ │ ssg: 0.1.76
│ │ │ │ 2.0
│ │ │ │ 2025-03-01T08:08:00
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable JavaScript's Moving Or Resizing Windows Capability
│ │ │ │ -
│ │ │ │ - ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Supported Version of Firefox Installed
│ │ │ │ +
│ │ │ │ + Enabled Firefox Cryptomining protection
│ │ │ │
│ │ │ │ - ocil:ssg-installed_firefox_version_supported_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-cryptomining_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Firefox Studies
│ │ │ │ +
│ │ │ │ + Enable Firefox Pop-up Blocker
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-disable_studies_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable JavaScript's Raise Or Lower Windows Capability
│ │ │ │ +
│ │ │ │ + Disabled Firefox Extension Recommendations
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Enable Shared System Certificates
│ │ │ │
│ │ │ │ ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ +
│ │ │ │ + Ensure the Content Blocker uBlock Origin is Installed
│ │ │ │ +
│ │ │ │ + ocil:ssg-firefox_policy-content_blocker_action:testaction:1
│ │ │ │ +
│ │ │ │ +
│ │ │ │
│ │ │ │ Firefox autoplay must be disabled.
│ │ │ │
│ │ │ │ ocil:ssg-firefox_policy-autoplay_video_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ +
│ │ │ │ + Disable JavaScript's Moving Or Resizing Windows Capability
│ │ │ │ +
│ │ │ │ + ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1
│ │ │ │ +
│ │ │ │ +
│ │ │ │
│ │ │ │ Enable Certificate Verification
│ │ │ │
│ │ │ │ ocil:ssg-firefox_policy-verification_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure the Content Blocker uBlock Origin is Installed
│ │ │ │ +
│ │ │ │ + Disable Installed Search Plugins Update Checking
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-content_blocker_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-search_update_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Enabled Firefox Fingerprinting Protection
│ │ │ │ +
│ │ │ │ + Disable JavaScript's Raise Or Lower Windows Capability
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Enabled Firefox Enhanced Tracking Protection
│ │ │ │ +
│ │ │ │ + Disable auto-download for proscribed MIME types.
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disabled Firefox Extension Recommendations
│ │ │ │ +
│ │ │ │ + Firefox search suggestions must be disabled.
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-search_suggestion_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Firefox Pocket
│ │ │ │ +
│ │ │ │ + Firefox must prevent the user from quickly deleting data.
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-disable_pocket_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-forget_button_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Firefox must be configured to not automatically update installed add-ons and plugins.
│ │ │ │ +
│ │ │ │ + Enabled Firefox Enhanced Tracking Protection
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-extension_update_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Firefox must prevent the user from quickly deleting data.
│ │ │ │ +
│ │ │ │ + Disable Firefox network prediction
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-forget_button_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-network_prediction_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Enable Firefox Pop-up Blocker
│ │ │ │ +
│ │ │ │ + Firefox must be configured to not automatically update installed add-ons and plugins.
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-extension_update_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Firefox deprecated ciphers
│ │ │ │ +
│ │ │ │ + The DoD Root Certificate Exists
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1
│ │ │ │ +
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Enabled Firefox Fingerprinting Protection
│ │ │ │ +
│ │ │ │ + ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Firefox private browsing must be disabled.
│ │ │ │
│ │ │ │ ocil:ssg-firefox_policy-private_browsing_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Firefox Development Tools
│ │ │ │ +
│ │ │ │ + Supported Version of Firefox Installed
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-development_tools_action:testaction:1
│ │ │ │ + ocil:ssg-installed_firefox_version_supported_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Firefox network prediction
│ │ │ │ +
│ │ │ │ + Disable Firefox Development Tools
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-network_prediction_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-development_tools_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - The DoD Root Certificate Exists
│ │ │ │ +
│ │ │ │ + Disable Firefox Studies
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-disable_studies_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Disable Firefox Telemetry
│ │ │ │
│ │ │ │ ocil:ssg-firefox_policy-telemetry_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Firefox search suggestions must be disabled.
│ │ │ │ -
│ │ │ │ - ocil:ssg-firefox_policy-search_suggestion_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Enabled Firefox Cryptomining protection
│ │ │ │ -
│ │ │ │ - ocil:ssg-firefox_policy-cryptomining_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Disable auto-download for proscribed MIME types.
│ │ │ │ +
│ │ │ │ + Disable Firefox Pocket
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-disable_pocket_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Installed Search Plugins Update Checking
│ │ │ │ +
│ │ │ │ + Disable Firefox deprecated ciphers
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-search_update_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ @@ -5407,414 +5407,414 @@
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that JavaScript cannot change windows sizing,
│ │ │ │ +
│ │ │ │ + To verify that cryptomining protection is enabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following uder dom.disable_window_move_resize:
│ │ │ │ -"Value": true,
│ │ │ │ -"Status": "locked",
│ │ │ │ - Is it the case that it is not disabled?
│ │ │ │ +The output should have the following under EnableTrackingProtection:
│ │ │ │ +"Cryptomining": true
│ │ │ │ + Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or
│ │ │ │ -a yum server which provides updates, invoking the following command will
│ │ │ │ -indicate if updates are available:
│ │ │ │ -$ sudo yum check-update
│ │ │ │ -If the system is not configured to update from one of these sources,
│ │ │ │ -run the following command to list when each package was last updated:
│ │ │ │ -$ rpm -qa -last
│ │ │ │ -Compare this to Red Hat Security Advisories (RHSA) listed at
│ │ │ │ -
│ │ │ │ - https://access.redhat.com/security/updates/active/
│ │ │ │ -to determine if the system is missing applicable updates.
│ │ │ │ - Is it the case that it is not updated?
│ │ │ │ +
│ │ │ │ + To verify that pop-up blocker is enabled,
│ │ │ │ +run the following command:
│ │ │ │ +$ grep -B10 'PopupBlocking' FIREFOX_INSTALL_DIR/*.cfg
│ │ │ │ +The output should include:
│ │ │ │ +"Default": true
│ │ │ │ +"Locked": true
│ │ │ │ + Is it the case that it is not enabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that Studies is disabled,
│ │ │ │ +
│ │ │ │ + To verify that enhanced tracking protection is enabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"DisableFirefoxStudies": true
│ │ │ │ +The output should have the following under Preferences -> extensions.htmlaboutaddons.recommendations.enabled:
│ │ │ │ +"Value": false
│ │ │ │ +"Status": "locked"
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that JavaScript cannot change windows sizing,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following uder dom.disable_window_flip:
│ │ │ │ -"Value": true,
│ │ │ │ -"Status": "locked",
│ │ │ │ - Is it the case that it is not disabled?
│ │ │ │ -
│ │ │ │
│ │ │ │ To verify that the central system cerificate authority store is enabled,
│ │ │ │ run the following command:
│ │ │ │ $ ls -l /etc/alternatives/libnssckbi.so.x86_64
│ │ │ │ The output should return something similar to:
│ │ │ │ lrwxrwxrwx. 1 root root 34 Apr 30 09:19 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so
│ │ │ │ Is it the case that it is not enabled?
│ │ │ │
│ │ │ │ +
│ │ │ │ + To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following under ExtensionSettings:
│ │ │ │ +"uBlock0@raymondhill.net": {
│ │ │ │ +" "installation_mode":"normal_installed",
│ │ │ │ +" "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
│ │ │ │ +" "updates_disabled":false}
│ │ │ │ + Is it the case that ?
│ │ │ │ +
│ │ │ │
│ │ │ │ To verify that search suggestions are disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following under Permissions -> Autoplay:
│ │ │ │ "Default": "block-audio-video"
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ +
│ │ │ │ + To verify that JavaScript cannot change windows sizing,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following uder dom.disable_window_move_resize:
│ │ │ │ +"Value": true,
│ │ │ │ +"Status": "locked",
│ │ │ │ + Is it the case that it is not disabled?
│ │ │ │ +
│ │ │ │
│ │ │ │ To verify that certificate verification is enabled, type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following under security.default_personal_cert:
│ │ │ │ Value: "Ask Every Time"
│ │ │ │ Status: "locked"
│ │ │ │ Is it the case that it is not enabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled,
│ │ │ │ +
│ │ │ │ + To verify that checks for installed search plugin updates are disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under ExtensionSettings:
│ │ │ │ -"uBlock0@raymondhill.net": {
│ │ │ │ -" "installation_mode":"normal_installed",
│ │ │ │ -" "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
│ │ │ │ -" "updates_disabled":false}
│ │ │ │ +The output should have the following under browser.search.update:
│ │ │ │ +Value: false
│ │ │ │ +Status: "locked"
│ │ │ │ + Is it the case that it is not disabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To verify that JavaScript cannot change windows sizing,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following uder dom.disable_window_flip:
│ │ │ │ +"Value": true,
│ │ │ │ +"Status": "locked",
│ │ │ │ + Is it the case that it is not disabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To verify that any proscribed file types are configured for automatic download,
│ │ │ │ +type "about:preferences" into the search bar, then
│ │ │ │ +type "Applications" in the Find bar in the upper-right corner.
│ │ │ │ +If any of the following file extensions are listed and the Action item associated with it
│ │ │ │ +is an application that does or can execute the code, this is a finding.
│ │ │ │ +If the entry exists and the "Action" is "Save File" or "Always Ask", this is not a finding.
│ │ │ │ +
│ │ │ │ + HTA
│ │ │ │ + JSE
│ │ │ │ + JS
│ │ │ │ + MOCHA
│ │ │ │ + SHS
│ │ │ │ + VBE
│ │ │ │ + VBS
│ │ │ │ + SCT
│ │ │ │ + WSC
│ │ │ │ + FDF
│ │ │ │ + XFDF
│ │ │ │ + LSL
│ │ │ │ + LSO
│ │ │ │ + LSS
│ │ │ │ + IQY
│ │ │ │ + RQY
│ │ │ │ + DOS
│ │ │ │ + BAT
│ │ │ │ + PS
│ │ │ │ + EPS
│ │ │ │ + WCH
│ │ │ │ + WCM
│ │ │ │ + WB1
│ │ │ │ + WB3
│ │ │ │ + WCH
│ │ │ │ + WCM
│ │ │ │ + AD
│ │ │ │ +
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that fingerprinting protection is enabled,
│ │ │ │ +
│ │ │ │ + To verify that search suggestions are disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under EnableTrackingProtection:
│ │ │ │ -"Fingerprinting": true
│ │ │ │ +The output should have the following:
│ │ │ │ +"SearchSuggestEnabled": false
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that enhanced tracking protection is enabled,
│ │ │ │ +
│ │ │ │ + To verify that users cannot access the forget button,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under Preferences -> browser.contentblocking.category:
│ │ │ │ -"Value": "strict"
│ │ │ │ -"Status": "locked"
│ │ │ │ +The output should have the following:
│ │ │ │ +"DisableForgetButon": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │ To verify that enhanced tracking protection is enabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under Preferences -> extensions.htmlaboutaddons.recommendations.enabled:
│ │ │ │ -"Value": false
│ │ │ │ +The output should have the following under Preferences -> browser.contentblocking.category:
│ │ │ │ +"Value": "strict"
│ │ │ │ "Status": "locked"
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that Pocket is disabled,
│ │ │ │ +
│ │ │ │ + To verify that network prediction is disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ -"DisablePocket": true
│ │ │ │ - Is it the case that ?
│ │ │ │ +"NetworkPrediction": false
│ │ │ │ + Is it the case that it is not disabled?
│ │ │ │
│ │ │ │
│ │ │ │ To verify that certificate verification is enabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ "ExtensionUpdate": false
│ │ │ │ Status: "locked"
│ │ │ │ Is it the case that it is not enabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that users cannot access the forget button,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"DisableForgetButon": true
│ │ │ │ - Is it the case that ?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To verify that pop-up blocker is enabled,
│ │ │ │ -run the following command:
│ │ │ │ -$ grep -B10 'PopupBlocking' FIREFOX_INSTALL_DIR/*.cfg
│ │ │ │ -The output should include:
│ │ │ │ -"Default": true
│ │ │ │ -"Locked": true
│ │ │ │ - Is it the case that it is not enabled?
│ │ │ │ +
│ │ │ │ + To verify that the DoD root certificate is installed,
│ │ │ │ +list all certificates in /etc/pki/ca-trust/source/anchors
│ │ │ │ +and compare them to the DoD root certificate. If there is a match
│ │ │ │ +to the DoD root certificate, then the DoD root certificate is
│ │ │ │ +installed.
│ │ │ │ + Is it the case that it is not installed?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that deprecated ciphers are disabled,
│ │ │ │ +
│ │ │ │ + To verify that fingerprinting protection is enabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under DisabledCiphers:
│ │ │ │ -"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true
│ │ │ │ +The output should have the following under EnableTrackingProtection:
│ │ │ │ +"Fingerprinting": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │
│ │ │ │ To verify that private browsing is disabled
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following uder dom.disable_window_move_resize:
│ │ │ │ "DisablePrivateBrowsing": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ +
│ │ │ │ + If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or
│ │ │ │ +a yum server which provides updates, invoking the following command will
│ │ │ │ +indicate if updates are available:
│ │ │ │ +$ sudo yum check-update
│ │ │ │ +If the system is not configured to update from one of these sources,
│ │ │ │ +run the following command to list when each package was last updated:
│ │ │ │ +$ rpm -qa -last
│ │ │ │ +Compare this to Red Hat Security Advisories (RHSA) listed at
│ │ │ │ +
│ │ │ │ + https://access.redhat.com/security/updates/active/
│ │ │ │ +to determine if the system is missing applicable updates.
│ │ │ │ + Is it the case that it is not updated?
│ │ │ │ +
│ │ │ │
│ │ │ │ To verify that Firefox Development Tools are disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ "DisableDeveloperTools": true,
│ │ │ │ Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that network prediction is disabled,
│ │ │ │ +
│ │ │ │ + To verify that Studies is disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ -"NetworkPrediction": false
│ │ │ │ - Is it the case that it is not disabled?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To verify that the DoD root certificate is installed,
│ │ │ │ -list all certificates in /etc/pki/ca-trust/source/anchors
│ │ │ │ -and compare them to the DoD root certificate. If there is a match
│ │ │ │ -to the DoD root certificate, then the DoD root certificate is
│ │ │ │ -installed.
│ │ │ │ - Is it the case that it is not installed?
│ │ │ │ +"DisableFirefoxStudies": true
│ │ │ │ + Is it the case that ?
│ │ │ │
│ │ │ │
│ │ │ │ To verify that Firefox telemetry is disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ "DisableTelemetry": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that search suggestions are disabled,
│ │ │ │ +
│ │ │ │ + To verify that Pocket is disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ -"SearchSuggestEnabled": false
│ │ │ │ +"DisablePocket": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that cryptomining protection is enabled,
│ │ │ │ +
│ │ │ │ + To verify that deprecated ciphers are disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under EnableTrackingProtection:
│ │ │ │ -"Cryptomining": true
│ │ │ │ - Is it the case that ?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To verify that any proscribed file types are configured for automatic download,
│ │ │ │ -type "about:preferences" into the search bar, then
│ │ │ │ -type "Applications" in the Find bar in the upper-right corner.
│ │ │ │ -If any of the following file extensions are listed and the Action item associated with it
│ │ │ │ -is an application that does or can execute the code, this is a finding.
│ │ │ │ -If the entry exists and the "Action" is "Save File" or "Always Ask", this is not a finding.
│ │ │ │ -
│ │ │ │ - HTA
│ │ │ │ - JSE
│ │ │ │ - JS
│ │ │ │ - MOCHA
│ │ │ │ - SHS
│ │ │ │ - VBE
│ │ │ │ - VBS
│ │ │ │ - SCT
│ │ │ │ - WSC
│ │ │ │ - FDF
│ │ │ │ - XFDF
│ │ │ │ - LSL
│ │ │ │ - LSO
│ │ │ │ - LSS
│ │ │ │ - IQY
│ │ │ │ - RQY
│ │ │ │ - DOS
│ │ │ │ - BAT
│ │ │ │ - PS
│ │ │ │ - EPS
│ │ │ │ - WCH
│ │ │ │ - WCM
│ │ │ │ - WB1
│ │ │ │ - WB3
│ │ │ │ - WCH
│ │ │ │ - WCM
│ │ │ │ - AD
│ │ │ │ -
│ │ │ │ +The output should have the following under DisabledCiphers:
│ │ │ │ +"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that checks for installed search plugin updates are disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following under browser.search.update:
│ │ │ │ -Value: false
│ │ │ │ -Status: "locked"
│ │ │ │ - Is it the case that it is not disabled?
│ │ │ │ -
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ build_cpe.py from SCAP Security Guide
│ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ocil.xml
│ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ocil.xml
│ │ │ │┄ Ordering differences only
│ │ │ │ @@ -3,199 +3,199 @@
│ │ │ │
│ │ │ │ build_shorthand.py from SCAP Security Guide
│ │ │ │ ssg: 0.1.76
│ │ │ │ 2.0
│ │ │ │ 2025-03-01T08:08:00
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable JavaScript's Moving Or Resizing Windows Capability
│ │ │ │ -
│ │ │ │ - ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Supported Version of Firefox Installed
│ │ │ │ +
│ │ │ │ + Enabled Firefox Cryptomining protection
│ │ │ │
│ │ │ │ - ocil:ssg-installed_firefox_version_supported_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-cryptomining_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Firefox Studies
│ │ │ │ +
│ │ │ │ + Enable Firefox Pop-up Blocker
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-disable_studies_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable JavaScript's Raise Or Lower Windows Capability
│ │ │ │ +
│ │ │ │ + Disabled Firefox Extension Recommendations
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Enable Shared System Certificates
│ │ │ │
│ │ │ │ ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ +
│ │ │ │ + Ensure the Content Blocker uBlock Origin is Installed
│ │ │ │ +
│ │ │ │ + ocil:ssg-firefox_policy-content_blocker_action:testaction:1
│ │ │ │ +
│ │ │ │ +
│ │ │ │
│ │ │ │ Firefox autoplay must be disabled.
│ │ │ │
│ │ │ │ ocil:ssg-firefox_policy-autoplay_video_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ +
│ │ │ │ + Disable JavaScript's Moving Or Resizing Windows Capability
│ │ │ │ +
│ │ │ │ + ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1
│ │ │ │ +
│ │ │ │ +
│ │ │ │
│ │ │ │ Enable Certificate Verification
│ │ │ │
│ │ │ │ ocil:ssg-firefox_policy-verification_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Ensure the Content Blocker uBlock Origin is Installed
│ │ │ │ +
│ │ │ │ + Disable Installed Search Plugins Update Checking
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-content_blocker_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-search_update_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Enabled Firefox Fingerprinting Protection
│ │ │ │ +
│ │ │ │ + Disable JavaScript's Raise Or Lower Windows Capability
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Enabled Firefox Enhanced Tracking Protection
│ │ │ │ +
│ │ │ │ + Disable auto-download for proscribed MIME types.
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disabled Firefox Extension Recommendations
│ │ │ │ +
│ │ │ │ + Firefox search suggestions must be disabled.
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-search_suggestion_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Firefox Pocket
│ │ │ │ +
│ │ │ │ + Firefox must prevent the user from quickly deleting data.
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-disable_pocket_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-forget_button_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Firefox must be configured to not automatically update installed add-ons and plugins.
│ │ │ │ +
│ │ │ │ + Enabled Firefox Enhanced Tracking Protection
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-extension_update_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Firefox must prevent the user from quickly deleting data.
│ │ │ │ +
│ │ │ │ + Disable Firefox network prediction
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-forget_button_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-network_prediction_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Enable Firefox Pop-up Blocker
│ │ │ │ +
│ │ │ │ + Firefox must be configured to not automatically update installed add-ons and plugins.
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-extension_update_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Firefox deprecated ciphers
│ │ │ │ +
│ │ │ │ + The DoD Root Certificate Exists
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1
│ │ │ │ +
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + Enabled Firefox Fingerprinting Protection
│ │ │ │ +
│ │ │ │ + ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Firefox private browsing must be disabled.
│ │ │ │
│ │ │ │ ocil:ssg-firefox_policy-private_browsing_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Firefox Development Tools
│ │ │ │ +
│ │ │ │ + Supported Version of Firefox Installed
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-development_tools_action:testaction:1
│ │ │ │ + ocil:ssg-installed_firefox_version_supported_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Firefox network prediction
│ │ │ │ +
│ │ │ │ + Disable Firefox Development Tools
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-network_prediction_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-development_tools_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - The DoD Root Certificate Exists
│ │ │ │ +
│ │ │ │ + Disable Firefox Studies
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-disable_studies_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ Disable Firefox Telemetry
│ │ │ │
│ │ │ │ ocil:ssg-firefox_policy-telemetry_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Firefox search suggestions must be disabled.
│ │ │ │ -
│ │ │ │ - ocil:ssg-firefox_policy-search_suggestion_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Enabled Firefox Cryptomining protection
│ │ │ │ -
│ │ │ │ - ocil:ssg-firefox_policy-cryptomining_action:testaction:1
│ │ │ │ -
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - Disable auto-download for proscribed MIME types.
│ │ │ │ +
│ │ │ │ + Disable Firefox Pocket
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-disable_pocket_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - Disable Installed Search Plugins Update Checking
│ │ │ │ +
│ │ │ │ + Disable Firefox deprecated ciphers
│ │ │ │
│ │ │ │ - ocil:ssg-firefox_policy-search_update_action:testaction:1
│ │ │ │ + ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ @@ -203,409 +203,409 @@
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │
│ │ │ │ PASS
│ │ │ │
│ │ │ │
│ │ │ │ FAIL
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that JavaScript cannot change windows sizing,
│ │ │ │ +
│ │ │ │ + To verify that cryptomining protection is enabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following uder dom.disable_window_move_resize:
│ │ │ │ -"Value": true,
│ │ │ │ -"Status": "locked",
│ │ │ │ - Is it the case that it is not disabled?
│ │ │ │ +The output should have the following under EnableTrackingProtection:
│ │ │ │ +"Cryptomining": true
│ │ │ │ + Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or
│ │ │ │ -a yum server which provides updates, invoking the following command will
│ │ │ │ -indicate if updates are available:
│ │ │ │ -$ sudo yum check-update
│ │ │ │ -If the system is not configured to update from one of these sources,
│ │ │ │ -run the following command to list when each package was last updated:
│ │ │ │ -$ rpm -qa -last
│ │ │ │ -Compare this to Red Hat Security Advisories (RHSA) listed at
│ │ │ │ -
│ │ │ │ - https://access.redhat.com/security/updates/active/
│ │ │ │ -to determine if the system is missing applicable updates.
│ │ │ │ - Is it the case that it is not updated?
│ │ │ │ +
│ │ │ │ + To verify that pop-up blocker is enabled,
│ │ │ │ +run the following command:
│ │ │ │ +$ grep -B10 'PopupBlocking' FIREFOX_INSTALL_DIR/*.cfg
│ │ │ │ +The output should include:
│ │ │ │ +"Default": true
│ │ │ │ +"Locked": true
│ │ │ │ + Is it the case that it is not enabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that Studies is disabled,
│ │ │ │ +
│ │ │ │ + To verify that enhanced tracking protection is enabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"DisableFirefoxStudies": true
│ │ │ │ +The output should have the following under Preferences -> extensions.htmlaboutaddons.recommendations.enabled:
│ │ │ │ +"Value": false
│ │ │ │ +"Status": "locked"
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that JavaScript cannot change windows sizing,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following uder dom.disable_window_flip:
│ │ │ │ -"Value": true,
│ │ │ │ -"Status": "locked",
│ │ │ │ - Is it the case that it is not disabled?
│ │ │ │ -
│ │ │ │
│ │ │ │ To verify that the central system cerificate authority store is enabled,
│ │ │ │ run the following command:
│ │ │ │ $ ls -l /etc/alternatives/libnssckbi.so.x86_64
│ │ │ │ The output should return something similar to:
│ │ │ │ lrwxrwxrwx. 1 root root 34 Apr 30 09:19 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so
│ │ │ │ Is it the case that it is not enabled?
│ │ │ │
│ │ │ │ +
│ │ │ │ + To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following under ExtensionSettings:
│ │ │ │ +"uBlock0@raymondhill.net": {
│ │ │ │ +" "installation_mode":"normal_installed",
│ │ │ │ +" "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
│ │ │ │ +" "updates_disabled":false}
│ │ │ │ + Is it the case that ?
│ │ │ │ +
│ │ │ │
│ │ │ │ To verify that search suggestions are disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following under Permissions -> Autoplay:
│ │ │ │ "Default": "block-audio-video"
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ +
│ │ │ │ + To verify that JavaScript cannot change windows sizing,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following uder dom.disable_window_move_resize:
│ │ │ │ +"Value": true,
│ │ │ │ +"Status": "locked",
│ │ │ │ + Is it the case that it is not disabled?
│ │ │ │ +
│ │ │ │
│ │ │ │ To verify that certificate verification is enabled, type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following under security.default_personal_cert:
│ │ │ │ Value: "Ask Every Time"
│ │ │ │ Status: "locked"
│ │ │ │ Is it the case that it is not enabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled,
│ │ │ │ +
│ │ │ │ + To verify that checks for installed search plugin updates are disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under ExtensionSettings:
│ │ │ │ -"uBlock0@raymondhill.net": {
│ │ │ │ -" "installation_mode":"normal_installed",
│ │ │ │ -" "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
│ │ │ │ -" "updates_disabled":false}
│ │ │ │ +The output should have the following under browser.search.update:
│ │ │ │ +Value: false
│ │ │ │ +Status: "locked"
│ │ │ │ + Is it the case that it is not disabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To verify that JavaScript cannot change windows sizing,
│ │ │ │ +type the following into the browser address bar:
│ │ │ │ +about:policies
│ │ │ │ +The output should have the following uder dom.disable_window_flip:
│ │ │ │ +"Value": true,
│ │ │ │ +"Status": "locked",
│ │ │ │ + Is it the case that it is not disabled?
│ │ │ │ +
│ │ │ │ +
│ │ │ │ + To verify that any proscribed file types are configured for automatic download,
│ │ │ │ +type "about:preferences" into the search bar, then
│ │ │ │ +type "Applications" in the Find bar in the upper-right corner.
│ │ │ │ +If any of the following file extensions are listed and the Action item associated with it
│ │ │ │ +is an application that does or can execute the code, this is a finding.
│ │ │ │ +If the entry exists and the "Action" is "Save File" or "Always Ask", this is not a finding.
│ │ │ │ +
│ │ │ │ + HTA
│ │ │ │ + JSE
│ │ │ │ + JS
│ │ │ │ + MOCHA
│ │ │ │ + SHS
│ │ │ │ + VBE
│ │ │ │ + VBS
│ │ │ │ + SCT
│ │ │ │ + WSC
│ │ │ │ + FDF
│ │ │ │ + XFDF
│ │ │ │ + LSL
│ │ │ │ + LSO
│ │ │ │ + LSS
│ │ │ │ + IQY
│ │ │ │ + RQY
│ │ │ │ + DOS
│ │ │ │ + BAT
│ │ │ │ + PS
│ │ │ │ + EPS
│ │ │ │ + WCH
│ │ │ │ + WCM
│ │ │ │ + WB1
│ │ │ │ + WB3
│ │ │ │ + WCH
│ │ │ │ + WCM
│ │ │ │ + AD
│ │ │ │ +
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that fingerprinting protection is enabled,
│ │ │ │ +
│ │ │ │ + To verify that search suggestions are disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under EnableTrackingProtection:
│ │ │ │ -"Fingerprinting": true
│ │ │ │ +The output should have the following:
│ │ │ │ +"SearchSuggestEnabled": false
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that enhanced tracking protection is enabled,
│ │ │ │ +
│ │ │ │ + To verify that users cannot access the forget button,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under Preferences -> browser.contentblocking.category:
│ │ │ │ -"Value": "strict"
│ │ │ │ -"Status": "locked"
│ │ │ │ +The output should have the following:
│ │ │ │ +"DisableForgetButon": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ +
│ │ │ │ To verify that enhanced tracking protection is enabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under Preferences -> extensions.htmlaboutaddons.recommendations.enabled:
│ │ │ │ -"Value": false
│ │ │ │ +The output should have the following under Preferences -> browser.contentblocking.category:
│ │ │ │ +"Value": "strict"
│ │ │ │ "Status": "locked"
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that Pocket is disabled,
│ │ │ │ +
│ │ │ │ + To verify that network prediction is disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ -"DisablePocket": true
│ │ │ │ - Is it the case that ?
│ │ │ │ +"NetworkPrediction": false
│ │ │ │ + Is it the case that it is not disabled?
│ │ │ │
│ │ │ │
│ │ │ │ To verify that certificate verification is enabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ "ExtensionUpdate": false
│ │ │ │ Status: "locked"
│ │ │ │ Is it the case that it is not enabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that users cannot access the forget button,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following:
│ │ │ │ -"DisableForgetButon": true
│ │ │ │ - Is it the case that ?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To verify that pop-up blocker is enabled,
│ │ │ │ -run the following command:
│ │ │ │ -$ grep -B10 'PopupBlocking' FIREFOX_INSTALL_DIR/*.cfg
│ │ │ │ -The output should include:
│ │ │ │ -"Default": true
│ │ │ │ -"Locked": true
│ │ │ │ - Is it the case that it is not enabled?
│ │ │ │ +
│ │ │ │ + To verify that the DoD root certificate is installed,
│ │ │ │ +list all certificates in /etc/pki/ca-trust/source/anchors
│ │ │ │ +and compare them to the DoD root certificate. If there is a match
│ │ │ │ +to the DoD root certificate, then the DoD root certificate is
│ │ │ │ +installed.
│ │ │ │ + Is it the case that it is not installed?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that deprecated ciphers are disabled,
│ │ │ │ +
│ │ │ │ + To verify that fingerprinting protection is enabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under DisabledCiphers:
│ │ │ │ -"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true
│ │ │ │ +The output should have the following under EnableTrackingProtection:
│ │ │ │ +"Fingerprinting": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │
│ │ │ │ To verify that private browsing is disabled
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following uder dom.disable_window_move_resize:
│ │ │ │ "DisablePrivateBrowsing": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ +
│ │ │ │ + If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or
│ │ │ │ +a yum server which provides updates, invoking the following command will
│ │ │ │ +indicate if updates are available:
│ │ │ │ +$ sudo yum check-update
│ │ │ │ +If the system is not configured to update from one of these sources,
│ │ │ │ +run the following command to list when each package was last updated:
│ │ │ │ +$ rpm -qa -last
│ │ │ │ +Compare this to Red Hat Security Advisories (RHSA) listed at
│ │ │ │ +
│ │ │ │ + https://access.redhat.com/security/updates/active/
│ │ │ │ +to determine if the system is missing applicable updates.
│ │ │ │ + Is it the case that it is not updated?
│ │ │ │ +
│ │ │ │
│ │ │ │ To verify that Firefox Development Tools are disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ "DisableDeveloperTools": true,
│ │ │ │ Is it the case that it is not disabled?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that network prediction is disabled,
│ │ │ │ +
│ │ │ │ + To verify that Studies is disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ -"NetworkPrediction": false
│ │ │ │ - Is it the case that it is not disabled?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To verify that the DoD root certificate is installed,
│ │ │ │ -list all certificates in /etc/pki/ca-trust/source/anchors
│ │ │ │ -and compare them to the DoD root certificate. If there is a match
│ │ │ │ -to the DoD root certificate, then the DoD root certificate is
│ │ │ │ -installed.
│ │ │ │ - Is it the case that it is not installed?
│ │ │ │ +"DisableFirefoxStudies": true
│ │ │ │ + Is it the case that ?
│ │ │ │
│ │ │ │
│ │ │ │ To verify that Firefox telemetry is disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ "DisableTelemetry": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that search suggestions are disabled,
│ │ │ │ +
│ │ │ │ + To verify that Pocket is disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ The output should have the following:
│ │ │ │ -"SearchSuggestEnabled": false
│ │ │ │ +"DisablePocket": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that cryptomining protection is enabled,
│ │ │ │ +
│ │ │ │ + To verify that deprecated ciphers are disabled,
│ │ │ │ type the following into the browser address bar:
│ │ │ │ about:policies
│ │ │ │ -The output should have the following under EnableTrackingProtection:
│ │ │ │ -"Cryptomining": true
│ │ │ │ - Is it the case that ?
│ │ │ │ -
│ │ │ │ -
│ │ │ │ - To verify that any proscribed file types are configured for automatic download,
│ │ │ │ -type "about:preferences" into the search bar, then
│ │ │ │ -type "Applications" in the Find bar in the upper-right corner.
│ │ │ │ -If any of the following file extensions are listed and the Action item associated with it
│ │ │ │ -is an application that does or can execute the code, this is a finding.
│ │ │ │ -If the entry exists and the "Action" is "Save File" or "Always Ask", this is not a finding.
│ │ │ │ -
│ │ │ │ - HTA
│ │ │ │ - JSE
│ │ │ │ - JS
│ │ │ │ - MOCHA
│ │ │ │ - SHS
│ │ │ │ - VBE
│ │ │ │ - VBS
│ │ │ │ - SCT
│ │ │ │ - WSC
│ │ │ │ - FDF
│ │ │ │ - XFDF
│ │ │ │ - LSL
│ │ │ │ - LSO
│ │ │ │ - LSS
│ │ │ │ - IQY
│ │ │ │ - RQY
│ │ │ │ - DOS
│ │ │ │ - BAT
│ │ │ │ - PS
│ │ │ │ - EPS
│ │ │ │ - WCH
│ │ │ │ - WCM
│ │ │ │ - WB1
│ │ │ │ - WB3
│ │ │ │ - WCH
│ │ │ │ - WCM
│ │ │ │ - AD
│ │ │ │ -
│ │ │ │ +The output should have the following under DisabledCiphers:
│ │ │ │ +"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true
│ │ │ │ Is it the case that ?
│ │ │ │
│ │ │ │ -
│ │ │ │ - To verify that checks for installed search plugin updates are disabled,
│ │ │ │ -type the following into the browser address bar:
│ │ │ │ -about:policies
│ │ │ │ -The output should have the following under browser.search.update:
│ │ │ │ -Value: false
│ │ │ │ -Status: "locked"
│ │ │ │ - Is it the case that it is not disabled?
│ │ │ │ -
│ │ │ │
│ │ │ │