--- /srv/rebuilderd/tmp/rebuilderd7e6cDs/inputs/ssg-applications_0.1.76-1_all.deb +++ /srv/rebuilderd/tmp/rebuilderd7e6cDs/out/ssg-applications_0.1.76-1_all.deb ├── file list │ @@ -1,3 +1,3 @@ │ -rw-r--r-- 0 0 0 4 2025-03-01 08:08:00.000000 debian-binary │ -rw-r--r-- 0 0 0 1724 2025-03-01 08:08:00.000000 control.tar.xz │ --rw-r--r-- 0 0 0 151816 2025-03-01 08:08:00.000000 data.tar.xz │ +-rw-r--r-- 0 0 0 151804 2025-03-01 08:08:00.000000 data.tar.xz ├── control.tar.xz │ ├── control.tar │ │ ├── ./md5sums │ │ │ ├── ./md5sums │ │ │ │┄ Files differ ├── data.tar.xz │ ├── data.tar │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ds.xml │ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ds.xml │ │ │ │┄ Ordering differences only │ │ │ │ 
@@ -2548,800 +2548,800 @@ │ │ │ │ │ │ │ │ build_shorthand.py from SCAP Security Guide │ │ │ │ ssg: 0.1.76 │ │ │ │ 2.0 │ │ │ │ 2025-03-01T08:08:00 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Data Synchronization to Google │ │ │ │ - │ │ │ │ - ocil:ssg-chromium_disable_google_sync_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Disable the 3D Graphics APIs │ │ │ │ + │ │ │ │ + Disable Saved Passwords │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_saved_passwords_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Use of Cleartext Passwords │ │ │ │ + │ │ │ │ + Enable the Safe Browsing Feature │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_enable_safe_browsing_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Block Plugins by Default │ │ │ │ │ │ │ │ ocil:ssg-chromium_default_block_plugins_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable 3rd Party Cookies │ │ │ │ - │ │ │ │ - ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Prevent Desktop Notifications │ │ │ │ - │ │ │ │ - ocil:ssg-chromium_block_desktop_notifications_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Disable Chromium's Ability to Traverse Firewalls │ │ │ │ + │ │ │ │ + Disable All Plugins by Default │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_plugin_blacklist_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Popups │ │ │ │ + │ │ │ │ + Disable Incognito Mode │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_popups_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_incognito_mode_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable the Default Search Provider │ │ │ │ + │ │ │ │ + Enable Only Approved Extensions │ │ │ │ │ │ │ │ - 
ocil:ssg-chromium_default_search_provider_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_extension_whitelist_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Disable Outdated Plugins │ │ │ │ │ │ │ │ ocil:ssg-chromium_disable_outdated_plugins_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Only Approved Extensions │ │ │ │ - │ │ │ │ - ocil:ssg-chromium_extension_whitelist_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Enable Only Approved Plugins │ │ │ │ + │ │ │ │ + Disable Cloud Print Sharing │ │ │ │ │ │ │ │ - ocil:ssg-chromium_enable_approved_plugins_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Automatic Search And Installation of Plugins │ │ │ │ + │ │ │ │ + Disable Background Processing │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_automatic_installation_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_background_processing_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Metrics Reporting │ │ │ │ + │ │ │ │ + Enable Saving the Browser History │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_enable_browser_history_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure the Chromium Policy Configuration File Exists │ │ │ │ + │ │ │ │ + Set Chromium's HTTP Authentication Scheme │ │ │ │ │ │ │ │ - ocil:ssg-chromium_policy_file_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_http_authentication_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Online OCSP/CRL Certificate Checks │ │ │ │ + │ │ │ │ + Disable Use of Cleartext Passwords │ │ │ │ │ │ │ │ - ocil:ssg-chromium_check_cert_revocation_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Incognito Mode │ │ │ │ + │ │ │ │ + Enable Plugins for Only Approved URLs │ │ │ │ │ │ │ │ - 
ocil:ssg-chromium_disable_incognito_mode_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Disable Location Tracking │ │ │ │ │ │ │ │ ocil:ssg-chromium_disallow_location_tracking_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Encrypted Searching │ │ │ │ + │ │ │ │ + Disable Data Synchronization to Google │ │ │ │ │ │ │ │ - ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_google_sync_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Chromium Password Manager │ │ │ │ + │ │ │ │ + Enable Encrypted Searching │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_password_manager_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Session Cookies │ │ │ │ + │ │ │ │ + Set the Default Search Provider's URL │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_session_cookies_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_default_search_provider_name_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Set the Default Home Page │ │ │ │ + │ │ │ │ + Disable the 3D Graphics APIs │ │ │ │ │ │ │ │ - ocil:ssg-chromium_trusted_home_page_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable All Plugins by Default │ │ │ │ + │ │ │ │ + Disable Insecure And Obsolete Protocol Schemas │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_plugin_blacklist_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Cloud Print Sharing │ │ │ │ + │ │ │ │ + Enable the Default Search Provider │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_default_search_provider_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Insecure And Obsolete Protocol Schemas │ │ │ 
│ + │ │ │ │ + Disable Search Suggestion │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_search_suggestions_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Require Outdated Plugins to be Authorized │ │ │ │ + │ │ │ │ + Disable Metrics Reporting │ │ │ │ │ │ │ │ - ocil:ssg-chromium_plugins_require_authorization_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Set the Default Search Provider's URL │ │ │ │ + │ │ │ │ + Disable Chromium's Ability to Traverse Firewalls │ │ │ │ │ │ │ │ - ocil:ssg-chromium_default_search_provider_name_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Plugins for Only Approved URLs │ │ │ │ + │ │ │ │ + Disable the AutoFill Feature │ │ │ │ │ │ │ │ - ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_autocomplete_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Saved Passwords │ │ │ │ + │ │ │ │ + Disable 3rd Party Cookies │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_saved_passwords_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Search Suggestion │ │ │ │ + │ │ │ │ + Enable Only Approved Plugins │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_search_suggestions_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_enable_approved_plugins_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Background Processing │ │ │ │ + │ │ │ │ + Set the Default Home Page │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_background_processing_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_trusted_home_page_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable the AutoFill Feature │ │ │ │ + │ │ │ │ + Enable Online OCSP/CRL Certificate Checks │ │ │ │ │ │ │ │ - 
ocil:ssg-chromium_disable_autocomplete_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_check_cert_revocation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Set Chromium's HTTP Authentication Scheme │ │ │ │ + │ │ │ │ + Disable Network Prediction │ │ │ │ │ │ │ │ - ocil:ssg-chromium_http_authentication_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_network_prediction_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Disable All Extensions by Default │ │ │ │ │ │ │ │ ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable the Safe Browsing Feature │ │ │ │ + │ │ │ │ + Ensure the Chromium Policy Configuration File Exists │ │ │ │ │ │ │ │ - ocil:ssg-chromium_enable_safe_browsing_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_policy_file_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Saving the Browser History │ │ │ │ + │ │ │ │ + Require Outdated Plugins to be Authorized │ │ │ │ │ │ │ │ - ocil:ssg-chromium_enable_browser_history_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_plugins_require_authorization_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Network Prediction │ │ │ │ + │ │ │ │ + Prevent Desktop Notifications │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_network_prediction_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_block_desktop_notifications_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Disable Popups │ │ │ │ + │ │ │ │ + ocil:ssg-chromium_disable_popups_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Disable Automatic Search And Installation of Plugins │ │ │ │ + │ │ │ │ + ocil:ssg-chromium_disable_automatic_installation_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Disable Session Cookies │ │ │ │ + │ │ │ │ + ocil:ssg-chromium_disable_session_cookies_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Disable Chromium Password Manager │ │ │ │ + │ │ │ │ + 
ocil:ssg-chromium_disable_password_manager_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ 
│ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that data synchronization is disabled, run the following command: │ │ │ │ -$ grep SyncDisabled /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"SyncDisabled": true, │ │ │ │ - Is it the case that it is not disabled? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that 3D graphics are disabled, run the following command: │ │ │ │ -$ grep Disable3DAPIs /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that importing passwords is disabled, run the following command: │ │ │ │ +$ grep ImportSavedPasswords /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"Disable3DAPIs": true, │ │ │ │ +"ImportSavedPasswords": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the use of cleartext passwords is disabled, run the following command: │ │ │ │ -$ grep PasswordManagerAllowShowPasswords /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that the safe browsing feature is enabled, run the following command: │ │ │ │ +$ grep SafeBrowsingEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"PasswordManagerAllowShowPasswords": false, │ │ │ │ - Is it the case that use of cleartext passwords are not disabled? │ │ │ │ +"SafeBrowsingEnabled": true, │ │ │ │ + Is it the case that it is not enabled? │ │ │ │ │ │ │ │ │ │ │ │ To verify that plugins cannot run automatically, run the following command: │ │ │ │ $ grep DefaultPluginsSetting /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "DefaultPluginsSetting": 3, │ │ │ │ Is it the case that it is not set correctly? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that third party cookies are disabled, run the following command: │ │ │ │ -$ grep BlockThirdPartyCookies /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"BlockThirdPartyCookies": true, │ │ │ │ - Is it the case that it is not disabled? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that desktop notification is │ │ │ │ -disabled, run the following command: │ │ │ │ -$ grep DefaultNotificationsSetting /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"DefaultNotificationsSetting": 2, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that Chromium's abililty to traverse the system firewall is │ │ │ │ -disabled, run the following command: │ │ │ │ -$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that all plugins are blacklisted, run the following command: │ │ │ │ +$ grep DisabledPlugins /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"RemoteAccessHostFirewallTraversal": false, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ +"DisabledPlugins": ["*"], │ │ │ │ + Is it the case that they are not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that pop-ups are disabled, run the following command: │ │ │ │ -$ grep DefaultPopupsSetting /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that incognito mode is disabled, run the following command: │ │ │ │ +$ grep IncognitoModeAvailability /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"DefaultPopupsSetting": 2, │ │ │ │ +"IncognitoModeAvailability": 1, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that users cannot change the default search provider, run the following command: │ │ │ │ -$ grep DefaultSearchProviderEnabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that approved extensions are whitelisted, run the following command: │ │ │ │ +$ grep ExtensionInstallWhitelist /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"DefaultSearchProviderEnabled": true, │ │ │ │ - Is it the case that it is not enabled? 
│ │ │ │ +"ExtensionInstallWhitelist": [""], │ │ │ │ + Is it the case that approved extensions are not set? │ │ │ │ │ │ │ │ │ │ │ │ To verify that outdated plugins are disabled, run the following command: │ │ │ │ $ grep AllowOutdatedPlugins /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "AllowOutdatedPlugins": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that approved extensions are whitelisted, run the following command: │ │ │ │ -$ grep ExtensionInstallWhitelist /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"ExtensionInstallWhitelist": [""], │ │ │ │ - Is it the case that approved extensions are not set? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that approved plugins are set, run the following command: │ │ │ │ -$ grep EnabledPlugins /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that the Cloud Print Sharing feature is disabled, run the following command: │ │ │ │ +$ grep CloudPrintProxyEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"EnabledPlugins": ["approved_plugin1", "approved_plugin2"], │ │ │ │ - Is it the case that no plugins exist or it is not set to none? │ │ │ │ +"CloudPrintProxyEnabled": false, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that plugins cannot be automatically installed, run the following command: │ │ │ │ -$ grep DisablePluginFinder /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that background processing is disabled, run the following command: │ │ │ │ +$ grep BackgroundModeEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"DisablePluginFinder": true, │ │ │ │ +"BackgroundModeEnabled": false, │ │ │ │ Is it the case that it is not disabled? 
│ │ │ │ │ │ │ │ - │ │ │ │ - To verify that metrics reporting is disabled, run the following command: │ │ │ │ -$ grep MetricsReportingEnabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that saving the browser history is enabled, run the following command: │ │ │ │ +$ grep SavingBrowserHistoryDisabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"MetricsReportingEnabled": false, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ +"SavingBrowserHistoryDisabled": false, │ │ │ │ + Is it the case that it is not enabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the Chromium policy file exists, run the following command: │ │ │ │ -$ ls /etc/chromium/policies/managed │ │ │ │ -The output should show file(s) ending in .json extension. │ │ │ │ -For example: │ │ │ │ -chrome-stig-policy.json │ │ │ │ - Is it the case that it does not exist or is not configured correctly? │ │ │ │ + │ │ │ │ + To verify that the HTTP Authentication Scheme is set, run the following command: │ │ │ │ +$ grep AuthSchemes /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"AuthSchemes": "", │ │ │ │ + Is it the case that it is not set? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that online OCSP/CRL checks are enabled, run the following command: │ │ │ │ -$ grep EnableOnlineRevocationChecks /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that the use of cleartext passwords is disabled, run the following command: │ │ │ │ +$ grep PasswordManagerAllowShowPasswords /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"EnableOnlineRevocationChecks": true, │ │ │ │ - Is it the case that it is not enabled? │ │ │ │ +"PasswordManagerAllowShowPasswords": false, │ │ │ │ + Is it the case that use of cleartext passwords are not disabled? 
│ │ │ │ │ │ │ │ - │ │ │ │ - To verify that incognito mode is disabled, run the following command: │ │ │ │ -$ grep IncognitoModeAvailability /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that plugins are allowed for only approved URLs, │ │ │ │ +run the following command: │ │ │ │ +$ grep PluginsAllowedForUrls /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"IncognitoModeAvailability": 1, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ +"PluginsAllowedForUrls": ["[*.]mil", "[*.]example.com", "www.example.com"], │ │ │ │ + Is it the case that no urls exist or it is not set to none? │ │ │ │ │ │ │ │ │ │ │ │ To verify that location tracking is disabled, run the following command: │ │ │ │ $ grep DefaultGeolocationSetting /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "DefaultGeolocationSetting": 2, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ + │ │ │ │ + To verify that data synchronization is disabled, run the following command: │ │ │ │ +$ grep SyncDisabled /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"SyncDisabled": true, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ │ │ │ │ To verify that the URL of the search engine is set, run the following command: │ │ │ │ $ grep DefaultSearchProviderSearchURL /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "DefaultSearchProviderSearchURL": "", │ │ │ │ Is it the case that it is not set? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the use of Password Manager is disabled, run the following command: │ │ │ │ -$ grep PasswordManagerEnabled /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"PasswordManagerEnabled": false, │ │ │ │ - Is it the case that it is not disabled? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that sessions cookies for approved sites only are enabled, │ │ │ │ -run the following command: │ │ │ │ -$ grep CookiesSessionOnlyForUrls /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"CookiesSessionOnlyForUrls": ["none"], │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that the defaut home page is set, run the following command: │ │ │ │ -$ grep HomepageLocation /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"HomepageLocation": "", │ │ │ │ - Is it the case that it is not set correctly? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that all plugins are blacklisted, run the following command: │ │ │ │ -$ grep DisabledPlugins /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that a default search provider is set, run the following command: │ │ │ │ +$ grep DefaultSearchProviderName /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"DisabledPlugins": ["*"], │ │ │ │ - Is it the case that they are not disabled? │ │ │ │ +"DefaultSearchProviderName": "", │ │ │ │ + Is it the case that a default search provider is not set? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the Cloud Print Sharing feature is disabled, run the following command: │ │ │ │ -$ grep CloudPrintProxyEnabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that 3D graphics are disabled, run the following command: │ │ │ │ +$ grep Disable3DAPIs /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"CloudPrintProxyEnabled": false, │ │ │ │ +"Disable3DAPIs": true, │ │ │ │ Is it the case that it is not disabled? 
│ │ │ │ │ │ │ │ │ │ │ │ To verify that data synchronization is disabled, run the following command: │ │ │ │ $ grep URLBlacklist /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "URLBlacklist": [""], │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that plugins require authorization to run, run the following command: │ │ │ │ -$ grep AlwaysAuthorizePlugins /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"AlwaysAuthorizePlugins": false, │ │ │ │ - Is it the case that it is not set? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that a default search provider is set, run the following command: │ │ │ │ -$ grep DefaultSearchProviderName /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"DefaultSearchProviderName": "", │ │ │ │ - Is it the case that a default search provider is not set? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that plugins are allowed for only approved URLs, │ │ │ │ -run the following command: │ │ │ │ -$ grep PluginsAllowedForUrls /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"PluginsAllowedForUrls": ["[*.]mil", "[*.]example.com", "www.example.com"], │ │ │ │ - Is it the case that no urls exist or it is not set to none? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that importing passwords is disabled, run the following command: │ │ │ │ -$ grep ImportSavedPasswords /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that users cannot change the default search provider, run the following command: │ │ │ │ +$ grep DefaultSearchProviderEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"ImportSavedPasswords": false, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ +"DefaultSearchProviderEnabled": true, │ │ │ │ + Is it the case that it is not enabled? 
│ │ │ │ │ │ │ │ │ │ │ │ To verify that search suggestion is disabled, run the following command: │ │ │ │ $ grep SearchSuggestEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "SearchSuggestEnabled": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that background processing is disabled, run the following command: │ │ │ │ -$ grep BackgroundModeEnabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that metrics reporting is disabled, run the following command: │ │ │ │ +$ grep MetricsReportingEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"BackgroundModeEnabled": false, │ │ │ │ +"MetricsReportingEnabled": false, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that Chromium's abililty to traverse the system firewall is │ │ │ │ +disabled, run the following command: │ │ │ │ +$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"RemoteAccessHostFirewallTraversal": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ │ │ │ │ To verify that the AutoFill feature is disabled, run the following command: │ │ │ │ $ grep AutoFillEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "AutoFillEnabled": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the HTTP Authentication Scheme is set, run the following command: │ │ │ │ -$ grep AuthSchemes /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that third party cookies are disabled, run the following command: │ │ │ │ +$ grep BlockThirdPartyCookies /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"AuthSchemes": "", │ │ │ │ - Is it the case that it is not set? 
│ │ │ │ +"BlockThirdPartyCookies": true, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that all extensions are blacklisted from installing, run the following command: │ │ │ │ -$ grep ExtensionInstallBlacklist /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that approved plugins are set, run the following command: │ │ │ │ +$ grep EnabledPlugins /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"ExtensionInstallBlacklist": ["*"], │ │ │ │ - Is it the case that extensions are not blacklisted? │ │ │ │ +"EnabledPlugins": ["approved_plugin1", "approved_plugin2"], │ │ │ │ + Is it the case that no plugins exist or it is not set to none? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the safe browsing feature is enabled, run the following command: │ │ │ │ -$ grep SafeBrowsingEnabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that the defaut home page is set, run the following command: │ │ │ │ +$ grep HomepageLocation /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"SafeBrowsingEnabled": true, │ │ │ │ - Is it the case that it is not enabled? │ │ │ │ +"HomepageLocation": "", │ │ │ │ + Is it the case that it is not set correctly? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that saving the browser history is enabled, run the following command: │ │ │ │ -$ grep SavingBrowserHistoryDisabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that online OCSP/CRL checks are enabled, run the following command: │ │ │ │ +$ grep EnableOnlineRevocationChecks /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"SavingBrowserHistoryDisabled": false, │ │ │ │ +"EnableOnlineRevocationChecks": true, │ │ │ │ Is it the case that it is not enabled? 
│ │ │ │ │ │ │ │ │ │ │ │ To verify that network prediction is disabled, run the following command: │ │ │ │ $ grep DnsPrefetchingEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "DnsPrefetchingEnabled": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ + │ │ │ │ + To verify that all extensions are blacklisted from installing, run the following command: │ │ │ │ +$ grep ExtensionInstallBlacklist /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"ExtensionInstallBlacklist": ["*"], │ │ │ │ + Is it the case that extensions are not blacklisted? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that the Chromium policy file exists, run the following command: │ │ │ │ +$ ls /etc/chromium/policies/managed │ │ │ │ +The output should show file(s) ending in .json extension. │ │ │ │ +For example: │ │ │ │ +chrome-stig-policy.json │ │ │ │ + Is it the case that it does not exist or is not configured correctly? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that plugins require authorization to run, run the following command: │ │ │ │ +$ grep AlwaysAuthorizePlugins /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"AlwaysAuthorizePlugins": false, │ │ │ │ + Is it the case that it is not set? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that desktop notification is │ │ │ │ +disabled, run the following command: │ │ │ │ +$ grep DefaultNotificationsSetting /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"DefaultNotificationsSetting": 2, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that pop-ups are disabled, run the following command: │ │ │ │ +$ grep DefaultPopupsSetting /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"DefaultPopupsSetting": 2, │ │ │ │ + Is it the case that it is not disabled? 
│ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that plugins cannot be automatically installed, run the following command: │ │ │ │ +$ grep DisablePluginFinder /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"DisablePluginFinder": true, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that sessions cookies for approved sites only are enabled, │ │ │ │ +run the following command: │ │ │ │ +$ grep CookiesSessionOnlyForUrls /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"CookiesSessionOnlyForUrls": ["none"], │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that the use of Password Manager is disabled, run the following command: │ │ │ │ +$ grep PasswordManagerEnabled /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"PasswordManagerEnabled": false, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ build_cpe.py from SCAP Security Guide │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ocil.xml │ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-chromium-ocil.xml │ │ │ │┄ Ordering differences only │ │ │ │ 
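Review bot: The rebuilt ssg-chromium-ds.xml differs from the reference build only in the order of the OCIL questionnaire and test-action elements (diffoscope marks the whole hunk as "Ordering differences only"), so the generator's output is not deterministic and the package cannot be verified bit-for-bit by an independent rebuild, which is the supply-chain property this report exists to check. The same `ocil:ssg-chromium_*_action:testaction:1` references appear on both sides with the same questions attached, just in a different sequence, which suggests unordered collection (set/dict or directory-listing order) somewhere in build_shorthand.py before the elements are written out; this is inferred, as the generator source is not on this page. The fix belongs upstream rather than in packaging: sort the collected rule or questionnaire ids with a stable key before emitting them, so element order no longer depends on the build environment. The 12-byte data.tar.xz size change in the file list and the md5sums difference in control.tar.xz both look like downstream effects of this reordering and would most likely disappear with it. The ssg-chromium-ocil.xml hunk that follows shows the same reordering but runs past the end of this chunk.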
@@ -3,795 +3,795 @@ │ │ │ │ │ │ │ │ build_shorthand.py from SCAP Security Guide │ │ │ │ ssg: 0.1.76 │ │ │ │ 2.0 │ │ │ │ 2025-03-01T08:08:00 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Data Synchronization to Google │ │ │ │ - │ │ │ │ - ocil:ssg-chromium_disable_google_sync_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Disable the 3D Graphics APIs │ │ │ │ + │ │ │ │ + Disable Saved Passwords │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_saved_passwords_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Use of Cleartext Passwords │ │ │ │ + │ │ │ │ + Enable the Safe Browsing Feature │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_enable_safe_browsing_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Block Plugins by Default │ │ │ │ │ │ │ │ ocil:ssg-chromium_default_block_plugins_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable 3rd Party Cookies │ │ │ │ - │ │ │ │ - ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Prevent Desktop Notifications │ │ │ │ - │ │ │ │ - ocil:ssg-chromium_block_desktop_notifications_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Disable Chromium's Ability to Traverse Firewalls │ │ │ │ + │ │ │ │ + Disable All Plugins by Default │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_plugin_blacklist_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Popups │ │ │ │ + │ │ │ │ + Disable Incognito Mode │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_popups_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_incognito_mode_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable the Default Search Provider │ │ │ │ + │ │ │ │ + Enable Only Approved Extensions │ │ │ │ │ │ │ │ - 
ocil:ssg-chromium_default_search_provider_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_extension_whitelist_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Disable Outdated Plugins │ │ │ │ │ │ │ │ ocil:ssg-chromium_disable_outdated_plugins_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Only Approved Extensions │ │ │ │ - │ │ │ │ - ocil:ssg-chromium_extension_whitelist_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Enable Only Approved Plugins │ │ │ │ + │ │ │ │ + Disable Cloud Print Sharing │ │ │ │ │ │ │ │ - ocil:ssg-chromium_enable_approved_plugins_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Automatic Search And Installation of Plugins │ │ │ │ + │ │ │ │ + Disable Background Processing │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_automatic_installation_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_background_processing_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Metrics Reporting │ │ │ │ + │ │ │ │ + Enable Saving the Browser History │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_enable_browser_history_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure the Chromium Policy Configuration File Exists │ │ │ │ + │ │ │ │ + Set Chromium's HTTP Authentication Scheme │ │ │ │ │ │ │ │ - ocil:ssg-chromium_policy_file_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_http_authentication_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Online OCSP/CRL Certificate Checks │ │ │ │ + │ │ │ │ + Disable Use of Cleartext Passwords │ │ │ │ │ │ │ │ - ocil:ssg-chromium_check_cert_revocation_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Incognito Mode │ │ │ │ + │ │ │ │ + Enable Plugins for Only Approved URLs │ │ │ │ │ │ │ │ - 
ocil:ssg-chromium_disable_incognito_mode_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Disable Location Tracking │ │ │ │ │ │ │ │ ocil:ssg-chromium_disallow_location_tracking_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Encrypted Searching │ │ │ │ + │ │ │ │ + Disable Data Synchronization to Google │ │ │ │ │ │ │ │ - ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_google_sync_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Chromium Password Manager │ │ │ │ + │ │ │ │ + Enable Encrypted Searching │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_password_manager_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_enable_encrypted_searching_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Session Cookies │ │ │ │ + │ │ │ │ + Set the Default Search Provider's URL │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_session_cookies_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_default_search_provider_name_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Set the Default Home Page │ │ │ │ + │ │ │ │ + Disable the 3D Graphics APIs │ │ │ │ │ │ │ │ - ocil:ssg-chromium_trusted_home_page_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_3d_graphics_api_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable All Plugins by Default │ │ │ │ + │ │ │ │ + Disable Insecure And Obsolete Protocol Schemas │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_plugin_blacklist_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Cloud Print Sharing │ │ │ │ + │ │ │ │ + Enable the Default Search Provider │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_default_search_provider_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Insecure And Obsolete Protocol Schemas │ │ │ 
│ + │ │ │ │ + Disable Search Suggestion │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_search_suggestions_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Require Outdated Plugins to be Authorized │ │ │ │ + │ │ │ │ + Disable Metrics Reporting │ │ │ │ │ │ │ │ - ocil:ssg-chromium_plugins_require_authorization_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Set the Default Search Provider's URL │ │ │ │ + │ │ │ │ + Disable Chromium's Ability to Traverse Firewalls │ │ │ │ │ │ │ │ - ocil:ssg-chromium_default_search_provider_name_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_firewall_traversal_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Plugins for Only Approved URLs │ │ │ │ + │ │ │ │ + Disable the AutoFill Feature │ │ │ │ │ │ │ │ - ocil:ssg-chromium_whitelist_plugin_urls_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_autocomplete_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Saved Passwords │ │ │ │ + │ │ │ │ + Disable 3rd Party Cookies │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_saved_passwords_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Search Suggestion │ │ │ │ + │ │ │ │ + Enable Only Approved Plugins │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_search_suggestions_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_enable_approved_plugins_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Background Processing │ │ │ │ + │ │ │ │ + Set the Default Home Page │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_background_processing_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_trusted_home_page_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable the AutoFill Feature │ │ │ │ + │ │ │ │ + Enable Online OCSP/CRL Certificate Checks │ │ │ │ │ │ │ │ - 
ocil:ssg-chromium_disable_autocomplete_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_check_cert_revocation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Set Chromium's HTTP Authentication Scheme │ │ │ │ + │ │ │ │ + Disable Network Prediction │ │ │ │ │ │ │ │ - ocil:ssg-chromium_http_authentication_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_disable_network_prediction_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Disable All Extensions by Default │ │ │ │ │ │ │ │ ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable the Safe Browsing Feature │ │ │ │ + │ │ │ │ + Ensure the Chromium Policy Configuration File Exists │ │ │ │ │ │ │ │ - ocil:ssg-chromium_enable_safe_browsing_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_policy_file_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Saving the Browser History │ │ │ │ + │ │ │ │ + Require Outdated Plugins to be Authorized │ │ │ │ │ │ │ │ - ocil:ssg-chromium_enable_browser_history_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_plugins_require_authorization_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Network Prediction │ │ │ │ + │ │ │ │ + Prevent Desktop Notifications │ │ │ │ │ │ │ │ - ocil:ssg-chromium_disable_network_prediction_action:testaction:1 │ │ │ │ + ocil:ssg-chromium_block_desktop_notifications_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Disable Popups │ │ │ │ + │ │ │ │ + ocil:ssg-chromium_disable_popups_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Disable Automatic Search And Installation of Plugins │ │ │ │ + │ │ │ │ + ocil:ssg-chromium_disable_automatic_installation_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Disable Session Cookies │ │ │ │ + │ │ │ │ + ocil:ssg-chromium_disable_session_cookies_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Disable Chromium Password Manager │ │ │ │ + │ │ │ │ + 
ocil:ssg-chromium_disable_password_manager_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ 
│ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that data synchronization is disabled, run the following command: │ │ │ │ -$ grep SyncDisabled /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"SyncDisabled": true, │ │ │ │ - Is it the case that it is not disabled? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that 3D graphics are disabled, run the following command: │ │ │ │ -$ grep Disable3DAPIs /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that importing passwords is disabled, run the following command: │ │ │ │ +$ grep ImportSavedPasswords /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"Disable3DAPIs": true, │ │ │ │ +"ImportSavedPasswords": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the use of cleartext passwords is disabled, run the following command: │ │ │ │ -$ grep PasswordManagerAllowShowPasswords /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that the safe browsing feature is enabled, run the following command: │ │ │ │ +$ grep SafeBrowsingEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"PasswordManagerAllowShowPasswords": false, │ │ │ │ - Is it the case that use of cleartext passwords are not disabled? │ │ │ │ +"SafeBrowsingEnabled": true, │ │ │ │ + Is it the case that it is not enabled? │ │ │ │ │ │ │ │ │ │ │ │ To verify that plugins cannot run automatically, run the following command: │ │ │ │ $ grep DefaultPluginsSetting /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "DefaultPluginsSetting": 3, │ │ │ │ Is it the case that it is not set correctly? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that third party cookies are disabled, run the following command: │ │ │ │ -$ grep BlockThirdPartyCookies /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"BlockThirdPartyCookies": true, │ │ │ │ - Is it the case that it is not disabled? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that desktop notification is │ │ │ │ -disabled, run the following command: │ │ │ │ -$ grep DefaultNotificationsSetting /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"DefaultNotificationsSetting": 2, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that Chromium's abililty to traverse the system firewall is │ │ │ │ -disabled, run the following command: │ │ │ │ -$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that all plugins are blacklisted, run the following command: │ │ │ │ +$ grep DisabledPlugins /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"RemoteAccessHostFirewallTraversal": false, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ +"DisabledPlugins": ["*"], │ │ │ │ + Is it the case that they are not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that pop-ups are disabled, run the following command: │ │ │ │ -$ grep DefaultPopupsSetting /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that incognito mode is disabled, run the following command: │ │ │ │ +$ grep IncognitoModeAvailability /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"DefaultPopupsSetting": 2, │ │ │ │ +"IncognitoModeAvailability": 1, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that users cannot change the default search provider, run the following command: │ │ │ │ -$ grep DefaultSearchProviderEnabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that approved extensions are whitelisted, run the following command: │ │ │ │ +$ grep ExtensionInstallWhitelist /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"DefaultSearchProviderEnabled": true, │ │ │ │ - Is it the case that it is not enabled? 
│ │ │ │ +"ExtensionInstallWhitelist": [""], │ │ │ │ + Is it the case that approved extensions are not set? │ │ │ │ │ │ │ │ │ │ │ │ To verify that outdated plugins are disabled, run the following command: │ │ │ │ $ grep AllowOutdatedPlugins /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "AllowOutdatedPlugins": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that approved extensions are whitelisted, run the following command: │ │ │ │ -$ grep ExtensionInstallWhitelist /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"ExtensionInstallWhitelist": [""], │ │ │ │ - Is it the case that approved extensions are not set? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that approved plugins are set, run the following command: │ │ │ │ -$ grep EnabledPlugins /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that the Cloud Print Sharing feature is disabled, run the following command: │ │ │ │ +$ grep CloudPrintProxyEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"EnabledPlugins": ["approved_plugin1", "approved_plugin2"], │ │ │ │ - Is it the case that no plugins exist or it is not set to none? │ │ │ │ +"CloudPrintProxyEnabled": false, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that plugins cannot be automatically installed, run the following command: │ │ │ │ -$ grep DisablePluginFinder /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that background processing is disabled, run the following command: │ │ │ │ +$ grep BackgroundModeEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"DisablePluginFinder": true, │ │ │ │ +"BackgroundModeEnabled": false, │ │ │ │ Is it the case that it is not disabled? 
│ │ │ │ │ │ │ │ - │ │ │ │ - To verify that metrics reporting is disabled, run the following command: │ │ │ │ -$ grep MetricsReportingEnabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that saving the browser history is enabled, run the following command: │ │ │ │ +$ grep SavingBrowserHistoryDisabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"MetricsReportingEnabled": false, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ +"SavingBrowserHistoryDisabled": false, │ │ │ │ + Is it the case that it is not enabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the Chromium policy file exists, run the following command: │ │ │ │ -$ ls /etc/chromium/policies/managed │ │ │ │ -The output should show file(s) ending in .json extension. │ │ │ │ -For example: │ │ │ │ -chrome-stig-policy.json │ │ │ │ - Is it the case that it does not exist or is not configured correctly? │ │ │ │ + │ │ │ │ + To verify that the HTTP Authentication Scheme is set, run the following command: │ │ │ │ +$ grep AuthSchemes /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"AuthSchemes": "", │ │ │ │ + Is it the case that it is not set? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that online OCSP/CRL checks are enabled, run the following command: │ │ │ │ -$ grep EnableOnlineRevocationChecks /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that the use of cleartext passwords is disabled, run the following command: │ │ │ │ +$ grep PasswordManagerAllowShowPasswords /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"EnableOnlineRevocationChecks": true, │ │ │ │ - Is it the case that it is not enabled? │ │ │ │ +"PasswordManagerAllowShowPasswords": false, │ │ │ │ + Is it the case that use of cleartext passwords are not disabled? 
│ │ │ │ │ │ │ │ - │ │ │ │ - To verify that incognito mode is disabled, run the following command: │ │ │ │ -$ grep IncognitoModeAvailability /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that plugins are allowed for only approved URLs, │ │ │ │ +run the following command: │ │ │ │ +$ grep PluginsAllowedForUrls /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"IncognitoModeAvailability": 1, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ +"PluginsAllowedForUrls": ["[*.]mil", "[*.]example.com", "www.example.com"], │ │ │ │ + Is it the case that no urls exist or it is not set to none? │ │ │ │ │ │ │ │ │ │ │ │ To verify that location tracking is disabled, run the following command: │ │ │ │ $ grep DefaultGeolocationSetting /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "DefaultGeolocationSetting": 2, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ + │ │ │ │ + To verify that data synchronization is disabled, run the following command: │ │ │ │ +$ grep SyncDisabled /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"SyncDisabled": true, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ │ │ │ │ To verify that the URL of the search engine is set, run the following command: │ │ │ │ $ grep DefaultSearchProviderSearchURL /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "DefaultSearchProviderSearchURL": "", │ │ │ │ Is it the case that it is not set? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the use of Password Manager is disabled, run the following command: │ │ │ │ -$ grep PasswordManagerEnabled /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"PasswordManagerEnabled": false, │ │ │ │ - Is it the case that it is not disabled? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that sessions cookies for approved sites only are enabled, │ │ │ │ -run the following command: │ │ │ │ -$ grep CookiesSessionOnlyForUrls /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"CookiesSessionOnlyForUrls": ["none"], │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that the defaut home page is set, run the following command: │ │ │ │ -$ grep HomepageLocation /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"HomepageLocation": "", │ │ │ │ - Is it the case that it is not set correctly? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that all plugins are blacklisted, run the following command: │ │ │ │ -$ grep DisabledPlugins /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that a default search provider is set, run the following command: │ │ │ │ +$ grep DefaultSearchProviderName /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"DisabledPlugins": ["*"], │ │ │ │ - Is it the case that they are not disabled? │ │ │ │ +"DefaultSearchProviderName": "", │ │ │ │ + Is it the case that a default search provider is not set? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the Cloud Print Sharing feature is disabled, run the following command: │ │ │ │ -$ grep CloudPrintProxyEnabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that 3D graphics are disabled, run the following command: │ │ │ │ +$ grep Disable3DAPIs /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"CloudPrintProxyEnabled": false, │ │ │ │ +"Disable3DAPIs": true, │ │ │ │ Is it the case that it is not disabled? 
│ │ │ │ │ │ │ │ │ │ │ │ To verify that data synchronization is disabled, run the following command: │ │ │ │ $ grep URLBlacklist /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "URLBlacklist": [""], │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that plugins require authorization to run, run the following command: │ │ │ │ -$ grep AlwaysAuthorizePlugins /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"AlwaysAuthorizePlugins": false, │ │ │ │ - Is it the case that it is not set? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that a default search provider is set, run the following command: │ │ │ │ -$ grep DefaultSearchProviderName /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"DefaultSearchProviderName": "", │ │ │ │ - Is it the case that a default search provider is not set? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that plugins are allowed for only approved URLs, │ │ │ │ -run the following command: │ │ │ │ -$ grep PluginsAllowedForUrls /etc/chromium/policies/managed/*.json │ │ │ │ -The output should contain: │ │ │ │ -"PluginsAllowedForUrls": ["[*.]mil", "[*.]example.com", "www.example.com"], │ │ │ │ - Is it the case that no urls exist or it is not set to none? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that importing passwords is disabled, run the following command: │ │ │ │ -$ grep ImportSavedPasswords /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that users cannot change the default search provider, run the following command: │ │ │ │ +$ grep DefaultSearchProviderEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"ImportSavedPasswords": false, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ +"DefaultSearchProviderEnabled": true, │ │ │ │ + Is it the case that it is not enabled? 
│ │ │ │ │ │ │ │ │ │ │ │ To verify that search suggestion is disabled, run the following command: │ │ │ │ $ grep SearchSuggestEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "SearchSuggestEnabled": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that background processing is disabled, run the following command: │ │ │ │ -$ grep BackgroundModeEnabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that metrics reporting is disabled, run the following command: │ │ │ │ +$ grep MetricsReportingEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"BackgroundModeEnabled": false, │ │ │ │ +"MetricsReportingEnabled": false, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that Chromium's abililty to traverse the system firewall is │ │ │ │ +disabled, run the following command: │ │ │ │ +$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"RemoteAccessHostFirewallTraversal": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ │ │ │ │ To verify that the AutoFill feature is disabled, run the following command: │ │ │ │ $ grep AutoFillEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "AutoFillEnabled": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the HTTP Authentication Scheme is set, run the following command: │ │ │ │ -$ grep AuthSchemes /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that third party cookies are disabled, run the following command: │ │ │ │ +$ grep BlockThirdPartyCookies /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"AuthSchemes": "", │ │ │ │ - Is it the case that it is not set? 
│ │ │ │ +"BlockThirdPartyCookies": true, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that all extensions are blacklisted from installing, run the following command: │ │ │ │ -$ grep ExtensionInstallBlacklist /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that approved plugins are set, run the following command: │ │ │ │ +$ grep EnabledPlugins /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"ExtensionInstallBlacklist": ["*"], │ │ │ │ - Is it the case that extensions are not blacklisted? │ │ │ │ +"EnabledPlugins": ["approved_plugin1", "approved_plugin2"], │ │ │ │ + Is it the case that no plugins exist or it is not set to none? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the safe browsing feature is enabled, run the following command: │ │ │ │ -$ grep SafeBrowsingEnabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that the defaut home page is set, run the following command: │ │ │ │ +$ grep HomepageLocation /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"SafeBrowsingEnabled": true, │ │ │ │ - Is it the case that it is not enabled? │ │ │ │ +"HomepageLocation": "", │ │ │ │ + Is it the case that it is not set correctly? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that saving the browser history is enabled, run the following command: │ │ │ │ -$ grep SavingBrowserHistoryDisabled /etc/chromium/policies/managed/*.json │ │ │ │ + │ │ │ │ + To verify that online OCSP/CRL checks are enabled, run the following command: │ │ │ │ +$ grep EnableOnlineRevocationChecks /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ -"SavingBrowserHistoryDisabled": false, │ │ │ │ +"EnableOnlineRevocationChecks": true, │ │ │ │ Is it the case that it is not enabled? 
│ │ │ │ │ │ │ │ │ │ │ │ To verify that network prediction is disabled, run the following command: │ │ │ │ $ grep DnsPrefetchingEnabled /etc/chromium/policies/managed/*.json │ │ │ │ The output should contain: │ │ │ │ "DnsPrefetchingEnabled": false, │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ + │ │ │ │ + To verify that all extensions are blacklisted from installing, run the following command: │ │ │ │ +$ grep ExtensionInstallBlacklist /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"ExtensionInstallBlacklist": ["*"], │ │ │ │ + Is it the case that extensions are not blacklisted? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that the Chromium policy file exists, run the following command: │ │ │ │ +$ ls /etc/chromium/policies/managed │ │ │ │ +The output should show file(s) ending in .json extension. │ │ │ │ +For example: │ │ │ │ +chrome-stig-policy.json │ │ │ │ + Is it the case that it does not exist or is not configured correctly? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that plugins require authorization to run, run the following command: │ │ │ │ +$ grep AlwaysAuthorizePlugins /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"AlwaysAuthorizePlugins": false, │ │ │ │ + Is it the case that it is not set? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that desktop notification is │ │ │ │ +disabled, run the following command: │ │ │ │ +$ grep DefaultNotificationsSetting /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"DefaultNotificationsSetting": 2, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that pop-ups are disabled, run the following command: │ │ │ │ +$ grep DefaultPopupsSetting /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"DefaultPopupsSetting": 2, │ │ │ │ + Is it the case that it is not disabled? 
│ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that plugins cannot be automatically installed, run the following command: │ │ │ │ +$ grep DisablePluginFinder /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"DisablePluginFinder": true, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that sessions cookies for approved sites only are enabled, │ │ │ │ +run the following command: │ │ │ │ +$ grep CookiesSessionOnlyForUrls /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"CookiesSessionOnlyForUrls": ["none"], │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that the use of Password Manager is disabled, run the following command: │ │ │ │ +$ grep PasswordManagerEnabled /etc/chromium/policies/managed/*.json │ │ │ │ +The output should contain: │ │ │ │ +"PasswordManagerEnabled": false, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ │ │ │ │ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ds.xml │ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ds.xml │ │ │ │┄ Ordering differences only │ │ │ │ 
@@ -2175,703 +2175,572 @@ │ │ │ │ │ │ │ │ build_shorthand.py from SCAP Security Guide │ │ │ │ ssg: 0.1.76 │ │ │ │ 2.0 │ │ │ │ 2025-03-01T08:08:00 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Minimize user access to Amazon ECR │ │ │ │ - │ │ │ │ - ocil:ssg-registry_access_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Use Dedicated Service Accounts │ │ │ │ - │ │ │ │ - ocil:ssg-dedicated_service_accounts_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - kubelet - Enable Protect Kernel Defaults │ │ │ │ + │ │ │ │ + kubelet - Configure the Client CA Certificate │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_configure_client_ca_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify Permissions on the Worker Kubeconfig File │ │ │ │ + │ │ │ │ + kubelet - Enable Client Certificate Rotation │ │ │ │ │ │ │ │ - ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure Audit Logging is Enabled │ │ │ │ + │ │ │ │ + Verify User Who Owns The Kubelet Configuration File │ │ │ │ │ │ │ │ - ocil:ssg-audit_logging_action:testaction:1 │ │ │ │ + ocil:ssg-file_owner_kubelet_conf_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Ensure that the --read-only-port is secured │ │ │ │ + │ │ │ │ + kubelet - Do Not Disable Streaming Timeouts │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_read_only_port_secured_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure Private Endpoint Access │ │ │ │ + │ │ │ │ + Verify Group Who Owns The Worker Kubeconfig File │ │ │ │ │ │ │ │ - ocil:ssg-endpoint_configuration_action:testaction:1 │ │ │ │ + ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure Kubernetes Secrets are Encrypted │ │ │ │ + │ │ │ │ + 
Ensure Cluster Service Account with read-only access to Amazon ECR │ │ │ │ │ │ │ │ - ocil:ssg-secret_encryption_action:testaction:1 │ │ │ │ + ocil:ssg-read_only_registry_access_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Allow Automatic Firewall Configuration │ │ │ │ + │ │ │ │ + Verify Group Who Owns The Kubelet Configuration File │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1 │ │ │ │ + ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify User Who Owns The Worker Kubeconfig File │ │ │ │ + │ │ │ │ + Verify Permissions on the Worker Kubeconfig File │ │ │ │ │ │ │ │ - ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1 │ │ │ │ + ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Enable Server Certificate Rotation │ │ │ │ + │ │ │ │ + Manage Users with AWS IAM │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1 │ │ │ │ + ocil:ssg-iam_integration_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify Group Who Owns The Kubelet Configuration File │ │ │ │ + │ │ │ │ + kubelet - Enable Certificate Rotation │ │ │ │ │ │ │ │ - ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Consider Fargate for Untrusted Workloads │ │ │ │ │ │ │ │ ocil:ssg-fargate_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure that application Namespaces have Network Policies defined. 
│ │ │ │ + │ │ │ │ + Ensure Kubernetes Secrets are Encrypted │ │ │ │ │ │ │ │ - ocil:ssg-configure_network_policies_namespaces_action:testaction:1 │ │ │ │ + ocil:ssg-secret_encryption_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify Group Who Owns The Worker Kubeconfig File │ │ │ │ + │ │ │ │ + kubelet - Enable Server Certificate Rotation │ │ │ │ │ │ │ │ - ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Anonymous Authentication to the Kubelet │ │ │ │ + │ │ │ │ + Restrict Access to the Control Plane Endpoint │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_anonymous_auth_action:testaction:1 │ │ │ │ + ocil:ssg-control_plane_access_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Manage Users with AWS IAM │ │ │ │ + │ │ │ │ + Ensure Network Policy is Enabled │ │ │ │ │ │ │ │ - ocil:ssg-iam_integration_action:testaction:1 │ │ │ │ + ocil:ssg-configure_network_policy_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Ensure Cluster Private Nodes │ │ │ │ │ │ │ │ ocil:ssg-private_nodes_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Configure the Client CA Certificate │ │ │ │ + │ │ │ │ + kubelet - Do Not Disable Streaming Timeouts │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_configure_client_ca_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure authorization is set to Webhook │ │ │ │ + │ │ │ │ + Minimize user access to Amazon ECR │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_authorization_mode_action:testaction:1 │ │ │ │ + ocil:ssg-registry_access_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Encrypt Traffic to Load Balancers and Workloads │ │ │ │ + │ │ │ │ + Only use approved container registries │ │ │ │ │ │ │ │ - ocil:ssg-configure_tls_action:testaction:1 │ │ │ │ + ocil:ssg-approved_registries_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ 
│ │ - Ensure Network Policy is Enabled │ │ │ │ + │ │ │ │ + kubelet - Ensure that the --read-only-port is secured │ │ │ │ │ │ │ │ - ocil:ssg-configure_network_policy_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_read_only_port_secured_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify User Who Owns The Kubelet Configuration File │ │ │ │ + │ │ │ │ + Verify User Who Owns The Worker Kubeconfig File │ │ │ │ │ │ │ │ - ocil:ssg-file_owner_kubelet_conf_action:testaction:1 │ │ │ │ + ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Only use approved container registries │ │ │ │ + │ │ │ │ + Ensure Image Vulnerability Scanning │ │ │ │ │ │ │ │ - ocil:ssg-approved_registries_action:testaction:1 │ │ │ │ + ocil:ssg-image_scanning_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Do Not Disable Streaming Timeouts │ │ │ │ + │ │ │ │ + kubelet - Allow Automatic Firewall Configuration │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure Image Vulnerability Scanning │ │ │ │ + │ │ │ │ + Ensure that application Namespaces have Network Policies defined. 
│ │ │ │ │ │ │ │ - ocil:ssg-image_scanning_action:testaction:1 │ │ │ │ + ocil:ssg-configure_network_policies_namespaces_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure Cluster Service Account with read-only access to Amazon ECR │ │ │ │ + │ │ │ │ + Disable Anonymous Authentication to the Kubelet │ │ │ │ │ │ │ │ - ocil:ssg-read_only_registry_access_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_anonymous_auth_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Enable Certificate Rotation │ │ │ │ + │ │ │ │ + Verify Permissions on The Kubelet Configuration File │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1 │ │ │ │ + ocil:ssg-file_permissions_kubelet_conf_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Do Not Disable Streaming Timeouts │ │ │ │ + │ │ │ │ + Ensure Private Endpoint Access │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1 │ │ │ │ + ocil:ssg-endpoint_configuration_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Enable Client Certificate Rotation │ │ │ │ + │ │ │ │ + Ensure Audit Logging is Enabled │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1 │ │ │ │ + ocil:ssg-audit_logging_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify Permissions on The Kubelet Configuration File │ │ │ │ + │ │ │ │ + Encrypt Traffic to Load Balancers and Workloads │ │ │ │ │ │ │ │ - ocil:ssg-file_permissions_kubelet_conf_action:testaction:1 │ │ │ │ + ocil:ssg-configure_tls_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Restrict Access to the Control Plane Endpoint │ │ │ │ + │ │ │ │ + Use Dedicated Service Accounts │ │ │ │ │ │ │ │ - ocil:ssg-control_plane_access_action:testaction:1 │ │ │ │ + ocil:ssg-dedicated_service_accounts_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + kubelet - Enable Protect Kernel Defaults │ │ │ │ + │ │ │ │ + 
ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Ensure authorization is set to Webhook │ │ │ │ + │ │ │ │ + ocil:ssg-kubelet_authorization_mode_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ 
│ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Remediation: │ │ │ │ - │ │ │ │ -Before you use IAM to manage access to Amazon ECR, you should understand what │ │ │ │ -IAM features are available to use with Amazon ECR. To get a high-level view │ │ │ │ -of how Amazon ECR and other AWS services work with IAM, see AWS Services That │ │ │ │ -Work with IAM in the IAM User Guide. │ │ │ │ - │ │ │ │ -Topics │ │ │ │ - │ │ │ │ - │ │ │ │ -Amazon ECR Identity-Based Policies │ │ │ │ -Amazon ECR Resource-Based Policies │ │ │ │ -Authorization Based on Amazon ECR Tags │ │ │ │ -Amazon ECR IAM Roles │ │ │ │ - │ │ │ │ - │ │ │ │ -Amazon ECR Identity-Based Policies │ │ │ │ - │ │ │ │ -With IAM identity-based policies, you can specify allowed or denied actions │ │ │ │ -and resources as well as the conditions under which actions are allowed or │ │ │ │ -denied. Amazon ECR supports specific actions, resources, and condition keys. 
│ │ │ │ -To learn about all of the elements that you use in a JSON policy, see IAM │ │ │ │ -JSON Policy Elements Reference in the IAM User Guide. │ │ │ │ - │ │ │ │ -Actions │ │ │ │ - │ │ │ │ -The Action element of an IAM identity-based policy describes the specific │ │ │ │ -action or actions that will be allowed or denied by the policy. Policy │ │ │ │ -actions usually have the same name as the associated AWS API operation. The │ │ │ │ -action is used in a policy to grant permissions to perform the associated │ │ │ │ -operation. │ │ │ │ - │ │ │ │ -Policy actions in Amazon ECR use the following prefix before the action: │ │ │ │ -ecr:. For example, to grant someone permission to create an Amazon ECR │ │ │ │ -repository with the Amazon ECR CreateRepository API operation, you include │ │ │ │ -the ecr:CreateRepository action in their policy. Policy statements must │ │ │ │ -include either an Action or NotAction element. Amazon ECR defines its own set │ │ │ │ -of actions that describe tasks that you can perform with this service. To │ │ │ │ -specify multiple actions in a single statement, separate them with commas as │ │ │ │ -follows: "Action": [ "ecr:action1", "ecr:action2" You can specify │ │ │ │ -multiple actions using wildcards (*). For example, to specify all │ │ │ │ -actions that begin with the word Describe, include the following action: │ │ │ │ -"Action": "ecr:Describe*" To see a list of Amazon ECR actions, see │ │ │ │ -Actions, Resources, and Condition Keys for Amazon Elastic Container │ │ │ │ -Registry in the IAM User Guide. │ │ │ │ - │ │ │ │ -Resources │ │ │ │ - │ │ │ │ -The Resource element specifies the object or objects to which the action │ │ │ │ -applies. Statements must include either a Resource or a NotResource element. │ │ │ │ -You specify a resource using an ARN or using the wildcard (*) to │ │ │ │ -indicate that the statement applies to all resources. 
│ │ │ │ - │ │ │ │ -An Amazon ECR repository resource has the following ARN: │ │ │ │ -arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name} │ │ │ │ -For more information about the format of ARNs, see Amazon Resource Names │ │ │ │ -(ARNs) and AWS Service Namespaces. │ │ │ │ -For example, to specify the my-repo repository in the us-east-1 Region in │ │ │ │ -your statement, use the following ARN: │ │ │ │ -"Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-repo" │ │ │ │ -To specify all repositories that belong to a specific account, use the │ │ │ │ -wildcard (*): "Resource": │ │ │ │ -"arn:aws:ecr:us-east-1:123456789012:repository/*" │ │ │ │ -To specify multiple resources in a single statement, separate the ARNs with │ │ │ │ -commas. "Resource": [ "resource1", "resource2" │ │ │ │ -To see a list of Amazon ECR resource types and their ARNs, see Resources │ │ │ │ -Defined by Amazon Elastic Container Registry in the IAM User Guide. To learn │ │ │ │ -with which actions you can specify the ARN of each resource, see Actions │ │ │ │ -Defined by Amazon Elastic Container Registry. │ │ │ │ - │ │ │ │ -Condition Keys │ │ │ │ - │ │ │ │ -The Condition element (or Condition block) lets you specify conditions in │ │ │ │ -which a statement is in effect. The Condition element is optional. You can │ │ │ │ -build conditional expressions that use condition operators, such as equals or │ │ │ │ -less than, to match the condition in the policy with values in the request. │ │ │ │ -If you specify multiple Condition elements in a statement, or multiple keys │ │ │ │ -in a single Condition element, AWS evaluates them using a logical AND │ │ │ │ -operation. If you specify multiple values for a single condition key, AWS │ │ │ │ -evaluates the condition using a logical OR operation. All of the conditions │ │ │ │ -must be met before the statement's permissions are granted. │ │ │ │ -You can also use placeholder variables when you specify conditions. 
For │ │ │ │ -example, you can grant an IAM user permission to access a resource only if it │ │ │ │ -is tagged with their IAM user name. For more information, see IAM Policy │ │ │ │ -Elements: Variables and Tags in the IAM User Guide. │ │ │ │ -Amazon ECR defines its own set of condition keys and also supports using some global │ │ │ │ -condition keys. To see all AWS global condition keys, see AWS Global Condition Context │ │ │ │ -Keys in the IAM User Guide. │ │ │ │ -Most Amazon ECR actions support the aws:ResourceTag and ecr:ResourceTag │ │ │ │ -condition keys. For more information, see Using Tag-Based Access Control. To │ │ │ │ -see a list of Amazon ECR condition keys, see Condition Keys Defined by Amazon │ │ │ │ -Elastic Container Registry in the IAM User Guide. To learn with which actions │ │ │ │ -and resources you can use a condition key, see Actions Defined by Amazon │ │ │ │ -Elastic Container Registry. │ │ │ │ - Is it the case that access to the container image registry is restricted? │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done │ │ │ │ +The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt. │ │ │ │ + Is it the case that no client CA certificate has been configured? │ │ │ │ │ │ │ │ - │ │ │ │ - Audit: │ │ │ │ - │ │ │ │ -For each namespace in the cluster, review the rights assigned to the default │ │ │ │ -service account and ensure that it has no roles or cluster roles bound to it │ │ │ │ -apart from the defaults. Additionally ensure that the │ │ │ │ -automountServiceAccountToken: false setting is in place for each │ │ │ │ -default service account. 
│ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done │ │ │ │ +The output should return nothing or true. │ │ │ │ + Is it the case that the kubelet cannot rotate client certificate? │ │ │ │ + │ │ │ │ + │ │ │ │ + To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json, │ │ │ │ +run the command: │ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ +If properly configured, the output should indicate the following owner: │ │ │ │ +root │ │ │ │ + Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root? │ │ │ │ + │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ +The output should return {{ .var_streaming_connection_timeouts }}. │ │ │ │ + Is it the case that the streaming connection timeouts are not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To check the group ownership of /var/lib/kubelet/kubeconfig, │ │ │ │ +run the command: │ │ │ │ +$ ls -lL /var/lib/kubelet/kubeconfig │ │ │ │ +If properly configured, the output should indicate the following group-owner: │ │ │ │ +root │ │ │ │ + Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root? │ │ │ │ + │ │ │ │ + │ │ │ │ + Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions │ │ │ │ +to verify that they are set and the minimum required level. If utilizing a │ │ │ │ +3rd party tool to scan images utilize the minimum required permission level │ │ │ │ +required to interact with the cluster - generally this should be read-only. 
│ │ │ │ │ │ │ │ Remediation: │ │ │ │ │ │ │ │ -With IAM roles for service accounts on Amazon EKS clusters, you can associate │ │ │ │ -an IAM role with a Kubernetes service account. This service account can then │ │ │ │ -provide AWS permissions to the containers in any pod that uses that service │ │ │ │ -account. With this feature, you no longer need to provide extended │ │ │ │ -permissions to the worker node IAM role so that pods on that node can call │ │ │ │ -AWS APIs. │ │ │ │ -Applications must sign their AWS API requests with AWS credentials. This │ │ │ │ -feature provides a strategy for managing credentials for your applications, │ │ │ │ -similar to the way that Amazon EC2 instance profiles provide credentials to │ │ │ │ -Amazon EC2 instances. Instead of creating and distributing your AWS │ │ │ │ -credentials to the containers or using the Amazon EC2 instance’s role, you │ │ │ │ -can associate an IAM role with a Kubernetes service account. The applications │ │ │ │ -in the pod’s containers can then use an AWS SDK or the AWS CLI to make API │ │ │ │ -requests to authorized AWS services. │ │ │ │ - │ │ │ │ -The IAM roles for service accounts feature provides the following benefits: │ │ │ │ +You can use your Amazon ECR images with Amazon EKS, but you need to satisfy │ │ │ │ +the following prerequisites. │ │ │ │ +The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your │ │ │ │ +worker nodes must possess the following IAM policy permissions for Amazon │ │ │ │ +ECR. │ │ │ │ │ │ │ │ │ │ │ │ - Least privilege — By using the IAM roles for service accounts feature, │ │ │ │ - you no longer need to provide extended permissions to the worker node IAM │ │ │ │ - role so that pods on that node can call AWS APIs. You can scope IAM │ │ │ │ - permissions to a service account, and only pods that use that service │ │ │ │ - account have access to those permissions. This feature also eliminates the │ │ │ │ - need for third-party solutions such as kiam or kube2iam. 
│ │ │ │ - Credential isolation — A container can only retrieve credentials for │ │ │ │ - the IAM role that is associated with the service account to which it │ │ │ │ - belongs. A container never has access to credentials that are intended for │ │ │ │ - another container that belongs to another pod. │ │ │ │ - Auditability — Access and event logging is available through CloudTrail │ │ │ │ - to help ensure retrospective auditing. │ │ │ │ - │ │ │ │ +{ │ │ │ │ + "Version": "2012-10-17", │ │ │ │ + "Statement": [ │ │ │ │ + { │ │ │ │ + "Effect": "Allow", │ │ │ │ + "Action": [ │ │ │ │ + "ecr:BatchCheckLayerAvailability", │ │ │ │ + "ecr:BatchGetImage", │ │ │ │ + "ecr:GetDownloadUrlForLayer", │ │ │ │ + "ecr:GetAuthorizationToken" │ │ │ │ + ], │ │ │ │ + "Resource": "*" │ │ │ │ + } │ │ │ │ + ] │ │ │ │ +} │ │ │ │ │ │ │ │ -To get started, see Enabling IAM roles for service accounts on your cluster. │ │ │ │ -For an end-to-end walkthrough using eksctl, see Walkthrough: Updating │ │ │ │ -a DaemonSet to use IAM for service accounts. │ │ │ │ - Is it the case that dedicated service accounts are used? │ │ │ │ + Is it the case that Cluster Service Account has read-only access to Amazon ECR? │ │ │ │ │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ -The output should return true. │ │ │ │ - Is it the case that the kubelet can modify kernel parameters? │ │ │ │ + │ │ │ │ + To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json, │ │ │ │ +run the command: │ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ +If properly configured, the output should indicate the following group-owner: │ │ │ │ +root │ │ │ │ + Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root? 
│ │ │ │ │ │ │ │ │ │ │ │ To check the permissions of /var/lib/kubelet/kubeconfig, │ │ │ │ run the command: │ │ │ │ $ ls -l /var/lib/kubelet/kubeconfig │ │ │ │ If properly configured, the output should indicate the following permissions: │ │ │ │ -rw-r--r-- │ │ │ │ Is it the case that /var/lib/kubelet/kubeconfig does not have unix mode -rw-r--r--? │ │ │ │ │ │ │ │ - │ │ │ │ - Perform the following to determine if CloudTrail is enabled for all regions: │ │ │ │ -Via the Management Console │ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks │ │ │ │ -2. Click on Cluster Name of the cluster you are auditing │ │ │ │ -3. Click Logging │ │ │ │ -4. Ensure all 5 choices are set to Enabled │ │ │ │ -Via CLI │ │ │ │ -aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}" --query 'cluster.logging.clusterLogging[?enabled==true].types' │ │ │ │ - │ │ │ │ -Perform the following to determine if CloudTrail is enabled for all regions: │ │ │ │ -Via The Management Console │ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks │ │ │ │ -2. Click on Cluster Name of the cluster you are auditing │ │ │ │ -3. Click Logging │ │ │ │ -4. Select Manage Logging from the button on the right hand side │ │ │ │ -5. Toggle each selection to the Enabled position. │ │ │ │ -6. Click Save Changes │ │ │ │ - Is it the case that audit logging is enable? │ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done │ │ │ │ -and make sure it outputs 0. │ │ │ │ - Is it the case that readOnlyPort is not secured? │ │ │ │ - │ │ │ │ - │ │ │ │ - Configure the EKS cluster endpoint to be private. 
See Modifying Cluster │ │ │ │ -Endpoint Access for further information on this topic. │ │ │ │ -https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html │ │ │ │ - Is it the case that private access is enabled and public access is disabled? │ │ │ │ - │ │ │ │ - │ │ │ │ + │ │ │ │ Audit: │ │ │ │ │ │ │ │ -For Amazon EKS clusters with Secrets Encryption enabled, look for │ │ │ │ -'encryptionConfig' configuration when you run: │ │ │ │ -aws eks describe-cluster --name="cluster-name" │ │ │ │ - │ │ │ │ -Remediation: │ │ │ │ +To Audit access to the namespace $NAMESPACE, assume the IAM role │ │ │ │ +yourIAMRoleName for a user that you created, and then run the following │ │ │ │ +command: │ │ │ │ │ │ │ │ -Enable 'Secrets Encryption' during Amazon EKS cluster creation as │ │ │ │ -described in the links within the 'References' section. │ │ │ │ +$ kubectl get role -n $NAMESPACE │ │ │ │ +The response lists the RBAC role that has access to this Namespace. │ │ │ │ │ │ │ │ -References: │ │ │ │ +Remediation: │ │ │ │ │ │ │ │ - https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html │ │ │ │ - https://eksworkshop.com/beginner/191_secrets/ │ │ │ │ +Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS │ │ │ │ +documentation. │ │ │ │ │ │ │ │ - Is it the case that kubernetes secrets are encrypted in etcd? │ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains │ │ │ │ -The output should return true. │ │ │ │ - Is it the case that the kubelet cannot modify the firewall settings? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To check the ownership of /var/lib/kubelet/kubeconfig, │ │ │ │ -run the command: │ │ │ │ -$ ls -lL /var/lib/kubelet/kubeconfig │ │ │ │ -If properly configured, the output should indicate the following owner: │ │ │ │ -root │ │ │ │ - Is it the case that /var/lib/kubelet/kubeconfig does not have an owner of root? │ │ │ │ +https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html │ │ │ │ + Is it the case that authorization and authentication is managed using AWS IAM? │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ Run the following command on the kubelet node(s): │ │ │ │ -$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done │ │ │ │ -The output should return true. │ │ │ │ - Is it the case that the kubelet cannot rotate server certificate? │ │ │ │ - │ │ │ │ - │ │ │ │ - To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json, │ │ │ │ -run the command: │ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ -If properly configured, the output should indicate the following group-owner: │ │ │ │ -root │ │ │ │ - Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root? │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done │ │ │ │ +The output should return nothing or true. │ │ │ │ + Is it the case that the kubelet cannot rotate client certificate? │ │ │ │ │ │ │ │ │ │ │ │ Audit: │ │ │ │ Check the existence of Fargate profiles in the Amazon EKS cluster by using: │ │ │ │ │ │ │ │ aws --region ${AWS_REGION} eks list-fargate-profiles --cluster-name ${CLUSTER_NAME} │ │ │ │ Alternatively, to audit for the presence of a Fargate profile node run the │ │ │ │ 
@@ -2933,89 +2802,94 @@ │ │ │ │ the specified namespace that also have the infrastructure: fargate │ │ │ │ Kubernetes label match the selector. │ │ │ │ On the Review and create page, review the information for your Fargate │ │ │ │ profile and choose Create. │ │ │ │ │ │ │ │ Is it the case that untrusted workloads are isolated? │ │ │ │ │ │ │ │ - │ │ │ │ - Verify that the every non-control plane namespace has an appropriate │ │ │ │ -NetworkPolicy. │ │ │ │ + │ │ │ │ + Audit: │ │ │ │ │ │ │ │ -To get all the non-control plane namespaces, you can do the │ │ │ │ -following command $ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]' │ │ │ │ +For Amazon EKS clusters with Secrets Encryption enabled, look for │ │ │ │ +'encryptionConfig' configuration when you run: │ │ │ │ +aws eks describe-cluster --name="cluster-name" │ │ │ │ │ │ │ │ -To get all the non-control plane namespaces with a NetworkPolicy, you can do the │ │ │ │ -following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' │ │ │ │ +Remediation: │ │ │ │ │ │ │ │ -Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check. │ │ │ │ +Enable 'Secrets Encryption' during Amazon EKS cluster creation as │ │ │ │ +described in the links within the 'References' section. 
│ │ │ │ │ │ │ │ -Make sure that the namespaces displayed in the commands of the commands match. │ │ │ │ - Is it the case that Namespaced Network Policies needs review? │ │ │ │ - │ │ │ │ - │ │ │ │ - To check the group ownership of /var/lib/kubelet/kubeconfig, │ │ │ │ -run the command: │ │ │ │ -$ ls -lL /var/lib/kubelet/kubeconfig │ │ │ │ -If properly configured, the output should indicate the following group-owner: │ │ │ │ -root │ │ │ │ - Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root? │ │ │ │ +References: │ │ │ │ + │ │ │ │ + https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html │ │ │ │ + https://eksworkshop.com/beginner/191_secrets/ │ │ │ │ + │ │ │ │ + Is it the case that kubernetes secrets are encrypted in etcd? │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done │ │ │ │ -The output should return enabled: false. │ │ │ │ - Is it the case that <tt>anonymous</tt> authentication is not set to <tt>false</tt>? │ │ │ │ +$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done │ │ │ │ +The output should return true. │ │ │ │ + Is it the case that the kubelet cannot rotate server certificate? │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ Audit: │ │ │ │ +Input: │ │ │ │ │ │ │ │ -To Audit access to the namespace $NAMESPACE, assume the IAM role │ │ │ │ -yourIAMRoleName for a user that you created, and then run the following │ │ │ │ -command: │ │ │ │ - │ │ │ │ -$ kubectl get role -n $NAMESPACE │ │ │ │ -The response lists the RBAC role that has access to this Namespace. 
│ │ │ │ +aws eks describe-cluster \ │ │ │ │ +--region region \ │ │ │ │ +--name clustername │ │ │ │ +Output: │ │ │ │ +... │ │ │ │ +"endpointPublicAccess": false, │ │ │ │ +"endpointPrivateAccess": true, │ │ │ │ +"publicAccessCidrs": [ │ │ │ │ +"203.0.113.5/32" │ │ │ │ +] │ │ │ │ +... │ │ │ │ │ │ │ │ Remediation: │ │ │ │ +Complete the following steps using the AWS CLI version 1.18.10 or later. You │ │ │ │ +can check your current version with aws --version. To install or │ │ │ │ +upgrade the AWS CLI, see Installing the AWS CLI. │ │ │ │ │ │ │ │ -Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS │ │ │ │ -documentation. │ │ │ │ +Update your cluster API server endpoint access with the following AWS CLI │ │ │ │ +command. Substitute your cluster name and desired endpoint access values. If │ │ │ │ +you set endpointPublicAccess=true, then you can (optionally) enter │ │ │ │ +single CIDR block, or a comma- separated list of CIDR blocks for │ │ │ │ +publicAccessCidrs. The blocks cannot include reserved addresses. If you │ │ │ │ +specify CIDR blocks, then the public API server endpoint will only receive │ │ │ │ +requests from the listed blocks. There is a maximum number of CIDR blocks │ │ │ │ +that you can specify. For more information, see Amazon EKS Service Quotas. If │ │ │ │ +you restrict access to your public endpoint using CIDR blocks, it is │ │ │ │ +recommended that you also enable private endpoint access so that worker nodes │ │ │ │ +and Fargate pods (if you use them) can communicate with the cluster. Without │ │ │ │ +the private endpoint enabled, your public access endpoint CIDR sources must │ │ │ │ +include the egress sources from your VPC. For example, if you have a worker │ │ │ │ +node in a private subnet that communicates to the internet through a NAT │ │ │ │ +Gateway, you will need to add the outbound IP address of the NAT gateway as │ │ │ │ +part of a whitelisted CIDR block on your public endpoint. 
If you specify no │ │ │ │ +CIDR blocks, then the public API server endpoint receives requests from all │ │ │ │ +(0.0.0.0/0) IP addresses. │ │ │ │ │ │ │ │ -https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html │ │ │ │ - Is it the case that authorization and authentication is managed using AWS IAM? │ │ │ │ - │ │ │ │ - │ │ │ │ - To enable Private Nodes, the cluster has to also be configured with a private │ │ │ │ -master IP range and IP Aliasing enabled. Private Nodes do not have outbound │ │ │ │ -access to the public internet. │ │ │ │ +Note │ │ │ │ +The following command enables private access and public access from a single IP address │ │ │ │ +for the API server endpoint. Replace 203.0.113.5/32 with a single CIDR block, or a comma- │ │ │ │ +separated list of CIDR blocks that you want to restrict network access to. │ │ │ │ │ │ │ │ -If you want to provide outbound Internet access for your private nodes, you │ │ │ │ -can use Cloud NAT or you can manage your own NAT gateway. │ │ │ │ - Is it the case that clusters are created with private nodes? │ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done │ │ │ │ -The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt. │ │ │ │ - Is it the case that no client CA certificate has been configured? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done │ │ │ │ -Verify that the output is not set to mode: AlwaysAllow, or missing │ │ │ │ -(defaults to mode: Webhook). │ │ │ │ - Is it the case that <tt>authorization-mode</tt> is not configured to <tt>Webhook</tt>? │ │ │ │ - │ │ │ │ - │ │ │ │ - For more information about protecting your workloads using TLS please refer │ │ │ │ -to the AWS User Guide: │ │ │ │ +Example command: │ │ │ │ │ │ │ │ -https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html │ │ │ │ - Is it the case that connections to load balancers and workloads are encrypted with TLS? │ │ │ │ +aws eks update-cluster-config \ │ │ │ │ +--region region-code \ │ │ │ │ +--name dev \ │ │ │ │ +--resources-vpc-config \ │ │ │ │ +endpointPublicAccess=true, \ │ │ │ │ +publicAccessCidrs="203.0.113.5/32",\ │ │ │ │ +endpointPrivateAccess=true │ │ │ │ + Is it the case that the control plane endpoint is secure? │ │ │ │ │ │ │ │ │ │ │ │ Network Policy requires the Network Policy add-on. This add-on is included │ │ │ │ automatically when a cluster with Network Policy is created, but for an │ │ │ │ existing cluster, needs to be added prior to enabling Network Policy. │ │ │ │ │ │ │ │ Enabling/Disabling Network Policy causes a rolling update of all cluster │ │ │ │ 
@@ -3029,35 +2903,147 @@ │ │ │ │ │ │ │ │ Enabling Network Policy enforcement consumes additional resources in nodes. │ │ │ │ Specifically, it increases the memory footprint of the kube-system │ │ │ │ process by approximately 128MB, and requires approximately 300 millicores of │ │ │ │ CPU. │ │ │ │ Is it the case that network policy is enabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json, │ │ │ │ -run the command: │ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ -If properly configured, the output should indicate the following owner: │ │ │ │ -root │ │ │ │ - Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root? │ │ │ │ + │ │ │ │ + To enable Private Nodes, the cluster has to also be configured with a private │ │ │ │ +master IP range and IP Aliasing enabled. Private Nodes do not have outbound │ │ │ │ +access to the public internet. │ │ │ │ + │ │ │ │ +If you want to provide outbound Internet access for your private nodes, you │ │ │ │ +can use Cloud NAT or you can manage your own NAT gateway. │ │ │ │ + Is it the case that clusters are created with private nodes? │ │ │ │ + │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done │ │ │ │ +The output should not return 0. │ │ │ │ + Is it the case that the streaming connection timeouts are not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + Remediation: │ │ │ │ + │ │ │ │ +Before you use IAM to manage access to Amazon ECR, you should understand what │ │ │ │ +IAM features are available to use with Amazon ECR. 
To get a high-level view │ │ │ │ +of how Amazon ECR and other AWS services work with IAM, see AWS Services That │ │ │ │ +Work with IAM in the IAM User Guide. │ │ │ │ + │ │ │ │ +Topics │ │ │ │ + │ │ │ │ + │ │ │ │ +Amazon ECR Identity-Based Policies │ │ │ │ +Amazon ECR Resource-Based Policies │ │ │ │ +Authorization Based on Amazon ECR Tags │ │ │ │ +Amazon ECR IAM Roles │ │ │ │ + │ │ │ │ + │ │ │ │ +Amazon ECR Identity-Based Policies │ │ │ │ + │ │ │ │ +With IAM identity-based policies, you can specify allowed or denied actions │ │ │ │ +and resources as well as the conditions under which actions are allowed or │ │ │ │ +denied. Amazon ECR supports specific actions, resources, and condition keys. │ │ │ │ +To learn about all of the elements that you use in a JSON policy, see IAM │ │ │ │ +JSON Policy Elements Reference in the IAM User Guide. │ │ │ │ + │ │ │ │ +Actions │ │ │ │ + │ │ │ │ +The Action element of an IAM identity-based policy describes the specific │ │ │ │ +action or actions that will be allowed or denied by the policy. Policy │ │ │ │ +actions usually have the same name as the associated AWS API operation. The │ │ │ │ +action is used in a policy to grant permissions to perform the associated │ │ │ │ +operation. │ │ │ │ + │ │ │ │ +Policy actions in Amazon ECR use the following prefix before the action: │ │ │ │ +ecr:. For example, to grant someone permission to create an Amazon ECR │ │ │ │ +repository with the Amazon ECR CreateRepository API operation, you include │ │ │ │ +the ecr:CreateRepository action in their policy. Policy statements must │ │ │ │ +include either an Action or NotAction element. Amazon ECR defines its own set │ │ │ │ +of actions that describe tasks that you can perform with this service. To │ │ │ │ +specify multiple actions in a single statement, separate them with commas as │ │ │ │ +follows: "Action": [ "ecr:action1", "ecr:action2" You can specify │ │ │ │ +multiple actions using wildcards (*). 
For example, to specify all │ │ │ │ +actions that begin with the word Describe, include the following action: │ │ │ │ +"Action": "ecr:Describe*" To see a list of Amazon ECR actions, see │ │ │ │ +Actions, Resources, and Condition Keys for Amazon Elastic Container │ │ │ │ +Registry in the IAM User Guide. │ │ │ │ + │ │ │ │ +Resources │ │ │ │ + │ │ │ │ +The Resource element specifies the object or objects to which the action │ │ │ │ +applies. Statements must include either a Resource or a NotResource element. │ │ │ │ +You specify a resource using an ARN or using the wildcard (*) to │ │ │ │ +indicate that the statement applies to all resources. │ │ │ │ + │ │ │ │ +An Amazon ECR repository resource has the following ARN: │ │ │ │ +arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name} │ │ │ │ +For more information about the format of ARNs, see Amazon Resource Names │ │ │ │ +(ARNs) and AWS Service Namespaces. │ │ │ │ +For example, to specify the my-repo repository in the us-east-1 Region in │ │ │ │ +your statement, use the following ARN: │ │ │ │ +"Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-repo" │ │ │ │ +To specify all repositories that belong to a specific account, use the │ │ │ │ +wildcard (*): "Resource": │ │ │ │ +"arn:aws:ecr:us-east-1:123456789012:repository/*" │ │ │ │ +To specify multiple resources in a single statement, separate the ARNs with │ │ │ │ +commas. "Resource": [ "resource1", "resource2" │ │ │ │ +To see a list of Amazon ECR resource types and their ARNs, see Resources │ │ │ │ +Defined by Amazon Elastic Container Registry in the IAM User Guide. To learn │ │ │ │ +with which actions you can specify the ARN of each resource, see Actions │ │ │ │ +Defined by Amazon Elastic Container Registry. │ │ │ │ + │ │ │ │ +Condition Keys │ │ │ │ + │ │ │ │ +The Condition element (or Condition block) lets you specify conditions in │ │ │ │ +which a statement is in effect. The Condition element is optional. 
You can │ │ │ │ +build conditional expressions that use condition operators, such as equals or │ │ │ │ +less than, to match the condition in the policy with values in the request. │ │ │ │ +If you specify multiple Condition elements in a statement, or multiple keys │ │ │ │ +in a single Condition element, AWS evaluates them using a logical AND │ │ │ │ +operation. If you specify multiple values for a single condition key, AWS │ │ │ │ +evaluates the condition using a logical OR operation. All of the conditions │ │ │ │ +must be met before the statement's permissions are granted. │ │ │ │ +You can also use placeholder variables when you specify conditions. For │ │ │ │ +example, you can grant an IAM user permission to access a resource only if it │ │ │ │ +is tagged with their IAM user name. For more information, see IAM Policy │ │ │ │ +Elements: Variables and Tags in the IAM User Guide. │ │ │ │ +Amazon ECR defines its own set of condition keys and also supports using some global │ │ │ │ +condition keys. To see all AWS global condition keys, see AWS Global Condition Context │ │ │ │ +Keys in the IAM User Guide. │ │ │ │ +Most Amazon ECR actions support the aws:ResourceTag and ecr:ResourceTag │ │ │ │ +condition keys. For more information, see Using Tag-Based Access Control. To │ │ │ │ +see a list of Amazon ECR condition keys, see Condition Keys Defined by Amazon │ │ │ │ +Elastic Container Registry in the IAM User Guide. To learn with which actions │ │ │ │ +and resources you can use a condition key, see Actions Defined by Amazon │ │ │ │ +Elastic Container Registry. │ │ │ │ + Is it the case that access to the container image registry is restricted? │ │ │ │ │ │ │ │ │ │ │ │ Ensure all containers and images are coming from approved registries. │ │ │ │ │ │ │ │ References: │ │ │ │ │ │ │ │ https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/ │ │ │ │ Is it the case that container images come from approved registries? 
│ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done │ │ │ │ -The output should not return 0. │ │ │ │ - Is it the case that the streaming connection timeouts are not disabled? │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done │ │ │ │ +and make sure it outputs 0. │ │ │ │ + Is it the case that readOnlyPort is not secured? │ │ │ │ + │ │ │ │ + │ │ │ │ + To check the ownership of /var/lib/kubelet/kubeconfig, │ │ │ │ +run the command: │ │ │ │ +$ ls -lL /var/lib/kubelet/kubeconfig │ │ │ │ +If properly configured, the output should indicate the following owner: │ │ │ │ +root │ │ │ │ + Is it the case that /var/lib/kubelet/kubeconfig does not have an owner of root? │ │ │ │ │ │ │ │ │ │ │ │ Please follow AWS ECS or your 3rd party image scanning provider's guidelines │ │ │ │ for enabling Image Scanning. │ │ │ │ │ │ │ │ Remediation: │ │ │ │ │ │ │ │ 
@@ -3076,128 +3062,142 @@ │ │ │ │ 1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories. │ │ │ │ 2. From the navigation bar, choose the Region to create your repository in. │ │ │ │ 3. In the navigation pane, choose Repositories. │ │ │ │ 4. On the Repositories page, choose the repository that contains the image to scan. │ │ │ │ 5. On the Images page, select the image to scan and then choose Scan. │ │ │ │ Is it the case that image vulnerability scanning is enabled? │ │ │ │ │ │ │ │ - │ │ │ │ - Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions │ │ │ │ -to verify that they are set and the minimum required level. If utilizing a │ │ │ │ -3rd party tool to scan images utilize the minimum required permission level │ │ │ │ -required to interact with the cluster - generally this should be read-only. │ │ │ │ - │ │ │ │ -Remediation: │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains │ │ │ │ +The output should return true. │ │ │ │ + Is it the case that the kubelet cannot modify the firewall settings? │ │ │ │ + │ │ │ │ + │ │ │ │ + Verify that the every non-control plane namespace has an appropriate │ │ │ │ +NetworkPolicy. │ │ │ │ │ │ │ │ -You can use your Amazon ECR images with Amazon EKS, but you need to satisfy │ │ │ │ -the following prerequisites. │ │ │ │ -The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your │ │ │ │ -worker nodes must possess the following IAM policy permissions for Amazon │ │ │ │ -ECR. 
│ │ │ │ +To get all the non-control plane namespaces, you can do the │ │ │ │ +following command $ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]' │ │ │ │ │ │ │ │ +To get all the non-control plane namespaces with a NetworkPolicy, you can do the │ │ │ │ +following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' │ │ │ │ │ │ │ │ -{ │ │ │ │ - "Version": "2012-10-17", │ │ │ │ - "Statement": [ │ │ │ │ - { │ │ │ │ - "Effect": "Allow", │ │ │ │ - "Action": [ │ │ │ │ - "ecr:BatchCheckLayerAvailability", │ │ │ │ - "ecr:BatchGetImage", │ │ │ │ - "ecr:GetDownloadUrlForLayer", │ │ │ │ - "ecr:GetAuthorizationToken" │ │ │ │ - ], │ │ │ │ - "Resource": "*" │ │ │ │ - } │ │ │ │ - ] │ │ │ │ -} │ │ │ │ +Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check. │ │ │ │ │ │ │ │ - Is it the case that Cluster Service Account has read-only access to Amazon ECR? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done │ │ │ │ -The output should return nothing or true. │ │ │ │ - Is it the case that the kubelet cannot rotate client certificate? │ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ -The output should return {{ .var_streaming_connection_timeouts }}. │ │ │ │ - Is it the case that the streaming connection timeouts are not disabled? │ │ │ │ +Make sure that the namespaces displayed in the commands of the commands match. │ │ │ │ + Is it the case that Namespaced Network Policies needs review? │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done │ │ │ │ -The output should return nothing or true. │ │ │ │ - Is it the case that the kubelet cannot rotate client certificate? │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done │ │ │ │ +The output should return enabled: false. │ │ │ │ + Is it the case that <tt>anonymous</tt> authentication is not set to <tt>false</tt>? 
│ │ │ │ │ │ │ │ │ │ │ │ To check the permissions of /etc/kubernetes/kubelet/kubelet-config.json, │ │ │ │ run the command: │ │ │ │ $ ls -l /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ If properly configured, the output should indicate the following permissions: │ │ │ │ -rw-r--r-- │ │ │ │ Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have unix mode -rw-r--r--? │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ + Configure the EKS cluster endpoint to be private. See Modifying Cluster │ │ │ │ +Endpoint Access for further information on this topic. │ │ │ │ +https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html │ │ │ │ + Is it the case that private access is enabled and public access is disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + Perform the following to determine if CloudTrail is enabled for all regions: │ │ │ │ +Via the Management Console │ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks │ │ │ │ +2. Click on Cluster Name of the cluster you are auditing │ │ │ │ +3. Click Logging │ │ │ │ +4. Ensure all 5 choices are set to Enabled │ │ │ │ +Via CLI │ │ │ │ +aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}" --query 'cluster.logging.clusterLogging[?enabled==true].types' │ │ │ │ + │ │ │ │ +Perform the following to determine if CloudTrail is enabled for all regions: │ │ │ │ +Via The Management Console │ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks │ │ │ │ +2. Click on Cluster Name of the cluster you are auditing │ │ │ │ +3. Click Logging │ │ │ │ +4. Select Manage Logging from the button on the right hand side │ │ │ │ +5. Toggle each selection to the Enabled position. │ │ │ │ +6. Click Save Changes │ │ │ │ + Is it the case that audit logging is enable? 
│ │ │ │ + │ │ │ │ + │ │ │ │ + For more information about protecting your workloads using TLS please refer │ │ │ │ +to the AWS User Guide: │ │ │ │ + │ │ │ │ +https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html │ │ │ │ + Is it the case that connections to load balancers and workloads are encrypted with TLS? │ │ │ │ + │ │ │ │ + │ │ │ │ Audit: │ │ │ │ -Input: │ │ │ │ │ │ │ │ -aws eks describe-cluster \ │ │ │ │ ---region region \ │ │ │ │ ---name clustername │ │ │ │ -Output: │ │ │ │ -... │ │ │ │ -"endpointPublicAccess": false, │ │ │ │ -"endpointPrivateAccess": true, │ │ │ │ -"publicAccessCidrs": [ │ │ │ │ -"203.0.113.5/32" │ │ │ │ -] │ │ │ │ -... │ │ │ │ +For each namespace in the cluster, review the rights assigned to the default │ │ │ │ +service account and ensure that it has no roles or cluster roles bound to it │ │ │ │ +apart from the defaults. Additionally ensure that the │ │ │ │ +automountServiceAccountToken: false setting is in place for each │ │ │ │ +default service account. │ │ │ │ │ │ │ │ Remediation: │ │ │ │ -Complete the following steps using the AWS CLI version 1.18.10 or later. You │ │ │ │ -can check your current version with aws --version. To install or │ │ │ │ -upgrade the AWS CLI, see Installing the AWS CLI. │ │ │ │ │ │ │ │ -Update your cluster API server endpoint access with the following AWS CLI │ │ │ │ -command. Substitute your cluster name and desired endpoint access values. If │ │ │ │ -you set endpointPublicAccess=true, then you can (optionally) enter │ │ │ │ -single CIDR block, or a comma- separated list of CIDR blocks for │ │ │ │ -publicAccessCidrs. The blocks cannot include reserved addresses. If you │ │ │ │ -specify CIDR blocks, then the public API server endpoint will only receive │ │ │ │ -requests from the listed blocks. There is a maximum number of CIDR blocks │ │ │ │ -that you can specify. For more information, see Amazon EKS Service Quotas. 
If │ │ │ │ -you restrict access to your public endpoint using CIDR blocks, it is │ │ │ │ -recommended that you also enable private endpoint access so that worker nodes │ │ │ │ -and Fargate pods (if you use them) can communicate with the cluster. Without │ │ │ │ -the private endpoint enabled, your public access endpoint CIDR sources must │ │ │ │ -include the egress sources from your VPC. For example, if you have a worker │ │ │ │ -node in a private subnet that communicates to the internet through a NAT │ │ │ │ -Gateway, you will need to add the outbound IP address of the NAT gateway as │ │ │ │ -part of a whitelisted CIDR block on your public endpoint. If you specify no │ │ │ │ -CIDR blocks, then the public API server endpoint receives requests from all │ │ │ │ -(0.0.0.0/0) IP addresses. │ │ │ │ +With IAM roles for service accounts on Amazon EKS clusters, you can associate │ │ │ │ +an IAM role with a Kubernetes service account. This service account can then │ │ │ │ +provide AWS permissions to the containers in any pod that uses that service │ │ │ │ +account. With this feature, you no longer need to provide extended │ │ │ │ +permissions to the worker node IAM role so that pods on that node can call │ │ │ │ +AWS APIs. │ │ │ │ +Applications must sign their AWS API requests with AWS credentials. This │ │ │ │ +feature provides a strategy for managing credentials for your applications, │ │ │ │ +similar to the way that Amazon EC2 instance profiles provide credentials to │ │ │ │ +Amazon EC2 instances. Instead of creating and distributing your AWS │ │ │ │ +credentials to the containers or using the Amazon EC2 instance’s role, you │ │ │ │ +can associate an IAM role with a Kubernetes service account. The applications │ │ │ │ +in the pod’s containers can then use an AWS SDK or the AWS CLI to make API │ │ │ │ +requests to authorized AWS services. 
│ │ │ │ │ │ │ │ -Note │ │ │ │ -The following command enables private access and public access from a single IP address │ │ │ │ -for the API server endpoint. Replace 203.0.113.5/32 with a single CIDR block, or a comma- │ │ │ │ -separated list of CIDR blocks that you want to restrict network access to. │ │ │ │ +The IAM roles for service accounts feature provides the following benefits: │ │ │ │ │ │ │ │ -Example command: │ │ │ │ │ │ │ │ -aws eks update-cluster-config \ │ │ │ │ ---region region-code \ │ │ │ │ ---name dev \ │ │ │ │ ---resources-vpc-config \ │ │ │ │ -endpointPublicAccess=true, \ │ │ │ │ -publicAccessCidrs="203.0.113.5/32",\ │ │ │ │ -endpointPrivateAccess=true │ │ │ │ - Is it the case that the control plane endpoint is secure? │ │ │ │ + Least privilege — By using the IAM roles for service accounts feature, │ │ │ │ + you no longer need to provide extended permissions to the worker node IAM │ │ │ │ + role so that pods on that node can call AWS APIs. You can scope IAM │ │ │ │ + permissions to a service account, and only pods that use that service │ │ │ │ + account have access to those permissions. This feature also eliminates the │ │ │ │ + need for third-party solutions such as kiam or kube2iam. │ │ │ │ + Credential isolation — A container can only retrieve credentials for │ │ │ │ + the IAM role that is associated with the service account to which it │ │ │ │ + belongs. A container never has access to credentials that are intended for │ │ │ │ + another container that belongs to another pod. │ │ │ │ + Auditability — Access and event logging is available through CloudTrail │ │ │ │ + to help ensure retrospective auditing. │ │ │ │ + │ │ │ │ + │ │ │ │ +To get started, see Enabling IAM roles for service accounts on your cluster. │ │ │ │ +For an end-to-end walkthrough using eksctl, see Walkthrough: Updating │ │ │ │ +a DaemonSet to use IAM for service accounts. │ │ │ │ + Is it the case that dedicated service accounts are used? 
│ │ │ │ + │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ +The output should return true. │ │ │ │ + Is it the case that the kubelet can modify kernel parameters? │ │ │ │ + │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done │ │ │ │ +Verify that the output is not set to mode: AlwaysAllow, or missing │ │ │ │ +(defaults to mode: Webhook). │ │ │ │ + Is it the case that <tt>authorization-mode</tt> is not configured to <tt>Webhook</tt>? │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ocil.xml │ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-eks-ocil.xml │ │ │ │┄ Ordering differences only │ │ │ │ 
@@ -3,703 +3,572 @@ │ │ │ │ │ │ │ │ build_shorthand.py from SCAP Security Guide │ │ │ │ ssg: 0.1.76 │ │ │ │ 2.0 │ │ │ │ 2025-03-01T08:08:00 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Minimize user access to Amazon ECR │ │ │ │ - │ │ │ │ - ocil:ssg-registry_access_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Use Dedicated Service Accounts │ │ │ │ - │ │ │ │ - ocil:ssg-dedicated_service_accounts_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - kubelet - Enable Protect Kernel Defaults │ │ │ │ + │ │ │ │ + kubelet - Configure the Client CA Certificate │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_configure_client_ca_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify Permissions on the Worker Kubeconfig File │ │ │ │ + │ │ │ │ + kubelet - Enable Client Certificate Rotation │ │ │ │ │ │ │ │ - ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure Audit Logging is Enabled │ │ │ │ + │ │ │ │ + Verify User Who Owns The Kubelet Configuration File │ │ │ │ │ │ │ │ - ocil:ssg-audit_logging_action:testaction:1 │ │ │ │ + ocil:ssg-file_owner_kubelet_conf_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Ensure that the --read-only-port is secured │ │ │ │ + │ │ │ │ + kubelet - Do Not Disable Streaming Timeouts │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_read_only_port_secured_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure Private Endpoint Access │ │ │ │ + │ │ │ │ + Verify Group Who Owns The Worker Kubeconfig File │ │ │ │ │ │ │ │ - ocil:ssg-endpoint_configuration_action:testaction:1 │ │ │ │ + ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure Kubernetes Secrets are Encrypted │ │ │ │ + │ │ │ │ + Ensure 
Cluster Service Account with read-only access to Amazon ECR │ │ │ │ │ │ │ │ - ocil:ssg-secret_encryption_action:testaction:1 │ │ │ │ + ocil:ssg-read_only_registry_access_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Allow Automatic Firewall Configuration │ │ │ │ + │ │ │ │ + Verify Group Who Owns The Kubelet Configuration File │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1 │ │ │ │ + ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify User Who Owns The Worker Kubeconfig File │ │ │ │ + │ │ │ │ + Verify Permissions on the Worker Kubeconfig File │ │ │ │ │ │ │ │ - ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1 │ │ │ │ + ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Enable Server Certificate Rotation │ │ │ │ + │ │ │ │ + Manage Users with AWS IAM │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1 │ │ │ │ + ocil:ssg-iam_integration_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify Group Who Owns The Kubelet Configuration File │ │ │ │ + │ │ │ │ + kubelet - Enable Certificate Rotation │ │ │ │ │ │ │ │ - ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Consider Fargate for Untrusted Workloads │ │ │ │ │ │ │ │ ocil:ssg-fargate_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure that application Namespaces have Network Policies defined. 
│ │ │ │ + │ │ │ │ + Ensure Kubernetes Secrets are Encrypted │ │ │ │ │ │ │ │ - ocil:ssg-configure_network_policies_namespaces_action:testaction:1 │ │ │ │ + ocil:ssg-secret_encryption_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify Group Who Owns The Worker Kubeconfig File │ │ │ │ + │ │ │ │ + kubelet - Enable Server Certificate Rotation │ │ │ │ │ │ │ │ - ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Anonymous Authentication to the Kubelet │ │ │ │ + │ │ │ │ + Restrict Access to the Control Plane Endpoint │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_anonymous_auth_action:testaction:1 │ │ │ │ + ocil:ssg-control_plane_access_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Manage Users with AWS IAM │ │ │ │ + │ │ │ │ + Ensure Network Policy is Enabled │ │ │ │ │ │ │ │ - ocil:ssg-iam_integration_action:testaction:1 │ │ │ │ + ocil:ssg-configure_network_policy_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Ensure Cluster Private Nodes │ │ │ │ │ │ │ │ ocil:ssg-private_nodes_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Configure the Client CA Certificate │ │ │ │ + │ │ │ │ + kubelet - Do Not Disable Streaming Timeouts │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_configure_client_ca_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure authorization is set to Webhook │ │ │ │ + │ │ │ │ + Minimize user access to Amazon ECR │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_authorization_mode_action:testaction:1 │ │ │ │ + ocil:ssg-registry_access_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Encrypt Traffic to Load Balancers and Workloads │ │ │ │ + │ │ │ │ + Only use approved container registries │ │ │ │ │ │ │ │ - ocil:ssg-configure_tls_action:testaction:1 │ │ │ │ + ocil:ssg-approved_registries_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ 
│ │ - Ensure Network Policy is Enabled │ │ │ │ + │ │ │ │ + kubelet - Ensure that the --read-only-port is secured │ │ │ │ │ │ │ │ - ocil:ssg-configure_network_policy_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_read_only_port_secured_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify User Who Owns The Kubelet Configuration File │ │ │ │ + │ │ │ │ + Verify User Who Owns The Worker Kubeconfig File │ │ │ │ │ │ │ │ - ocil:ssg-file_owner_kubelet_conf_action:testaction:1 │ │ │ │ + ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Only use approved container registries │ │ │ │ + │ │ │ │ + Ensure Image Vulnerability Scanning │ │ │ │ │ │ │ │ - ocil:ssg-approved_registries_action:testaction:1 │ │ │ │ + ocil:ssg-image_scanning_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Do Not Disable Streaming Timeouts │ │ │ │ + │ │ │ │ + kubelet - Allow Automatic Firewall Configuration │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure Image Vulnerability Scanning │ │ │ │ + │ │ │ │ + Ensure that application Namespaces have Network Policies defined. 
│ │ │ │ │ │ │ │ - ocil:ssg-image_scanning_action:testaction:1 │ │ │ │ + ocil:ssg-configure_network_policies_namespaces_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure Cluster Service Account with read-only access to Amazon ECR │ │ │ │ + │ │ │ │ + Disable Anonymous Authentication to the Kubelet │ │ │ │ │ │ │ │ - ocil:ssg-read_only_registry_access_action:testaction:1 │ │ │ │ + ocil:ssg-kubelet_anonymous_auth_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Enable Certificate Rotation │ │ │ │ + │ │ │ │ + Verify Permissions on The Kubelet Configuration File │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1 │ │ │ │ + ocil:ssg-file_permissions_kubelet_conf_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Do Not Disable Streaming Timeouts │ │ │ │ + │ │ │ │ + Ensure Private Endpoint Access │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1 │ │ │ │ + ocil:ssg-endpoint_configuration_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - kubelet - Enable Client Certificate Rotation │ │ │ │ + │ │ │ │ + Ensure Audit Logging is Enabled │ │ │ │ │ │ │ │ - ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1 │ │ │ │ + ocil:ssg-audit_logging_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Verify Permissions on The Kubelet Configuration File │ │ │ │ + │ │ │ │ + Encrypt Traffic to Load Balancers and Workloads │ │ │ │ │ │ │ │ - ocil:ssg-file_permissions_kubelet_conf_action:testaction:1 │ │ │ │ + ocil:ssg-configure_tls_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Restrict Access to the Control Plane Endpoint │ │ │ │ + │ │ │ │ + Use Dedicated Service Accounts │ │ │ │ │ │ │ │ - ocil:ssg-control_plane_access_action:testaction:1 │ │ │ │ + ocil:ssg-dedicated_service_accounts_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + kubelet - Enable Protect Kernel Defaults │ │ │ │ + │ │ │ │ + 
ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Ensure authorization is set to Webhook │ │ │ │ + │ │ │ │ + ocil:ssg-kubelet_authorization_mode_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ 
│ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Remediation: │ │ │ │ - │ │ │ │ -Before you use IAM to manage access to Amazon ECR, you should understand what │ │ │ │ -IAM features are available to use with Amazon ECR. To get a high-level view │ │ │ │ -of how Amazon ECR and other AWS services work with IAM, see AWS Services That │ │ │ │ -Work with IAM in the IAM User Guide. │ │ │ │ - │ │ │ │ -Topics │ │ │ │ - │ │ │ │ - │ │ │ │ -Amazon ECR Identity-Based Policies │ │ │ │ -Amazon ECR Resource-Based Policies │ │ │ │ -Authorization Based on Amazon ECR Tags │ │ │ │ -Amazon ECR IAM Roles │ │ │ │ - │ │ │ │ - │ │ │ │ -Amazon ECR Identity-Based Policies │ │ │ │ - │ │ │ │ -With IAM identity-based policies, you can specify allowed or denied actions │ │ │ │ -and resources as well as the conditions under which actions are allowed or │ │ │ │ -denied. Amazon ECR supports specific actions, resources, and condition keys. 
│ │ │ │ -To learn about all of the elements that you use in a JSON policy, see IAM │ │ │ │ -JSON Policy Elements Reference in the IAM User Guide. │ │ │ │ - │ │ │ │ -Actions │ │ │ │ - │ │ │ │ -The Action element of an IAM identity-based policy describes the specific │ │ │ │ -action or actions that will be allowed or denied by the policy. Policy │ │ │ │ -actions usually have the same name as the associated AWS API operation. The │ │ │ │ -action is used in a policy to grant permissions to perform the associated │ │ │ │ -operation. │ │ │ │ - │ │ │ │ -Policy actions in Amazon ECR use the following prefix before the action: │ │ │ │ -ecr:. For example, to grant someone permission to create an Amazon ECR │ │ │ │ -repository with the Amazon ECR CreateRepository API operation, you include │ │ │ │ -the ecr:CreateRepository action in their policy. Policy statements must │ │ │ │ -include either an Action or NotAction element. Amazon ECR defines its own set │ │ │ │ -of actions that describe tasks that you can perform with this service. To │ │ │ │ -specify multiple actions in a single statement, separate them with commas as │ │ │ │ -follows: "Action": [ "ecr:action1", "ecr:action2" You can specify │ │ │ │ -multiple actions using wildcards (*). For example, to specify all │ │ │ │ -actions that begin with the word Describe, include the following action: │ │ │ │ -"Action": "ecr:Describe*" To see a list of Amazon ECR actions, see │ │ │ │ -Actions, Resources, and Condition Keys for Amazon Elastic Container │ │ │ │ -Registry in the IAM User Guide. │ │ │ │ - │ │ │ │ -Resources │ │ │ │ - │ │ │ │ -The Resource element specifies the object or objects to which the action │ │ │ │ -applies. Statements must include either a Resource or a NotResource element. │ │ │ │ -You specify a resource using an ARN or using the wildcard (*) to │ │ │ │ -indicate that the statement applies to all resources. 
│ │ │ │ - │ │ │ │ -An Amazon ECR repository resource has the following ARN: │ │ │ │ -arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name} │ │ │ │ -For more information about the format of ARNs, see Amazon Resource Names │ │ │ │ -(ARNs) and AWS Service Namespaces. │ │ │ │ -For example, to specify the my-repo repository in the us-east-1 Region in │ │ │ │ -your statement, use the following ARN: │ │ │ │ -"Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-repo" │ │ │ │ -To specify all repositories that belong to a specific account, use the │ │ │ │ -wildcard (*): "Resource": │ │ │ │ -"arn:aws:ecr:us-east-1:123456789012:repository/*" │ │ │ │ -To specify multiple resources in a single statement, separate the ARNs with │ │ │ │ -commas. "Resource": [ "resource1", "resource2" │ │ │ │ -To see a list of Amazon ECR resource types and their ARNs, see Resources │ │ │ │ -Defined by Amazon Elastic Container Registry in the IAM User Guide. To learn │ │ │ │ -with which actions you can specify the ARN of each resource, see Actions │ │ │ │ -Defined by Amazon Elastic Container Registry. │ │ │ │ - │ │ │ │ -Condition Keys │ │ │ │ - │ │ │ │ -The Condition element (or Condition block) lets you specify conditions in │ │ │ │ -which a statement is in effect. The Condition element is optional. You can │ │ │ │ -build conditional expressions that use condition operators, such as equals or │ │ │ │ -less than, to match the condition in the policy with values in the request. │ │ │ │ -If you specify multiple Condition elements in a statement, or multiple keys │ │ │ │ -in a single Condition element, AWS evaluates them using a logical AND │ │ │ │ -operation. If you specify multiple values for a single condition key, AWS │ │ │ │ -evaluates the condition using a logical OR operation. All of the conditions │ │ │ │ -must be met before the statement's permissions are granted. │ │ │ │ -You can also use placeholder variables when you specify conditions. 
For │ │ │ │ -example, you can grant an IAM user permission to access a resource only if it │ │ │ │ -is tagged with their IAM user name. For more information, see IAM Policy │ │ │ │ -Elements: Variables and Tags in the IAM User Guide. │ │ │ │ -Amazon ECR defines its own set of condition keys and also supports using some global │ │ │ │ -condition keys. To see all AWS global condition keys, see AWS Global Condition Context │ │ │ │ -Keys in the IAM User Guide. │ │ │ │ -Most Amazon ECR actions support the aws:ResourceTag and ecr:ResourceTag │ │ │ │ -condition keys. For more information, see Using Tag-Based Access Control. To │ │ │ │ -see a list of Amazon ECR condition keys, see Condition Keys Defined by Amazon │ │ │ │ -Elastic Container Registry in the IAM User Guide. To learn with which actions │ │ │ │ -and resources you can use a condition key, see Actions Defined by Amazon │ │ │ │ -Elastic Container Registry. │ │ │ │ - Is it the case that access to the container image registry is restricted? │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done │ │ │ │ +The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt. │ │ │ │ + Is it the case that no client CA certificate has been configured? │ │ │ │ │ │ │ │ - │ │ │ │ - Audit: │ │ │ │ - │ │ │ │ -For each namespace in the cluster, review the rights assigned to the default │ │ │ │ -service account and ensure that it has no roles or cluster roles bound to it │ │ │ │ -apart from the defaults. Additionally ensure that the │ │ │ │ -automountServiceAccountToken: false setting is in place for each │ │ │ │ -default service account. 
│ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done │ │ │ │ +The output should return nothing or true. │ │ │ │ + Is it the case that the kubelet cannot rotate client certificate? │ │ │ │ + │ │ │ │ + │ │ │ │ + To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json, │ │ │ │ +run the command: │ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ +If properly configured, the output should indicate the following owner: │ │ │ │ +root │ │ │ │ + Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root? │ │ │ │ + │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ +The output should return {{ .var_streaming_connection_timeouts }}. │ │ │ │ + Is it the case that the streaming connection timeouts are not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To check the group ownership of /var/lib/kubelet/kubeconfig, │ │ │ │ +run the command: │ │ │ │ +$ ls -lL /var/lib/kubelet/kubeconfig │ │ │ │ +If properly configured, the output should indicate the following group-owner: │ │ │ │ +root │ │ │ │ + Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root? │ │ │ │ + │ │ │ │ + │ │ │ │ + Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions │ │ │ │ +to verify that they are set and the minimum required level. If utilizing a │ │ │ │ +3rd party tool to scan images utilize the minimum required permission level │ │ │ │ +required to interact with the cluster - generally this should be read-only. 
│ │ │ │ │ │ │ │ Remediation: │ │ │ │ │ │ │ │ -With IAM roles for service accounts on Amazon EKS clusters, you can associate │ │ │ │ -an IAM role with a Kubernetes service account. This service account can then │ │ │ │ -provide AWS permissions to the containers in any pod that uses that service │ │ │ │ -account. With this feature, you no longer need to provide extended │ │ │ │ -permissions to the worker node IAM role so that pods on that node can call │ │ │ │ -AWS APIs. │ │ │ │ -Applications must sign their AWS API requests with AWS credentials. This │ │ │ │ -feature provides a strategy for managing credentials for your applications, │ │ │ │ -similar to the way that Amazon EC2 instance profiles provide credentials to │ │ │ │ -Amazon EC2 instances. Instead of creating and distributing your AWS │ │ │ │ -credentials to the containers or using the Amazon EC2 instance’s role, you │ │ │ │ -can associate an IAM role with a Kubernetes service account. The applications │ │ │ │ -in the pod’s containers can then use an AWS SDK or the AWS CLI to make API │ │ │ │ -requests to authorized AWS services. │ │ │ │ - │ │ │ │ -The IAM roles for service accounts feature provides the following benefits: │ │ │ │ +You can use your Amazon ECR images with Amazon EKS, but you need to satisfy │ │ │ │ +the following prerequisites. │ │ │ │ +The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your │ │ │ │ +worker nodes must possess the following IAM policy permissions for Amazon │ │ │ │ +ECR. │ │ │ │ │ │ │ │ │ │ │ │ - Least privilege — By using the IAM roles for service accounts feature, │ │ │ │ - you no longer need to provide extended permissions to the worker node IAM │ │ │ │ - role so that pods on that node can call AWS APIs. You can scope IAM │ │ │ │ - permissions to a service account, and only pods that use that service │ │ │ │ - account have access to those permissions. This feature also eliminates the │ │ │ │ - need for third-party solutions such as kiam or kube2iam. 
│ │ │ │ - Credential isolation — A container can only retrieve credentials for │ │ │ │ - the IAM role that is associated with the service account to which it │ │ │ │ - belongs. A container never has access to credentials that are intended for │ │ │ │ - another container that belongs to another pod. │ │ │ │ - Auditability — Access and event logging is available through CloudTrail │ │ │ │ - to help ensure retrospective auditing. │ │ │ │ - │ │ │ │ +{ │ │ │ │ + "Version": "2012-10-17", │ │ │ │ + "Statement": [ │ │ │ │ + { │ │ │ │ + "Effect": "Allow", │ │ │ │ + "Action": [ │ │ │ │ + "ecr:BatchCheckLayerAvailability", │ │ │ │ + "ecr:BatchGetImage", │ │ │ │ + "ecr:GetDownloadUrlForLayer", │ │ │ │ + "ecr:GetAuthorizationToken" │ │ │ │ + ], │ │ │ │ + "Resource": "*" │ │ │ │ + } │ │ │ │ + ] │ │ │ │ +} │ │ │ │ │ │ │ │ -To get started, see Enabling IAM roles for service accounts on your cluster. │ │ │ │ -For an end-to-end walkthrough using eksctl, see Walkthrough: Updating │ │ │ │ -a DaemonSet to use IAM for service accounts. │ │ │ │ - Is it the case that dedicated service accounts are used? │ │ │ │ + Is it the case that Cluster Service Account has read-only access to Amazon ECR? │ │ │ │ │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ -The output should return true. │ │ │ │ - Is it the case that the kubelet can modify kernel parameters? │ │ │ │ + │ │ │ │ + To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json, │ │ │ │ +run the command: │ │ │ │ +$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ +If properly configured, the output should indicate the following group-owner: │ │ │ │ +root │ │ │ │ + Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root? 
│ │ │ │ │ │ │ │ │ │ │ │ To check the permissions of /var/lib/kubelet/kubeconfig, │ │ │ │ run the command: │ │ │ │ $ ls -l /var/lib/kubelet/kubeconfig │ │ │ │ If properly configured, the output should indicate the following permissions: │ │ │ │ -rw-r--r-- │ │ │ │ Is it the case that /var/lib/kubelet/kubeconfig does not have unix mode -rw-r--r--? │ │ │ │ │ │ │ │ - │ │ │ │ - Perform the following to determine if CloudTrail is enabled for all regions: │ │ │ │ -Via the Management Console │ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks │ │ │ │ -2. Click on Cluster Name of the cluster you are auditing │ │ │ │ -3. Click Logging │ │ │ │ -4. Ensure all 5 choices are set to Enabled │ │ │ │ -Via CLI │ │ │ │ -aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}" --query 'cluster.logging.clusterLogging[?enabled==true].types' │ │ │ │ - │ │ │ │ -Perform the following to determine if CloudTrail is enabled for all regions: │ │ │ │ -Via The Management Console │ │ │ │ -1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks │ │ │ │ -2. Click on Cluster Name of the cluster you are auditing │ │ │ │ -3. Click Logging │ │ │ │ -4. Select Manage Logging from the button on the right hand side │ │ │ │ -5. Toggle each selection to the Enabled position. │ │ │ │ -6. Click Save Changes │ │ │ │ - Is it the case that audit logging is enable? │ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done │ │ │ │ -and make sure it outputs 0. │ │ │ │ - Is it the case that readOnlyPort is not secured? │ │ │ │ - │ │ │ │ - │ │ │ │ - Configure the EKS cluster endpoint to be private. 
See Modifying Cluster │ │ │ │ -Endpoint Access for further information on this topic. │ │ │ │ -https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html │ │ │ │ - Is it the case that private access is enabled and public access is disabled? │ │ │ │ - │ │ │ │ - │ │ │ │ + │ │ │ │ Audit: │ │ │ │ │ │ │ │ -For Amazon EKS clusters with Secrets Encryption enabled, look for │ │ │ │ -'encryptionConfig' configuration when you run: │ │ │ │ -aws eks describe-cluster --name="cluster-name" │ │ │ │ - │ │ │ │ -Remediation: │ │ │ │ +To Audit access to the namespace $NAMESPACE, assume the IAM role │ │ │ │ +yourIAMRoleName for a user that you created, and then run the following │ │ │ │ +command: │ │ │ │ │ │ │ │ -Enable 'Secrets Encryption' during Amazon EKS cluster creation as │ │ │ │ -described in the links within the 'References' section. │ │ │ │ +$ kubectl get role -n $NAMESPACE │ │ │ │ +The response lists the RBAC role that has access to this Namespace. │ │ │ │ │ │ │ │ -References: │ │ │ │ +Remediation: │ │ │ │ │ │ │ │ - https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html │ │ │ │ - https://eksworkshop.com/beginner/191_secrets/ │ │ │ │ +Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS │ │ │ │ +documentation. │ │ │ │ │ │ │ │ - Is it the case that kubernetes secrets are encrypted in etcd? │ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains │ │ │ │ -The output should return true. │ │ │ │ - Is it the case that the kubelet cannot modify the firewall settings? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To check the ownership of /var/lib/kubelet/kubeconfig, │ │ │ │ -run the command: │ │ │ │ -$ ls -lL /var/lib/kubelet/kubeconfig │ │ │ │ -If properly configured, the output should indicate the following owner: │ │ │ │ -root │ │ │ │ - Is it the case that /var/lib/kubelet/kubeconfig does not have an owner of root? │ │ │ │ +https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html │ │ │ │ + Is it the case that authorization and authentication is managed using AWS IAM? │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ Run the following command on the kubelet node(s): │ │ │ │ -$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done │ │ │ │ -The output should return true. │ │ │ │ - Is it the case that the kubelet cannot rotate server certificate? │ │ │ │ - │ │ │ │ - │ │ │ │ - To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json, │ │ │ │ -run the command: │ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ -If properly configured, the output should indicate the following group-owner: │ │ │ │ -root │ │ │ │ - Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root? │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done │ │ │ │ +The output should return nothing or true. │ │ │ │ + Is it the case that the kubelet cannot rotate client certificate? │ │ │ │ │ │ │ │ │ │ │ │ Audit: │ │ │ │ Check the existence of Fargate profiles in the Amazon EKS cluster by using: │ │ │ │ │ │ │ │ aws --region ${AWS_REGION} eks list-fargate-profiles --cluster-name ${CLUSTER_NAME} │ │ │ │ Alternatively, to audit for the presence of a Fargate profile node run the │ │ │ │ 
@@ -761,89 +630,94 @@ │ │ │ │ the specified namespace that also have the infrastructure: fargate │ │ │ │ Kubernetes label match the selector. │ │ │ │ On the Review and create page, review the information for your Fargate │ │ │ │ profile and choose Create. │ │ │ │ │ │ │ │ Is it the case that untrusted workloads are isolated? │ │ │ │ │ │ │ │ - │ │ │ │ - Verify that the every non-control plane namespace has an appropriate │ │ │ │ -NetworkPolicy. │ │ │ │ + │ │ │ │ + Audit: │ │ │ │ │ │ │ │ -To get all the non-control plane namespaces, you can do the │ │ │ │ -following command $ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]' │ │ │ │ +For Amazon EKS clusters with Secrets Encryption enabled, look for │ │ │ │ +'encryptionConfig' configuration when you run: │ │ │ │ +aws eks describe-cluster --name="cluster-name" │ │ │ │ │ │ │ │ -To get all the non-control plane namespaces with a NetworkPolicy, you can do the │ │ │ │ -following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' │ │ │ │ +Remediation: │ │ │ │ │ │ │ │ -Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check. │ │ │ │ +Enable 'Secrets Encryption' during Amazon EKS cluster creation as │ │ │ │ +described in the links within the 'References' section. 
│ │ │ │ │ │ │ │ -Make sure that the namespaces displayed in the commands of the commands match. │ │ │ │ - Is it the case that Namespaced Network Policies needs review? │ │ │ │ - │ │ │ │ - │ │ │ │ - To check the group ownership of /var/lib/kubelet/kubeconfig, │ │ │ │ -run the command: │ │ │ │ -$ ls -lL /var/lib/kubelet/kubeconfig │ │ │ │ -If properly configured, the output should indicate the following group-owner: │ │ │ │ -root │ │ │ │ - Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root? │ │ │ │ +References: │ │ │ │ + │ │ │ │ + https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html │ │ │ │ + https://eksworkshop.com/beginner/191_secrets/ │ │ │ │ + │ │ │ │ + Is it the case that kubernetes secrets are encrypted in etcd? │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done │ │ │ │ -The output should return enabled: false. │ │ │ │ - Is it the case that <tt>anonymous</tt> authentication is not set to <tt>false</tt>? │ │ │ │ +$ for node in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$node/proxy/configz | jq '.kubeletconfig.serverTLSBootstrap'; done │ │ │ │ +The output should return true. │ │ │ │ + Is it the case that the kubelet cannot rotate server certificate? │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ Audit: │ │ │ │ +Input: │ │ │ │ │ │ │ │ -To Audit access to the namespace $NAMESPACE, assume the IAM role │ │ │ │ -yourIAMRoleName for a user that you created, and then run the following │ │ │ │ -command: │ │ │ │ - │ │ │ │ -$ kubectl get role -n $NAMESPACE │ │ │ │ -The response lists the RBAC role that has access to this Namespace. 
│ │ │ │ +aws eks describe-cluster \ │ │ │ │ +--region region \ │ │ │ │ +--name clustername │ │ │ │ +Output: │ │ │ │ +... │ │ │ │ +"endpointPublicAccess": false, │ │ │ │ +"endpointPrivateAccess": true, │ │ │ │ +"publicAccessCidrs": [ │ │ │ │ +"203.0.113.5/32" │ │ │ │ +] │ │ │ │ +... │ │ │ │ │ │ │ │ Remediation: │ │ │ │ +Complete the following steps using the AWS CLI version 1.18.10 or later. You │ │ │ │ +can check your current version with aws --version. To install or │ │ │ │ +upgrade the AWS CLI, see Installing the AWS CLI. │ │ │ │ │ │ │ │ -Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS │ │ │ │ -documentation. │ │ │ │ +Update your cluster API server endpoint access with the following AWS CLI │ │ │ │ +command. Substitute your cluster name and desired endpoint access values. If │ │ │ │ +you set endpointPublicAccess=true, then you can (optionally) enter │ │ │ │ +single CIDR block, or a comma- separated list of CIDR blocks for │ │ │ │ +publicAccessCidrs. The blocks cannot include reserved addresses. If you │ │ │ │ +specify CIDR blocks, then the public API server endpoint will only receive │ │ │ │ +requests from the listed blocks. There is a maximum number of CIDR blocks │ │ │ │ +that you can specify. For more information, see Amazon EKS Service Quotas. If │ │ │ │ +you restrict access to your public endpoint using CIDR blocks, it is │ │ │ │ +recommended that you also enable private endpoint access so that worker nodes │ │ │ │ +and Fargate pods (if you use them) can communicate with the cluster. Without │ │ │ │ +the private endpoint enabled, your public access endpoint CIDR sources must │ │ │ │ +include the egress sources from your VPC. For example, if you have a worker │ │ │ │ +node in a private subnet that communicates to the internet through a NAT │ │ │ │ +Gateway, you will need to add the outbound IP address of the NAT gateway as │ │ │ │ +part of a whitelisted CIDR block on your public endpoint. 
If you specify no │ │ │ │ +CIDR blocks, then the public API server endpoint receives requests from all │ │ │ │ +(0.0.0.0/0) IP addresses. │ │ │ │ │ │ │ │ -https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html │ │ │ │ - Is it the case that authorization and authentication is managed using AWS IAM? │ │ │ │ - │ │ │ │ - │ │ │ │ - To enable Private Nodes, the cluster has to also be configured with a private │ │ │ │ -master IP range and IP Aliasing enabled. Private Nodes do not have outbound │ │ │ │ -access to the public internet. │ │ │ │ +Note │ │ │ │ +The following command enables private access and public access from a single IP address │ │ │ │ +for the API server endpoint. Replace 203.0.113.5/32 with a single CIDR block, or a comma- │ │ │ │ +separated list of CIDR blocks that you want to restrict network access to. │ │ │ │ │ │ │ │ -If you want to provide outbound Internet access for your private nodes, you │ │ │ │ -can use Cloud NAT or you can manage your own NAT gateway. │ │ │ │ - Is it the case that clusters are created with private nodes? │ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done │ │ │ │ -The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt. │ │ │ │ - Is it the case that no client CA certificate has been configured? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done │ │ │ │ -Verify that the output is not set to mode: AlwaysAllow, or missing │ │ │ │ -(defaults to mode: Webhook). │ │ │ │ - Is it the case that <tt>authorization-mode</tt> is not configured to <tt>Webhook</tt>? │ │ │ │ - │ │ │ │ - │ │ │ │ - For more information about protecting your workloads using TLS please refer │ │ │ │ -to the AWS User Guide: │ │ │ │ +Example command: │ │ │ │ │ │ │ │ -https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html │ │ │ │ - Is it the case that connections to load balancers and workloads are encrypted with TLS? │ │ │ │ +aws eks update-cluster-config \ │ │ │ │ +--region region-code \ │ │ │ │ +--name dev \ │ │ │ │ +--resources-vpc-config \ │ │ │ │ +endpointPublicAccess=true, \ │ │ │ │ +publicAccessCidrs="203.0.113.5/32",\ │ │ │ │ +endpointPrivateAccess=true │ │ │ │ + Is it the case that the control plane endpoint is secure? │ │ │ │ │ │ │ │ │ │ │ │ Network Policy requires the Network Policy add-on. This add-on is included │ │ │ │ automatically when a cluster with Network Policy is created, but for an │ │ │ │ existing cluster, needs to be added prior to enabling Network Policy. │ │ │ │ │ │ │ │ Enabling/Disabling Network Policy causes a rolling update of all cluster │ │ │ │ 
@@ -857,35 +731,147 @@ │ │ │ │ │ │ │ │ Enabling Network Policy enforcement consumes additional resources in nodes. │ │ │ │ Specifically, it increases the memory footprint of the kube-system │ │ │ │ process by approximately 128MB, and requires approximately 300 millicores of │ │ │ │ CPU. │ │ │ │ Is it the case that network policy is enabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json, │ │ │ │ -run the command: │ │ │ │ -$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ -If properly configured, the output should indicate the following owner: │ │ │ │ -root │ │ │ │ - Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root? │ │ │ │ + │ │ │ │ + To enable Private Nodes, the cluster has to also be configured with a private │ │ │ │ +master IP range and IP Aliasing enabled. Private Nodes do not have outbound │ │ │ │ +access to the public internet. │ │ │ │ + │ │ │ │ +If you want to provide outbound Internet access for your private nodes, you │ │ │ │ +can use Cloud NAT or you can manage your own NAT gateway. │ │ │ │ + Is it the case that clusters are created with private nodes? │ │ │ │ + │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done │ │ │ │ +The output should not return 0. │ │ │ │ + Is it the case that the streaming connection timeouts are not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + Remediation: │ │ │ │ + │ │ │ │ +Before you use IAM to manage access to Amazon ECR, you should understand what │ │ │ │ +IAM features are available to use with Amazon ECR. 
To get a high-level view │ │ │ │ +of how Amazon ECR and other AWS services work with IAM, see AWS Services That │ │ │ │ +Work with IAM in the IAM User Guide. │ │ │ │ + │ │ │ │ +Topics │ │ │ │ + │ │ │ │ + │ │ │ │ +Amazon ECR Identity-Based Policies │ │ │ │ +Amazon ECR Resource-Based Policies │ │ │ │ +Authorization Based on Amazon ECR Tags │ │ │ │ +Amazon ECR IAM Roles │ │ │ │ + │ │ │ │ + │ │ │ │ +Amazon ECR Identity-Based Policies │ │ │ │ + │ │ │ │ +With IAM identity-based policies, you can specify allowed or denied actions │ │ │ │ +and resources as well as the conditions under which actions are allowed or │ │ │ │ +denied. Amazon ECR supports specific actions, resources, and condition keys. │ │ │ │ +To learn about all of the elements that you use in a JSON policy, see IAM │ │ │ │ +JSON Policy Elements Reference in the IAM User Guide. │ │ │ │ + │ │ │ │ +Actions │ │ │ │ + │ │ │ │ +The Action element of an IAM identity-based policy describes the specific │ │ │ │ +action or actions that will be allowed or denied by the policy. Policy │ │ │ │ +actions usually have the same name as the associated AWS API operation. The │ │ │ │ +action is used in a policy to grant permissions to perform the associated │ │ │ │ +operation. │ │ │ │ + │ │ │ │ +Policy actions in Amazon ECR use the following prefix before the action: │ │ │ │ +ecr:. For example, to grant someone permission to create an Amazon ECR │ │ │ │ +repository with the Amazon ECR CreateRepository API operation, you include │ │ │ │ +the ecr:CreateRepository action in their policy. Policy statements must │ │ │ │ +include either an Action or NotAction element. Amazon ECR defines its own set │ │ │ │ +of actions that describe tasks that you can perform with this service. To │ │ │ │ +specify multiple actions in a single statement, separate them with commas as │ │ │ │ +follows: "Action": [ "ecr:action1", "ecr:action2" You can specify │ │ │ │ +multiple actions using wildcards (*). 
For example, to specify all │ │ │ │ +actions that begin with the word Describe, include the following action: │ │ │ │ +"Action": "ecr:Describe*" To see a list of Amazon ECR actions, see │ │ │ │ +Actions, Resources, and Condition Keys for Amazon Elastic Container │ │ │ │ +Registry in the IAM User Guide. │ │ │ │ + │ │ │ │ +Resources │ │ │ │ + │ │ │ │ +The Resource element specifies the object or objects to which the action │ │ │ │ +applies. Statements must include either a Resource or a NotResource element. │ │ │ │ +You specify a resource using an ARN or using the wildcard (*) to │ │ │ │ +indicate that the statement applies to all resources. │ │ │ │ + │ │ │ │ +An Amazon ECR repository resource has the following ARN: │ │ │ │ +arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name} │ │ │ │ +For more information about the format of ARNs, see Amazon Resource Names │ │ │ │ +(ARNs) and AWS Service Namespaces. │ │ │ │ +For example, to specify the my-repo repository in the us-east-1 Region in │ │ │ │ +your statement, use the following ARN: │ │ │ │ +"Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-repo" │ │ │ │ +To specify all repositories that belong to a specific account, use the │ │ │ │ +wildcard (*): "Resource": │ │ │ │ +"arn:aws:ecr:us-east-1:123456789012:repository/*" │ │ │ │ +To specify multiple resources in a single statement, separate the ARNs with │ │ │ │ +commas. "Resource": [ "resource1", "resource2" │ │ │ │ +To see a list of Amazon ECR resource types and their ARNs, see Resources │ │ │ │ +Defined by Amazon Elastic Container Registry in the IAM User Guide. To learn │ │ │ │ +with which actions you can specify the ARN of each resource, see Actions │ │ │ │ +Defined by Amazon Elastic Container Registry. │ │ │ │ + │ │ │ │ +Condition Keys │ │ │ │ + │ │ │ │ +The Condition element (or Condition block) lets you specify conditions in │ │ │ │ +which a statement is in effect. The Condition element is optional. 
You can │ │ │ │ +build conditional expressions that use condition operators, such as equals or │ │ │ │ +less than, to match the condition in the policy with values in the request. │ │ │ │ +If you specify multiple Condition elements in a statement, or multiple keys │ │ │ │ +in a single Condition element, AWS evaluates them using a logical AND │ │ │ │ +operation. If you specify multiple values for a single condition key, AWS │ │ │ │ +evaluates the condition using a logical OR operation. All of the conditions │ │ │ │ +must be met before the statement's permissions are granted. │ │ │ │ +You can also use placeholder variables when you specify conditions. For │ │ │ │ +example, you can grant an IAM user permission to access a resource only if it │ │ │ │ +is tagged with their IAM user name. For more information, see IAM Policy │ │ │ │ +Elements: Variables and Tags in the IAM User Guide. │ │ │ │ +Amazon ECR defines its own set of condition keys and also supports using some global │ │ │ │ +condition keys. To see all AWS global condition keys, see AWS Global Condition Context │ │ │ │ +Keys in the IAM User Guide. │ │ │ │ +Most Amazon ECR actions support the aws:ResourceTag and ecr:ResourceTag │ │ │ │ +condition keys. For more information, see Using Tag-Based Access Control. To │ │ │ │ +see a list of Amazon ECR condition keys, see Condition Keys Defined by Amazon │ │ │ │ +Elastic Container Registry in the IAM User Guide. To learn with which actions │ │ │ │ +and resources you can use a condition key, see Actions Defined by Amazon │ │ │ │ +Elastic Container Registry. │ │ │ │ + Is it the case that access to the container image registry is restricted? │ │ │ │ │ │ │ │ │ │ │ │ Ensure all containers and images are coming from approved registries. │ │ │ │ │ │ │ │ References: │ │ │ │ │ │ │ │ https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/ │ │ │ │ Is it the case that container images come from approved registries? 
│ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done │ │ │ │ -The output should not return 0. │ │ │ │ - Is it the case that the streaming connection timeouts are not disabled? │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done │ │ │ │ +and make sure it outputs 0. │ │ │ │ + Is it the case that readOnlyPort is not secured? │ │ │ │ + │ │ │ │ + │ │ │ │ + To check the ownership of /var/lib/kubelet/kubeconfig, │ │ │ │ +run the command: │ │ │ │ +$ ls -lL /var/lib/kubelet/kubeconfig │ │ │ │ +If properly configured, the output should indicate the following owner: │ │ │ │ +root │ │ │ │ + Is it the case that /var/lib/kubelet/kubeconfig does not have an owner of root? │ │ │ │ │ │ │ │ │ │ │ │ Please follow AWS ECS or your 3rd party image scanning provider's guidelines │ │ │ │ for enabling Image Scanning. │ │ │ │ │ │ │ │ Remediation: │ │ │ │ │ │ │ │ 
@@ -904,124 +890,138 @@ │ │ │ │ 1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories. │ │ │ │ 2. From the navigation bar, choose the Region to create your repository in. │ │ │ │ 3. In the navigation pane, choose Repositories. │ │ │ │ 4. On the Repositories page, choose the repository that contains the image to scan. │ │ │ │ 5. On the Images page, select the image to scan and then choose Scan. │ │ │ │ Is it the case that image vulnerability scanning is enabled? │ │ │ │ │ │ │ │ - │ │ │ │ - Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions │ │ │ │ -to verify that they are set and the minimum required level. If utilizing a │ │ │ │ -3rd party tool to scan images utilize the minimum required permission level │ │ │ │ -required to interact with the cluster - generally this should be read-only. │ │ │ │ - │ │ │ │ -Remediation: │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains │ │ │ │ +The output should return true. │ │ │ │ + Is it the case that the kubelet cannot modify the firewall settings? │ │ │ │ + │ │ │ │ + │ │ │ │ + Verify that the every non-control plane namespace has an appropriate │ │ │ │ +NetworkPolicy. │ │ │ │ │ │ │ │ -You can use your Amazon ECR images with Amazon EKS, but you need to satisfy │ │ │ │ -the following prerequisites. │ │ │ │ -The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your │ │ │ │ -worker nodes must possess the following IAM policy permissions for Amazon │ │ │ │ -ECR. 
│ │ │ │ +To get all the non-control plane namespaces, you can do the │ │ │ │ +following command $ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.name ]' │ │ │ │ │ │ │ │ +To get all the non-control plane namespaces with a NetworkPolicy, you can do the │ │ │ │ +following command $ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | unique' │ │ │ │ │ │ │ │ -{ │ │ │ │ - "Version": "2012-10-17", │ │ │ │ - "Statement": [ │ │ │ │ - { │ │ │ │ - "Effect": "Allow", │ │ │ │ - "Action": [ │ │ │ │ - "ecr:BatchCheckLayerAvailability", │ │ │ │ - "ecr:BatchGetImage", │ │ │ │ - "ecr:GetDownloadUrlForLayer", │ │ │ │ - "ecr:GetAuthorizationToken" │ │ │ │ - ], │ │ │ │ - "Resource": "*" │ │ │ │ - } │ │ │ │ - ] │ │ │ │ -} │ │ │ │ +Namespaces matching the variable ocp4-var-network-policies-namespaces-exempt-regex regex are excluded from this check. │ │ │ │ │ │ │ │ - Is it the case that Cluster Service Account has read-only access to Amazon ECR? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done │ │ │ │ -The output should return nothing or true. │ │ │ │ - Is it the case that the kubelet cannot rotate client certificate? │ │ │ │ - │ │ │ │ - │ │ │ │ - Run the following command on the kubelet node(s): │ │ │ │ -$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ -The output should return {{ .var_streaming_connection_timeouts }}. │ │ │ │ - Is it the case that the streaming connection timeouts are not disabled? │ │ │ │ +Make sure that the namespaces displayed in the commands of the commands match. │ │ │ │ + Is it the case that Namespaced Network Policies needs review? │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ Run the following command on the kubelet node(s): │ │ │ │ -$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done │ │ │ │ -The output should return nothing or true. │ │ │ │ - Is it the case that the kubelet cannot rotate client certificate? │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done │ │ │ │ +The output should return enabled: false. │ │ │ │ + Is it the case that <tt>anonymous</tt> authentication is not set to <tt>false</tt>? 
│ │ │ │ │ │ │ │ │ │ │ │ To check the permissions of /etc/kubernetes/kubelet/kubelet-config.json, │ │ │ │ run the command: │ │ │ │ $ ls -l /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ If properly configured, the output should indicate the following permissions: │ │ │ │ -rw-r--r-- │ │ │ │ Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have unix mode -rw-r--r--? │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ + Configure the EKS cluster endpoint to be private. See Modifying Cluster │ │ │ │ +Endpoint Access for further information on this topic. │ │ │ │ +https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html │ │ │ │ + Is it the case that private access is enabled and public access is disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + Perform the following to determine if CloudTrail is enabled for all regions: │ │ │ │ +Via the Management Console │ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks │ │ │ │ +2. Click on Cluster Name of the cluster you are auditing │ │ │ │ +3. Click Logging │ │ │ │ +4. Ensure all 5 choices are set to Enabled │ │ │ │ +Via CLI │ │ │ │ +aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}" --query 'cluster.logging.clusterLogging[?enabled==true].types' │ │ │ │ + │ │ │ │ +Perform the following to determine if CloudTrail is enabled for all regions: │ │ │ │ +Via The Management Console │ │ │ │ +1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks │ │ │ │ +2. Click on Cluster Name of the cluster you are auditing │ │ │ │ +3. Click Logging │ │ │ │ +4. Select Manage Logging from the button on the right hand side │ │ │ │ +5. Toggle each selection to the Enabled position. │ │ │ │ +6. Click Save Changes │ │ │ │ + Is it the case that audit logging is enable? 
│ │ │ │ + │ │ │ │ + │ │ │ │ + For more information about protecting your workloads using TLS please refer │ │ │ │ +to the AWS User Guide: │ │ │ │ + │ │ │ │ +https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html │ │ │ │ + Is it the case that connections to load balancers and workloads are encrypted with TLS? │ │ │ │ + │ │ │ │ + │ │ │ │ Audit: │ │ │ │ -Input: │ │ │ │ │ │ │ │ -aws eks describe-cluster \ │ │ │ │ ---region region \ │ │ │ │ ---name clustername │ │ │ │ -Output: │ │ │ │ -... │ │ │ │ -"endpointPublicAccess": false, │ │ │ │ -"endpointPrivateAccess": true, │ │ │ │ -"publicAccessCidrs": [ │ │ │ │ -"203.0.113.5/32" │ │ │ │ -] │ │ │ │ -... │ │ │ │ +For each namespace in the cluster, review the rights assigned to the default │ │ │ │ +service account and ensure that it has no roles or cluster roles bound to it │ │ │ │ +apart from the defaults. Additionally ensure that the │ │ │ │ +automountServiceAccountToken: false setting is in place for each │ │ │ │ +default service account. │ │ │ │ │ │ │ │ Remediation: │ │ │ │ -Complete the following steps using the AWS CLI version 1.18.10 or later. You │ │ │ │ -can check your current version with aws --version. To install or │ │ │ │ -upgrade the AWS CLI, see Installing the AWS CLI. │ │ │ │ │ │ │ │ -Update your cluster API server endpoint access with the following AWS CLI │ │ │ │ -command. Substitute your cluster name and desired endpoint access values. If │ │ │ │ -you set endpointPublicAccess=true, then you can (optionally) enter │ │ │ │ -single CIDR block, or a comma- separated list of CIDR blocks for │ │ │ │ -publicAccessCidrs. The blocks cannot include reserved addresses. If you │ │ │ │ -specify CIDR blocks, then the public API server endpoint will only receive │ │ │ │ -requests from the listed blocks. There is a maximum number of CIDR blocks │ │ │ │ -that you can specify. For more information, see Amazon EKS Service Quotas. 
If │ │ │ │ -you restrict access to your public endpoint using CIDR blocks, it is │ │ │ │ -recommended that you also enable private endpoint access so that worker nodes │ │ │ │ -and Fargate pods (if you use them) can communicate with the cluster. Without │ │ │ │ -the private endpoint enabled, your public access endpoint CIDR sources must │ │ │ │ -include the egress sources from your VPC. For example, if you have a worker │ │ │ │ -node in a private subnet that communicates to the internet through a NAT │ │ │ │ -Gateway, you will need to add the outbound IP address of the NAT gateway as │ │ │ │ -part of a whitelisted CIDR block on your public endpoint. If you specify no │ │ │ │ -CIDR blocks, then the public API server endpoint receives requests from all │ │ │ │ -(0.0.0.0/0) IP addresses. │ │ │ │ +With IAM roles for service accounts on Amazon EKS clusters, you can associate │ │ │ │ +an IAM role with a Kubernetes service account. This service account can then │ │ │ │ +provide AWS permissions to the containers in any pod that uses that service │ │ │ │ +account. With this feature, you no longer need to provide extended │ │ │ │ +permissions to the worker node IAM role so that pods on that node can call │ │ │ │ +AWS APIs. │ │ │ │ +Applications must sign their AWS API requests with AWS credentials. This │ │ │ │ +feature provides a strategy for managing credentials for your applications, │ │ │ │ +similar to the way that Amazon EC2 instance profiles provide credentials to │ │ │ │ +Amazon EC2 instances. Instead of creating and distributing your AWS │ │ │ │ +credentials to the containers or using the Amazon EC2 instance’s role, you │ │ │ │ +can associate an IAM role with a Kubernetes service account. The applications │ │ │ │ +in the pod’s containers can then use an AWS SDK or the AWS CLI to make API │ │ │ │ +requests to authorized AWS services. 
│ │ │ │ │ │ │ │ -Note │ │ │ │ -The following command enables private access and public access from a single IP address │ │ │ │ -for the API server endpoint. Replace 203.0.113.5/32 with a single CIDR block, or a comma- │ │ │ │ -separated list of CIDR blocks that you want to restrict network access to. │ │ │ │ +The IAM roles for service accounts feature provides the following benefits: │ │ │ │ │ │ │ │ -Example command: │ │ │ │ │ │ │ │ -aws eks update-cluster-config \ │ │ │ │ ---region region-code \ │ │ │ │ ---name dev \ │ │ │ │ ---resources-vpc-config \ │ │ │ │ -endpointPublicAccess=true, \ │ │ │ │ -publicAccessCidrs="203.0.113.5/32",\ │ │ │ │ -endpointPrivateAccess=true │ │ │ │ - Is it the case that the control plane endpoint is secure? │ │ │ │ + Least privilege — By using the IAM roles for service accounts feature, │ │ │ │ + you no longer need to provide extended permissions to the worker node IAM │ │ │ │ + role so that pods on that node can call AWS APIs. You can scope IAM │ │ │ │ + permissions to a service account, and only pods that use that service │ │ │ │ + account have access to those permissions. This feature also eliminates the │ │ │ │ + need for third-party solutions such as kiam or kube2iam. │ │ │ │ + Credential isolation — A container can only retrieve credentials for │ │ │ │ + the IAM role that is associated with the service account to which it │ │ │ │ + belongs. A container never has access to credentials that are intended for │ │ │ │ + another container that belongs to another pod. │ │ │ │ + Auditability — Access and event logging is available through CloudTrail │ │ │ │ + to help ensure retrospective auditing. │ │ │ │ + │ │ │ │ + │ │ │ │ +To get started, see Enabling IAM roles for service accounts on your cluster. │ │ │ │ +For an end-to-end walkthrough using eksctl, see Walkthrough: Updating │ │ │ │ +a DaemonSet to use IAM for service accounts. │ │ │ │ + Is it the case that dedicated service accounts are used? 
│ │ │ │ + │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json │ │ │ │ +The output should return true. │ │ │ │ + Is it the case that the kubelet can modify kernel parameters? │ │ │ │ + │ │ │ │ + │ │ │ │ + Run the following command on the kubelet node(s): │ │ │ │ +$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done │ │ │ │ +Verify that the output is not set to mode: AlwaysAllow, or missing │ │ │ │ +(defaults to mode: Webhook). │ │ │ │ + Is it the case that <tt>authorization-mode</tt> is not configured to <tt>Webhook</tt>? │ │ │ │ │ │ │ │ │ │ │ │ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml │ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml │ │ │ │┄ Ordering differences only │ │ │ │ 
@@ -5207,311 +5207,311 @@ │ │ │ │ │ │ │ │ build_shorthand.py from SCAP Security Guide │ │ │ │ ssg: 0.1.76 │ │ │ │ 2.0 │ │ │ │ 2025-03-01T08:08:00 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable JavaScript's Moving Or Resizing Windows Capability │ │ │ │ - │ │ │ │ - ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ │ │ │ │ Supported Version of Firefox Installed │ │ │ │ │ │ │ │ ocil:ssg-installed_firefox_version_supported_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Firefox Studies │ │ │ │ + │ │ │ │ + Disable Firefox network prediction │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-disable_studies_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-network_prediction_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable JavaScript's Raise Or Lower Windows Capability │ │ │ │ + │ │ │ │ + Disabled Firefox Extension Recommendations │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Shared System Certificates │ │ │ │ + │ │ │ │ + Disable Firefox Pocket │ │ │ │ │ │ │ │ - ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-disable_pocket_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Firefox autoplay must be disabled. 
│ │ │ │ + │ │ │ │ + Disable Firefox Development Tools │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-autoplay_video_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-development_tools_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Certificate Verification │ │ │ │ + │ │ │ │ + Enabled Firefox Fingerprinting Protection │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-verification_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure the Content Blocker uBlock Origin is Installed │ │ │ │ + │ │ │ │ + Enable Firefox Pop-up Blocker │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-content_blocker_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enabled Firefox Fingerprinting Protection │ │ │ │ + │ │ │ │ + Firefox must prevent the user from quickly deleting data. │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-forget_button_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enabled Firefox Enhanced Tracking Protection │ │ │ │ + │ │ │ │ + Disable Installed Search Plugins Update Checking │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-search_update_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disabled Firefox Extension Recommendations │ │ │ │ + │ │ │ │ + Firefox search suggestions must be disabled. 
│ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-search_suggestion_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Firefox Pocket │ │ │ │ + │ │ │ │ + Ensure the Content Blocker uBlock Origin is Installed │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-disable_pocket_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-content_blocker_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Firefox must be configured to not automatically update installed add-ons and plugins. │ │ │ │ + │ │ │ │ + Disable auto-download for proscribed MIME types. │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-extension_update_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Firefox must prevent the user from quickly deleting data. │ │ │ │ + │ │ │ │ + Enable Shared System Certificates │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-forget_button_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Firefox Pop-up Blocker │ │ │ │ + │ │ │ │ + Disable Firefox Studies │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-disable_studies_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Enabled Firefox Enhanced Tracking Protection │ │ │ │ + │ │ │ │ + ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Enable Certificate Verification │ │ │ │ + │ │ │ │ + ocil:ssg-firefox_policy-verification_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Disable Firefox deprecated ciphers │ │ │ │ │ │ │ │ ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Firefox private browsing must be disabled. 
│ │ │ │ │ │ │ │ ocil:ssg-firefox_policy-private_browsing_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Firefox Development Tools │ │ │ │ - │ │ │ │ - ocil:ssg-firefox_policy-development_tools_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Disable Firefox network prediction │ │ │ │ + │ │ │ │ + Disable JavaScript's Moving Or Resizing Windows Capability │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-network_prediction_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ The DoD Root Certificate Exists │ │ │ │ │ │ │ │ ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Firefox Telemetry │ │ │ │ + │ │ │ │ + Disable JavaScript's Raise Or Lower Windows Capability │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-telemetry_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Firefox search suggestions must be disabled. │ │ │ │ + │ │ │ │ + Firefox autoplay must be disabled. │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-search_suggestion_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-autoplay_video_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enabled Firefox Cryptomining protection │ │ │ │ + │ │ │ │ + Disable Firefox Telemetry │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-cryptomining_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-telemetry_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable auto-download for proscribed MIME types. │ │ │ │ + │ │ │ │ + Firefox must be configured to not automatically update installed add-ons and plugins. 
│ │ │ │ │ │ │ │ - ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-extension_update_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Installed Search Plugins Update Checking │ │ │ │ + │ │ │ │ + Enabled Firefox Cryptomining protection │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-search_update_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-cryptomining_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ 
│ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ 
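Review bot: The new side of this hunk differs from the first build only in the order of the question and test-action entries (every section on the page is flagged "Ordering differences only"), so the datastream is not reproducible across rebuilds even though the set of checks is identical; the same reorder appears in the @@ -5519, @@ -5670 and @@ -5798 hunks of ssg-firefox-ds.xml and in the ssg-firefox-ocil.xml hunks that follow. The generator named in the hunk header, build_shorthand.py, presumably walks an unordered collection when emitting the OCIL questionnaire; sorting the entries by their stable identifier (the `ocil:ssg-…_action:testaction:1` reference each item already carries) before serialising would make the output order deterministic. Until that is fixed, a rebuild verifier comparing the shipped artefact byte-for-byte cannot tell this benign reorder from a substantive change without reading the full diff, which weakens the reproducibility guarantee this package is being checked for.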
@@ -5519,148 +5519,78 @@ │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that JavaScript cannot change windows sizing, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following uder dom.disable_window_move_resize: │ │ │ │ -"Value": true, │ │ │ │ -"Status": "locked", │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ - │ │ │ │ │ │ │ │ If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or │ │ │ │ a yum server which provides updates, invoking the following command will │ │ │ │ indicate if updates are available: │ │ │ │ $ sudo yum check-update │ │ │ │ If the system is not configured to update from one of these sources, │ │ │ │ run the following command to list when each package was last updated: │ │ │ │ $ rpm -qa -last │ │ │ │ Compare this to Red Hat Security Advisories (RHSA) listed at │ │ │ │ │ │ │ │ https://access.redhat.com/security/updates/active/ │ │ │ │ to determine if the system is missing applicable updates. │ │ │ │ Is it the case that it is not updated? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that Studies is disabled, │ │ │ │ + │ │ │ │ + To verify that network prediction is disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following: │ │ │ │ -"DisableFirefoxStudies": true │ │ │ │ - Is it the case that ? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that JavaScript cannot change windows sizing, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following uder dom.disable_window_flip: │ │ │ │ -"Value": true, │ │ │ │ -"Status": "locked", │ │ │ │ +"NetworkPrediction": false │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the central system cerificate authority store is enabled, │ │ │ │ -run the following command: │ │ │ │ -$ ls -l /etc/alternatives/libnssckbi.so.x86_64 │ │ │ │ -The output should return something similar to: │ │ │ │ -lrwxrwxrwx. 1 root root 34 Apr 30 09:19 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so │ │ │ │ - Is it the case that it is not enabled? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that search suggestions are disabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following under Permissions -> Autoplay: │ │ │ │ -"Default": "block-audio-video" │ │ │ │ - Is it the case that ? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that certificate verification is enabled, type the following into the browser address bar: │ │ │ │ - about:policies │ │ │ │ -The output should have the following under security.default_personal_cert: │ │ │ │ -Value: "Ask Every Time" │ │ │ │ -Status: "locked" │ │ │ │ - Is it the case that it is not enabled? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following under ExtensionSettings: │ │ │ │ -"uBlock0@raymondhill.net": { │ │ │ │ -" "installation_mode":"normal_installed", │ │ │ │ -" "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi", │ │ │ │ -" "updates_disabled":false} │ │ │ │ - Is it the case that ? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that fingerprinting protection is enabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following under EnableTrackingProtection: │ │ │ │ -"Fingerprinting": true │ │ │ │ - Is it the case that ? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that enhanced tracking protection is enabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following under Preferences -> browser.contentblocking.category: │ │ │ │ -"Value": "strict" │ │ │ │ -"Status": "locked" │ │ │ │ - Is it the case that ? │ │ │ │ - │ │ │ │ │ │ │ │ To verify that enhanced tracking protection is enabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following under Preferences -> extensions.htmlaboutaddons.recommendations.enabled: │ │ │ │ "Value": false │ │ │ │ "Status": "locked" │ │ │ │ 
@@ -5670,102 +5600,73 @@ │ │ │ │ To verify that Pocket is disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following: │ │ │ │ "DisablePocket": true │ │ │ │ Is it the case that ? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that certificate verification is enabled, │ │ │ │ + │ │ │ │ + To verify that Firefox Development Tools are disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following: │ │ │ │ -"ExtensionUpdate": false │ │ │ │ -Status: "locked" │ │ │ │ - Is it the case that it is not enabled? │ │ │ │ +"DisableDeveloperTools": true, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that users cannot access the forget button, │ │ │ │ + │ │ │ │ + To verify that fingerprinting protection is enabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ -The output should have the following: │ │ │ │ -"DisableForgetButon": true │ │ │ │ +The output should have the following under EnableTrackingProtection: │ │ │ │ +"Fingerprinting": true │ │ │ │ Is it the case that ? │ │ │ │ │ │ │ │ │ │ │ │ To verify that pop-up blocker is enabled, │ │ │ │ run the following command: │ │ │ │ $ grep -B10 'PopupBlocking' FIREFOX_INSTALL_DIR/*.cfg │ │ │ │ The output should include: │ │ │ │ "Default": true │ │ │ │ "Locked": true │ │ │ │ Is it the case that it is not enabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that deprecated ciphers are disabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following under DisabledCiphers: │ │ │ │ -"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true │ │ │ │ - Is it the case that ? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that private browsing is disabled │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following uder dom.disable_window_move_resize: │ │ │ │ -"DisablePrivateBrowsing": true │ │ │ │ - Is it the case that ? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that Firefox Development Tools are disabled, │ │ │ │ + │ │ │ │ + To verify that users cannot access the forget button, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following: │ │ │ │ -"DisableDeveloperTools": true, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ +"DisableForgetButon": true │ │ │ │ + Is it the case that ? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that network prediction is disabled, │ │ │ │ + │ │ │ │ + To verify that checks for installed search plugin updates are disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ -The output should have the following: │ │ │ │ -"NetworkPrediction": false │ │ │ │ +The output should have the following under browser.search.update: │ │ │ │ +Value: false │ │ │ │ +Status: "locked" │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the DoD root certificate is installed, │ │ │ │ -list all certificates in /etc/pki/ca-trust/source/anchors │ │ │ │ -and compare them to the DoD root certificate. If there is a match │ │ │ │ -to the DoD root certificate, then the DoD root certificate is │ │ │ │ -installed. │ │ │ │ - Is it the case that it is not installed? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that Firefox telemetry is disabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following: │ │ │ │ -"DisableTelemetry": true │ │ │ │ - Is it the case that ? 
│ │ │ │ - │ │ │ │ │ │ │ │ To verify that search suggestions are disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following: │ │ │ │ "SearchSuggestEnabled": false │ │ │ │ Is it the case that ? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that cryptomining protection is enabled, │ │ │ │ + │ │ │ │ + To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ -The output should have the following under EnableTrackingProtection: │ │ │ │ -"Cryptomining": true │ │ │ │ +The output should have the following under ExtensionSettings: │ │ │ │ +"uBlock0@raymondhill.net": { │ │ │ │ +" "installation_mode":"normal_installed", │ │ │ │ +" "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi", │ │ │ │ +" "updates_disabled":false} │ │ │ │ Is it the case that ? │ │ │ │ │ │ │ │ │ │ │ │ To verify that any proscribed file types are configured for automatic download, │ │ │ │ type "about:preferences" into the search bar, then │ │ │ │ type "Applications" in the Find bar in the upper-right corner. │ │ │ │ If any of the following file extensions are listed and the Action item associated with it │ │ │ │ 
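Review bot: Several of the OCIL check texts on the new side describe one check but quote another, so an auditor following them as written will look for the wrong value: in this hunk the forget-button check quotes `"DisableForgetButon": true`, which is missing a letter against the Firefox policy name `DisableForgetButton` and will never be found in about:policies; in the @@ -5798 hunk the private-browsing check tells the reader to look "uder dom.disable_window_move_resize" for a top-level `DisablePrivateBrowsing` policy, the autoplay check opens with "To verify that search suggestions are disabled", the extension-update check opens with "To verify that certificate verification is enabled", and the raise/lower-windows check reuses the "cannot change windows sizing" wording of the resize check (plus "cerificate" and "uder" typos). These lines are only moved by this rebuild, not introduced by it, but they are the text a reviewer is asked to execute, so a wrong key or heading silently produces a false pass or fail. Since this file is generated, the corrections belong in each rule's OCIL source rather than in the datastream itself.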
@@ -5798,23 +5699,122 @@ │ │ │ │ WB3 │ │ │ │ WCH │ │ │ │ WCM │ │ │ │ AD │ │ │ │ │ │ │ │ Is it the case that ? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that checks for installed search plugin updates are disabled, │ │ │ │ + │ │ │ │ + To verify that the central system cerificate authority store is enabled, │ │ │ │ +run the following command: │ │ │ │ +$ ls -l /etc/alternatives/libnssckbi.so.x86_64 │ │ │ │ +The output should return something similar to: │ │ │ │ +lrwxrwxrwx. 1 root root 34 Apr 30 09:19 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so │ │ │ │ + Is it the case that it is not enabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that Studies is disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ -The output should have the following under browser.search.update: │ │ │ │ -Value: false │ │ │ │ +The output should have the following: │ │ │ │ +"DisableFirefoxStudies": true │ │ │ │ + Is it the case that ? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that enhanced tracking protection is enabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following under Preferences -> browser.contentblocking.category: │ │ │ │ +"Value": "strict" │ │ │ │ +"Status": "locked" │ │ │ │ + Is it the case that ? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that certificate verification is enabled, type the following into the browser address bar: │ │ │ │ + about:policies │ │ │ │ +The output should have the following under security.default_personal_cert: │ │ │ │ +Value: "Ask Every Time" │ │ │ │ Status: "locked" │ │ │ │ + Is it the case that it is not enabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that deprecated ciphers are disabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following under DisabledCiphers: │ │ │ │ +"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true │ │ │ │ + Is it the case that ? 
│ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that private browsing is disabled │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following uder dom.disable_window_move_resize: │ │ │ │ +"DisablePrivateBrowsing": true │ │ │ │ + Is it the case that ? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that JavaScript cannot change windows sizing, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following uder dom.disable_window_move_resize: │ │ │ │ +"Value": true, │ │ │ │ +"Status": "locked", │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that the DoD root certificate is installed, │ │ │ │ +list all certificates in /etc/pki/ca-trust/source/anchors │ │ │ │ +and compare them to the DoD root certificate. If there is a match │ │ │ │ +to the DoD root certificate, then the DoD root certificate is │ │ │ │ +installed. │ │ │ │ + Is it the case that it is not installed? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that JavaScript cannot change windows sizing, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following uder dom.disable_window_flip: │ │ │ │ +"Value": true, │ │ │ │ +"Status": "locked", │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ + │ │ │ │ + To verify that search suggestions are disabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following under Permissions -> Autoplay: │ │ │ │ +"Default": "block-audio-video" │ │ │ │ + Is it the case that ? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that Firefox telemetry is disabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following: │ │ │ │ +"DisableTelemetry": true │ │ │ │ + Is it the case that ? 
│ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that certificate verification is enabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following: │ │ │ │ +"ExtensionUpdate": false │ │ │ │ +Status: "locked" │ │ │ │ + Is it the case that it is not enabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that cryptomining protection is enabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following under EnableTrackingProtection: │ │ │ │ +"Cryptomining": true │ │ │ │ + Is it the case that ? │ │ │ │ + │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ build_cpe.py from SCAP Security Guide │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ocil.xml │ │ │ ├── ./usr/share/xml/scap/ssg/content/ssg-firefox-ocil.xml │ │ │ │┄ Ordering differences only │ │ │ │ 
@@ -3,311 +3,311 @@ │ │ │ │ │ │ │ │ build_shorthand.py from SCAP Security Guide │ │ │ │ ssg: 0.1.76 │ │ │ │ 2.0 │ │ │ │ 2025-03-01T08:08:00 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable JavaScript's Moving Or Resizing Windows Capability │ │ │ │ - │ │ │ │ - ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ │ │ │ │ Supported Version of Firefox Installed │ │ │ │ │ │ │ │ ocil:ssg-installed_firefox_version_supported_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Firefox Studies │ │ │ │ + │ │ │ │ + Disable Firefox network prediction │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-disable_studies_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-network_prediction_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable JavaScript's Raise Or Lower Windows Capability │ │ │ │ + │ │ │ │ + Disabled Firefox Extension Recommendations │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Shared System Certificates │ │ │ │ + │ │ │ │ + Disable Firefox Pocket │ │ │ │ │ │ │ │ - ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-disable_pocket_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Firefox autoplay must be disabled. 
│ │ │ │ + │ │ │ │ + Disable Firefox Development Tools │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-autoplay_video_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-development_tools_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Certificate Verification │ │ │ │ + │ │ │ │ + Enabled Firefox Fingerprinting Protection │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-verification_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Ensure the Content Blocker uBlock Origin is Installed │ │ │ │ + │ │ │ │ + Enable Firefox Pop-up Blocker │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-content_blocker_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enabled Firefox Fingerprinting Protection │ │ │ │ + │ │ │ │ + Firefox must prevent the user from quickly deleting data. │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-fingerprinting_protection_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-forget_button_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enabled Firefox Enhanced Tracking Protection │ │ │ │ + │ │ │ │ + Disable Installed Search Plugins Update Checking │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-search_update_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disabled Firefox Extension Recommendations │ │ │ │ + │ │ │ │ + Firefox search suggestions must be disabled. 
│ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-extension_recommendation_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-search_suggestion_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Firefox Pocket │ │ │ │ + │ │ │ │ + Ensure the Content Blocker uBlock Origin is Installed │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-disable_pocket_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-content_blocker_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Firefox must be configured to not automatically update installed add-ons and plugins. │ │ │ │ + │ │ │ │ + Disable auto-download for proscribed MIME types. │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-extension_update_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Firefox must prevent the user from quickly deleting data. │ │ │ │ + │ │ │ │ + Enable Shared System Certificates │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-forget_button_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enable Firefox Pop-up Blocker │ │ │ │ + │ │ │ │ + Disable Firefox Studies │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-pop-up_windows_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-disable_studies_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Enabled Firefox Enhanced Tracking Protection │ │ │ │ + │ │ │ │ + ocil:ssg-firefox_policy-enhanced_tracking_action:testaction:1 │ │ │ │ + │ │ │ │ + │ │ │ │ + │ │ │ │ + Enable Certificate Verification │ │ │ │ + │ │ │ │ + ocil:ssg-firefox_policy-verification_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Disable Firefox deprecated ciphers │ │ │ │ │ │ │ │ ocil:ssg-firefox_policy-disable_deprecated_ciphers_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ Firefox private browsing must be disabled. 
│ │ │ │ │ │ │ │ ocil:ssg-firefox_policy-private_browsing_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Firefox Development Tools │ │ │ │ - │ │ │ │ - ocil:ssg-firefox_policy-development_tools_action:testaction:1 │ │ │ │ - │ │ │ │ - │ │ │ │ - │ │ │ │ - Disable Firefox network prediction │ │ │ │ + │ │ │ │ + Disable JavaScript's Moving Or Resizing Windows Capability │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-network_prediction_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-javascript_window_resizing_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ The DoD Root Certificate Exists │ │ │ │ │ │ │ │ ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Firefox Telemetry │ │ │ │ + │ │ │ │ + Disable JavaScript's Raise Or Lower Windows Capability │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-telemetry_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-javascript_window_changes_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Firefox search suggestions must be disabled. │ │ │ │ + │ │ │ │ + Firefox autoplay must be disabled. │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-search_suggestion_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-autoplay_video_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Enabled Firefox Cryptomining protection │ │ │ │ + │ │ │ │ + Disable Firefox Telemetry │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-cryptomining_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-telemetry_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable auto-download for proscribed MIME types. │ │ │ │ + │ │ │ │ + Firefox must be configured to not automatically update installed add-ons and plugins. 
│ │ │ │ │ │ │ │ - ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-extension_update_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - Disable Installed Search Plugins Update Checking │ │ │ │ + │ │ │ │ + Enabled Firefox Cryptomining protection │ │ │ │ │ │ │ │ - ocil:ssg-firefox_policy-search_update_action:testaction:1 │ │ │ │ + ocil:ssg-firefox_policy-cryptomining_action:testaction:1 │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ 
│ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ 
@@ -315,148 +315,78 @@ │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ + │ │ │ │ │ │ │ │ PASS │ │ │ │ │ │ │ │ │ │ │ │ FAIL │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that JavaScript cannot change windows sizing, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following uder dom.disable_window_move_resize: │ │ │ │ -"Value": true, │ │ │ │ -"Status": "locked", │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ - │ │ │ │ │ │ │ │ If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or │ │ │ │ a yum server which provides updates, invoking the following command will │ │ │ │ indicate if updates are available: │ │ │ │ $ sudo yum check-update │ │ │ │ If the system is not configured to update from one of these sources, │ │ │ │ run the following command to list when each package was last updated: │ │ │ │ $ rpm -qa -last │ │ │ │ Compare this to Red Hat Security Advisories (RHSA) listed at │ │ │ │ │ │ │ │ https://access.redhat.com/security/updates/active/ │ │ │ │ to determine if the system is missing applicable updates. │ │ │ │ Is it the case that it is not updated? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that Studies is disabled, │ │ │ │ + │ │ │ │ + To verify that network prediction is disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following: │ │ │ │ -"DisableFirefoxStudies": true │ │ │ │ - Is it the case that ? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that JavaScript cannot change windows sizing, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following uder dom.disable_window_flip: │ │ │ │ -"Value": true, │ │ │ │ -"Status": "locked", │ │ │ │ +"NetworkPrediction": false │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the central system cerificate authority store is enabled, │ │ │ │ -run the following command: │ │ │ │ -$ ls -l /etc/alternatives/libnssckbi.so.x86_64 │ │ │ │ -The output should return something similar to: │ │ │ │ -lrwxrwxrwx. 1 root root 34 Apr 30 09:19 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so │ │ │ │ - Is it the case that it is not enabled? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that search suggestions are disabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following under Permissions -> Autoplay: │ │ │ │ -"Default": "block-audio-video" │ │ │ │ - Is it the case that ? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that certificate verification is enabled, type the following into the browser address bar: │ │ │ │ - about:policies │ │ │ │ -The output should have the following under security.default_personal_cert: │ │ │ │ -Value: "Ask Every Time" │ │ │ │ -Status: "locked" │ │ │ │ - Is it the case that it is not enabled? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following under ExtensionSettings: │ │ │ │ -"uBlock0@raymondhill.net": { │ │ │ │ -" "installation_mode":"normal_installed", │ │ │ │ -" "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi", │ │ │ │ -" "updates_disabled":false} │ │ │ │ - Is it the case that ? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that fingerprinting protection is enabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following under EnableTrackingProtection: │ │ │ │ -"Fingerprinting": true │ │ │ │ - Is it the case that ? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that enhanced tracking protection is enabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following under Preferences -> browser.contentblocking.category: │ │ │ │ -"Value": "strict" │ │ │ │ -"Status": "locked" │ │ │ │ - Is it the case that ? │ │ │ │ - │ │ │ │ │ │ │ │ To verify that enhanced tracking protection is enabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following under Preferences -> extensions.htmlaboutaddons.recommendations.enabled: │ │ │ │ "Value": false │ │ │ │ "Status": "locked" │ │ │ │ 
@@ -466,102 +396,73 @@ │ │ │ │ To verify that Pocket is disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following: │ │ │ │ "DisablePocket": true │ │ │ │ Is it the case that ? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that certificate verification is enabled, │ │ │ │ + │ │ │ │ + To verify that Firefox Development Tools are disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following: │ │ │ │ -"ExtensionUpdate": false │ │ │ │ -Status: "locked" │ │ │ │ - Is it the case that it is not enabled? │ │ │ │ +"DisableDeveloperTools": true, │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that users cannot access the forget button, │ │ │ │ + │ │ │ │ + To verify that fingerprinting protection is enabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ -The output should have the following: │ │ │ │ -"DisableForgetButon": true │ │ │ │ +The output should have the following under EnableTrackingProtection: │ │ │ │ +"Fingerprinting": true │ │ │ │ Is it the case that ? │ │ │ │ │ │ │ │ │ │ │ │ To verify that pop-up blocker is enabled, │ │ │ │ run the following command: │ │ │ │ $ grep -B10 'PopupBlocking' FIREFOX_INSTALL_DIR/*.cfg │ │ │ │ The output should include: │ │ │ │ "Default": true │ │ │ │ "Locked": true │ │ │ │ Is it the case that it is not enabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that deprecated ciphers are disabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following under DisabledCiphers: │ │ │ │ -"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true │ │ │ │ - Is it the case that ? 
│ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that private browsing is disabled │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following uder dom.disable_window_move_resize: │ │ │ │ -"DisablePrivateBrowsing": true │ │ │ │ - Is it the case that ? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that Firefox Development Tools are disabled, │ │ │ │ + │ │ │ │ + To verify that users cannot access the forget button, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following: │ │ │ │ -"DisableDeveloperTools": true, │ │ │ │ - Is it the case that it is not disabled? │ │ │ │ +"DisableForgetButon": true │ │ │ │ + Is it the case that ? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that network prediction is disabled, │ │ │ │ + │ │ │ │ + To verify that checks for installed search plugin updates are disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ -The output should have the following: │ │ │ │ -"NetworkPrediction": false │ │ │ │ +The output should have the following under browser.search.update: │ │ │ │ +Value: false │ │ │ │ +Status: "locked" │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that the DoD root certificate is installed, │ │ │ │ -list all certificates in /etc/pki/ca-trust/source/anchors │ │ │ │ -and compare them to the DoD root certificate. If there is a match │ │ │ │ -to the DoD root certificate, then the DoD root certificate is │ │ │ │ -installed. │ │ │ │ - Is it the case that it is not installed? │ │ │ │ - │ │ │ │ - │ │ │ │ - To verify that Firefox telemetry is disabled, │ │ │ │ -type the following into the browser address bar: │ │ │ │ -about:policies │ │ │ │ -The output should have the following: │ │ │ │ -"DisableTelemetry": true │ │ │ │ - Is it the case that ? 
│ │ │ │ - │ │ │ │ │ │ │ │ To verify that search suggestions are disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ The output should have the following: │ │ │ │ "SearchSuggestEnabled": false │ │ │ │ Is it the case that ? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that cryptomining protection is enabled, │ │ │ │ + │ │ │ │ + To verify that the policy is modified to automatically install the content blocker and that it's updates are not disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ -The output should have the following under EnableTrackingProtection: │ │ │ │ -"Cryptomining": true │ │ │ │ +The output should have the following under ExtensionSettings: │ │ │ │ +"uBlock0@raymondhill.net": { │ │ │ │ +" "installation_mode":"normal_installed", │ │ │ │ +" "install_url":"https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi", │ │ │ │ +" "updates_disabled":false} │ │ │ │ Is it the case that ? │ │ │ │ │ │ │ │ │ │ │ │ To verify that any proscribed file types are configured for automatic download, │ │ │ │ type "about:preferences" into the search bar, then │ │ │ │ type "Applications" in the Find bar in the upper-right corner. │ │ │ │ If any of the following file extensions are listed and the Action item associated with it │ │ │ │ 
@@ -594,18 +495,117 @@ │ │ │ │ WB3 │ │ │ │ WCH │ │ │ │ WCM │ │ │ │ AD │ │ │ │ │ │ │ │ Is it the case that ? │ │ │ │ │ │ │ │ - │ │ │ │ - To verify that checks for installed search plugin updates are disabled, │ │ │ │ + │ │ │ │ + To verify that the central system cerificate authority store is enabled, │ │ │ │ +run the following command: │ │ │ │ +$ ls -l /etc/alternatives/libnssckbi.so.x86_64 │ │ │ │ +The output should return something similar to: │ │ │ │ +lrwxrwxrwx. 1 root root 34 Apr 30 09:19 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so │ │ │ │ + Is it the case that it is not enabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that Studies is disabled, │ │ │ │ type the following into the browser address bar: │ │ │ │ about:policies │ │ │ │ -The output should have the following under browser.search.update: │ │ │ │ -Value: false │ │ │ │ +The output should have the following: │ │ │ │ +"DisableFirefoxStudies": true │ │ │ │ + Is it the case that ? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that enhanced tracking protection is enabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following under Preferences -> browser.contentblocking.category: │ │ │ │ +"Value": "strict" │ │ │ │ +"Status": "locked" │ │ │ │ + Is it the case that ? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that certificate verification is enabled, type the following into the browser address bar: │ │ │ │ + about:policies │ │ │ │ +The output should have the following under security.default_personal_cert: │ │ │ │ +Value: "Ask Every Time" │ │ │ │ Status: "locked" │ │ │ │ + Is it the case that it is not enabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that deprecated ciphers are disabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following under DisabledCiphers: │ │ │ │ +"TLS_RSA_WITH_3DES_EDE_CBC_SHA": true │ │ │ │ + Is it the case that ? 
│ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that private browsing is disabled │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following uder dom.disable_window_move_resize: │ │ │ │ +"DisablePrivateBrowsing": true │ │ │ │ + Is it the case that ? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that JavaScript cannot change windows sizing, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following uder dom.disable_window_move_resize: │ │ │ │ +"Value": true, │ │ │ │ +"Status": "locked", │ │ │ │ + Is it the case that it is not disabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that the DoD root certificate is installed, │ │ │ │ +list all certificates in /etc/pki/ca-trust/source/anchors │ │ │ │ +and compare them to the DoD root certificate. If there is a match │ │ │ │ +to the DoD root certificate, then the DoD root certificate is │ │ │ │ +installed. │ │ │ │ + Is it the case that it is not installed? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that JavaScript cannot change windows sizing, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following uder dom.disable_window_flip: │ │ │ │ +"Value": true, │ │ │ │ +"Status": "locked", │ │ │ │ Is it the case that it is not disabled? │ │ │ │ │ │ │ │ + │ │ │ │ + To verify that search suggestions are disabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following under Permissions -> Autoplay: │ │ │ │ +"Default": "block-audio-video" │ │ │ │ + Is it the case that ? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that Firefox telemetry is disabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following: │ │ │ │ +"DisableTelemetry": true │ │ │ │ + Is it the case that ? 
│ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that certificate verification is enabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following: │ │ │ │ +"ExtensionUpdate": false │ │ │ │ +Status: "locked" │ │ │ │ + Is it the case that it is not enabled? │ │ │ │ + │ │ │ │ + │ │ │ │ + To verify that cryptomining protection is enabled, │ │ │ │ +type the following into the browser address bar: │ │ │ │ +about:policies │ │ │ │ +The output should have the following under EnableTrackingProtection: │ │ │ │ +"Cryptomining": true │ │ │ │ + Is it the case that ? │ │ │ │ + │ │ │ │ │ │ │ │