fix: Correct test cases and audit commands for rh-1.8, cis-1.11, gke-1.8.0, and eks-1.7.0 benchmarks

cfg/cis-1.11/controlplane.yaml

@@ -1,6 +1,6 @@
 ---
 controls:
-version: "cis-1.11"
+version: "cis-1.11.1"
 id: 3
 text: "Control Plane Configuration"
 type: "controlplane"

cfg/cis-1.11/etcd.yaml

@@ -1,6 +1,6 @@
 ---
 controls:
-version: "cis-1.11"
+version: "cis-1.11.1"
 id: 2
 text: "Etcd Node Configuration"
 type: "etcd"
@@ -27,6 +27,24 @@ groups:
         scored: true
 
       - id: 2.2
+        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
+        audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
+        tests:
+          bin_op: and
+          test_items:
+            - flag: "--cert-file"
+              env: "ETCD_CERT_FILE"
+            - flag: "--key-file"
+              env: "ETCD_KEY_FILE"
+        remediation: |
+          Follow the etcd service documentation and configure TLS encryption.
+          Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
+          on the master node and set the below parameters.
+          --cert-file=</path/to/ca-file>
+          --key-file=</path/to/key-file>
+        scored: true
+
+      - id: 2.3
         text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
         tests:
@@ -42,7 +60,7 @@ groups:
           --client-cert-auth="true"
         scored: true
 
-      - id: 2.3
+      - id: 2.4
         text: "Ensure that the --auto-tls argument is not set to true (Automated)"
         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
         tests:
@@ -62,7 +80,7 @@ groups:
             --auto-tls=false
         scored: true
 
-      - id: 2.4
+      - id: 2.5
         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
         set as appropriate (Automated)"
         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
@@ -82,7 +100,7 @@ groups:
           --peer-key-file=</path/to/peer-key-file>
         scored: true
 
-      - id: 2.5
+      - id: 2.6
         text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
         tests:
@@ -98,7 +116,7 @@ groups:
           --peer-client-cert-auth=true
         scored: true
 
-      - id: 2.6
+      - id: 2.7
         text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
         tests:
@@ -118,7 +136,7 @@ groups:
           --peer-auto-tls=false
         scored: true
 
-      - id: 2.7
+      - id: 2.8
         text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
         tests:

cfg/cis-1.11/master.yaml

@@ -1,6 +1,6 @@
 ---
 controls:
-version: "cis-1.11"
+version: "cis-1.11.1"
 id: 1
 text: "Control Plane Security Configuration"
 type: "master"
@@ -752,7 +752,7 @@ groups:
                 value: "aescbc,kms,secretbox"
         remediation: |
           Follow the Kubernetes documentation and configure a EncryptionConfig file.
-          In this file, choose aescbc, kms or secretbox as the encryption provider.
+          In this file, choose aescbc, kms, or secretbox as the encryption provider.
         scored: false
 
       - id: 1.2.29
@@ -785,10 +785,11 @@ groups:
                 op: eq
                 value: false
         remediation: |
-          Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --service-account-extend-token-expiration parameter to false.
-          `--service-account-extend-token-expiration=false`
-          By default, this parameter is set to true.
-        scored: true
+          Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
+          on the Control Plane node and set the --service-account-extend-token-expiration
+          parameter to false.
+          --service-account-extend-token-expiration=false
+        scored: false
 
   - id: 1.3
     text: "Controller Manager"

cfg/cis-1.11/node.yaml

@@ -1,6 +1,6 @@
 ---
 controls:
-version: "cis-1.11"
+version: "cis-1.11.1"
 id: 4
 text: "Worker Node Security Configuration"
 type: "node"
@@ -463,9 +463,10 @@ groups:
             - flag: --seccomp-default
               path: '{.seccompDefault}'
         remediation: |
-          Set the parameter, either via the --seccomp-default command line parameter or the
+          Set the parameter, either via the --seccomp-default command line parameter or the 
           seccompDefault configuration file setting.
           By default the seccomp profile is not enabled.
+          https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads
         scored: false
 
       - id: 4.2.15
@@ -476,13 +477,14 @@ groups:
           test_items:
             - flag: --IPAddressDeny
               path: '{.IPAddressDeny}'
+              op: eq
+              value: "any"
+            - path: '{.IPAddressAllow}'
         remediation: |
-         Configuring the setting IPAddressDeny=any will deny service to any IP address not specified in the complimentary setting IPAddressAllow configuration parameter (
-         IPAddressDeny=any
-         IPAddressAllow={{ kubelet_secure_addresses }}
-         *Note
-           kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnets |regex_replace(',', ' ') }} {{ kube_node_addresses }} {{ loadbalancer_apiserver.address | default('')"
-         By default IPAddressDeny is not enabled.
+          IPAddressDeny=any
+          IPAddressAllow={{ kubelet_secure_addresses }}
+          *Note kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnets | regex_replace(',', ' ') }} {{ kube_node_addresses }} {{ loadbalancer_apiserver.address | default('')"
+          By default IPAddressDeny is not enabled.
         scored: false
 
   - id: 4.3

cfg/cis-1.11/policies.yaml

@@ -1,6 +1,6 @@
 ---
 controls:
-version: "cis-1.11"
+version: "cis-1.11.1"
 id: 5
 text: "Kubernetes Policies"
 type: "policies"
@@ -108,7 +108,7 @@ groups:
         remediation: |
           Where possible, remove create access to pod objects in the cluster.
         scored: false
-
+        
       - id: 5.1.5
         text: "Ensure that default service accounts are not actively used (Manual)"
         audit: |

cfg/eks-1.7.0/controlplane.yaml

@@ -9,8 +9,7 @@ groups:
     text: "Logging"
     checks:
       - id: 2.1.1
-        text: "Enable audit Logs (Manual)"
-        type: manual
+        text: "Enable audit Logs (Automated)"
         remediation: |
           From Console:
           1.  For each EKS Cluster in each region;
@@ -34,36 +33,37 @@ groups:
 
       - id: 2.1.2
         text: "Ensure audit logs are collected and managed (Manual)"
-        type: manual
+        type: "manual"
         remediation: |
-          Create or update the audit-policy.yaml to specify the audit logging configuration:
-          apiVersion: audit.k8s.io/v1
-          kind: Policy
-          rules:
-            - level: Metadata
+          1. Create or update the audit-policy.yaml to specify the audit logging configuration:
+              apiVersion: audit.k8s.io/v1
+              kind: Policy
+              rules:
+              - level: Metadata
               resources:
-                - group: ""
-                  resources: ["pods"]
-          Apply the audit policy configuration to the cluster:
-            kubectl apply -f <path-to-audit-policy>.yaml
-          Ensure audit logs are forwarded to a centralized logging system like CloudWatch, Elasticsearch, or another log management solution:
-            kubectl create configmap cluster-audit-policy --from-file=audit-policy.yaml -n kube-system
-            kubectl apply -f - <<EOF
-          apiVersion: v1
-          kind: Pod
-          metadata:
-            name: audit-logging
-            namespace: kube-system
-          spec:
-            containers:
+              - group: ""
+              resources: ["pods"]
+          2.  Apply the audit policy configuration to the cluster:
+              kubectl apply -f <path-to-audit-policy>.yaml
+          3.  Ensure audit logs are forwarded to a centralized logging system like CloudWatch,
+              Elasticsearch, or another log management solution:
+              kubectl create configmap cluster-audit-policy --from-file=audit-policy.yaml -n kube-system
+              kubectl apply -f - <<EOF
+              apiVersion: v1
+              kind: Pod
+              metadata:
+              name: audit-logging
+              namespace: kube-system
+              spec:
+              containers:
               - name: audit-log-forwarder
-                image: my-log-forwarder-image
-                volumeMounts:
-                  - mountPath: /etc/kubernetes/audit
-                    name: audit-config
-            volumes:
+              image: my-log-forwarder-image
+              volumeMounts:
+              - mountPath: /etc/kubernetes/audit
+              name: audit-config
+              volumes:
               - name: audit-config
-                configMap:
-                  name: cluster-audit-policy
-            EOF
+              configMap:
+              name: cluster-audit-policy
+              EOF
         scored: false

cfg/eks-1.7.0/managedservices.yaml

@@ -9,7 +9,7 @@ groups:
     text: "Image Registry and Image Scanning"
     checks:
       - id: 5.1.1
-        text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider (Manual)"
+        text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third party provider (Automated)"
         type: "manual"
         remediation: |
           To utilize AWS ECR for Image scanning please follow the steps below:
@@ -95,7 +95,7 @@ groups:
     text: "Identity and Access Management (IAM)"
     checks:
       - id: 5.2.1
-        text: "Prefer using dedicated Amazon EKS Service Accounts (Manual)"
+        text: "Prefer using dedicated Amazon EKS Service Accounts (Automated)"
         type: "manual"
         remediation: |
           With IAM roles for service accounts on Amazon EKS clusters, you can associate an
@@ -144,7 +144,7 @@ groups:
     text: "Cluster Networking"
     checks:
       - id: 5.4.1
-        text: "Restrict Access to the Control Plane Endpoint (Manual)"
+        text: "Restrict Access to the Control Plane Endpoint (Automated)"
         type: "manual"
         remediation: |
           By enabling private endpoint access to the Kubernetes API server, all communication
@@ -170,7 +170,7 @@ groups:
         scored: false
 
       - id: 5.4.2
-        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
+        text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)"
         type: "manual"
         remediation: |
           By enabling private endpoint access to the Kubernetes API server, all communication
@@ -182,11 +182,11 @@ groups:
           aws eks update-cluster-config --region $AWS_REGION --name $CLUSTER_NAME --resources-vpc-config endpointPrivateAccess=true,endpointPublicAccess=false
 
           Note: For more detailed information, see the EKS Cluster Endpoint documentation link
-          in the references section.
+          https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
         scored: false
 
       - id: 5.4.3
-        text: "Ensure clusters are created with Private Nodes (Manual)"
+        text: "Ensure clusters are created with Private Nodes (Automated)"
         type: "manual"
         remediation: |
           aws eks update-cluster-config \
@@ -196,7 +196,7 @@ groups:
         scored: false
 
       - id: 5.4.4
-        text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
+        text: "Ensure Network Policy is Enabled and set as appropriate (Automated)"
         type: "manual"
         remediation: |
           Utilize Calico or other network policy engine to segment and isolate your traffic.

cfg/eks-1.7.0/node.yaml

@@ -89,7 +89,7 @@ groups:
           Disable Anonymous Authentication by setting the following parameter:
           "authentication": { "anonymous": { "enabled": false } }
 
-          Remediation Method 2.
+          Remediation Method 2:
           If using executable arguments, edit the kubelet service file on each worker node and
           ensure the below parameters are part of the KUBELET_ARGS variable string.
           For systems using systemd, such as the Amazon EKS Optimised Amazon Linux or
@@ -352,10 +352,6 @@ groups:
               compare:
                 op: gte
                 value: 0
-            - flag: --event-qps
-              path: '{.eventRecordQPS}'
-              set: false
-          bin_op: or
         remediation: |
           If using a Kubelet config file, edit the file to set eventRecordQPS: to an appropriate
           level.
@@ -375,6 +371,7 @@ groups:
           test_items:
             - flag: --rotate-certificates
               path: '{.rotateCertificates}'
+              set: true
               compare:
                 op: eq
                 value: true