Add rh 1.4 (#1922)

* add CIS Benchmark for eks-v1.7

* fix failed test cases

* added eks 1.7 for supported kubernetes version

* added eks 1.7 for supported kubernetes version

* fix failed test cases

* add test cases for it

* fix

* add test case for eks 1.5

* change methodoloy

* fix the issue mentioned in pr

* fix linter error

* Update cmd/util.go

Co-authored-by: afdesk <[email protected]>

* fix the failed test

* add cis benchmark for red hat openshift containre v1.4

* fix failed test cases

* fix checks for rh-1.4

* mark scored true to manual test if they have test cases

* fix check 1.2.4

* rebase the changes in go.sum

---------

Co-authored-by: afdesk <[email protected]>

Author: LaibaBareera

cfg/config.yaml

@@ -297,6 +297,7 @@ version_mapping:
   "ocp-3.10": "rh-0.7"
   "ocp-3.11": "rh-0.7"
   "ocp-4.0": "rh-1.0"
+  "ocp-4.17": "rh-1.4"
   "aks-1.0": "aks-1.0"
   "aks-1.7": "aks-1.7"
   "ack-1.0": "ack-1.0"
@@ -457,6 +458,12 @@ target_mapping:
     - "controlplane"
     - "policies"
     - "etcd"
+  "rh-1.4":
+    - "master"
+    - "node"
+    - "controlplane"
+    - "policies"
+    - "etcd"
   "eks-stig-kubernetes-v1r6":
     - "node"
     - "controlplane"

cfg/rh-1.4/config.yaml

@@ -0,0 +1,2 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml

cfg/rh-1.4/controlplane.yaml

@@ -0,0 +1,62 @@
+---
+controls:
+version: rh-1.4
+id: 3
+text: "Control Plane Configuration"
+type: "controlplane"
+groups:
+  - id: 3.1
+    text: "Authentication and Authorization"
+    checks:
+      - id: 3.1.1
+        text: "Client certificate authentication should not be used for users (Manual)"
+        audit: |
+          # To verify user authentication is enabled
+          oc describe authentication
+          # To verify that an identity provider is configured
+          oc get identity
+          # To verify that a custom cluster-admin user exists
+          oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin | grep User
+          # To verity that kbueadmin is removed, no results should be returned
+          oc get secrets kubeadmin -n kube-system
+        type: manual
+        remediation: |
+          Configure an identity provider for the OpenShift cluster.
+          Understanding identity provider configuration | Authentication | OpenShift
+          Container Platform 4.5. Once an identity provider has been defined,
+          you can use RBAC to define and apply permissions.
+          After you define an identity provider and create a new cluster-admin user,
+          remove the kubeadmin user to improve cluster security.
+        scored: false
+
+  - id: 3.2
+    text: "Logging"
+    checks:
+      - id: 3.2.1
+        text: "Ensure that a minimal audit policy is created (Manual)"
+        audit: |
+          #To view kube apiserver log files
+          oc adm node-logs --role=master --path=kube-apiserver/
+          #To view openshift apiserver log files
+          oc adm node-logs --role=master --path=openshift-apiserver/
+          #To verify kube apiserver audit config
+          oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]?'
+          #To verify openshift apiserver audit config
+          oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]?'
+        type: manual
+        remediation: |
+          No remediation required.
+        scored: false
+
+      - id: 3.2.2
+        text: "Ensure that the audit policy covers key security concerns (Manual)"
+        audit: |
+          #To verify openshift apiserver audit config
+          oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'
+          #To verify kube apiserver audit config
+          oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]?'
+        type: manual
+        remediation: |
+          In OpenShift 4.6 and higher, if appropriate for your needs,
+          modify the audit policy.
+        scored: false

cfg/rh-1.4/etcd.yaml

@@ -0,0 +1,183 @@
+---
+controls:
+version: rh-1.4
+id: 2
+text: "Etcd"
+type: "etcd"
+groups:
+  - id: 2
+    text: "Etcd"
+    checks:
+      - id: 2.1
+        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Manual)"
+        audit: |
+          # Get the node name where the pod is running
+          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
+          # Get the pod name in the openshift-etcd namespace
+          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+          if [ -z "$POD_NAME" ]; then
+          echo "No matching file found on the current node."
+          else
+          # Execute the stat command
+          oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--cert-file=[^ ]*\).*/\1/'
+          oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--key-file=[^ ]*\).*/\1/'
+          fi
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "file"
+              compare:
+                op: regex
+                value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-(serving|certs)\/etcd-serving-.*\.(?:crt|key)'
+        remediation: |
+          OpenShift does not use the etcd-certfile or etcd-keyfile flags.
+          Certificates for etcd are managed by the etcd cluster operator.
+        scored: true
+
+      - id: 2.2
+        text: "Ensure that the --client-cert-auth argument is set to true (Manual)"
+        audit: |
+          # Get the node name where the pod is running
+          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
+          # Get the pod name in the openshift-etcd namespace
+          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+          if [ -z "$POD_NAME" ]; then
+          echo "No matching file found on the current node."
+          else
+          # Execute the stat command
+          oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--client-cert-auth=[^ ]*\).*/\1/'
+          fi
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "--client-cert-auth"
+              compare:
+                op: eq
+                value: true
+        remediation: |
+          This setting is managed by the cluster etcd operator. No remediation required."
+        scored: true
+
+      - id: 2.3
+        text: "Ensure that the --auto-tls argument is not set to true (Manual)"
+        audit: |
+          # Returns 0 if found, 1 if not found
+          # Get the node name where the pod is running
+          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
+          # Get the pod name in the openshift-etcd namespace
+          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+          if [ -z "$POD_NAME" ]; then
+          echo "No matching file found on the current node."
+          else
+          # Execute the stat command
+          oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | grep -- --auto-tls=true 2>/dev/null ; echo exit_code=$?
+          fi
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "exit_code"
+              compare:
+                op: eq
+                value: "1"
+        remediation: |
+          This setting is managed by the cluster etcd operator. No remediation required.
+        scored: true
+
+      - id: 2.4
+        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Manual)"
+        audit: |
+          # Get the node name where the pod is running
+          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
+          # Get the pod name in the openshift-etcd namespace
+          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+          if [ -z "$POD_NAME" ]; then
+          echo "No matching file found on the current node."
+          else
+          # Execute the stat command
+          oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-cert-file=[^ ]*\).*/\1/'
+          oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-key-file=[^ ]*\).*/\1/'
+          fi
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "file"
+              compare:
+                op: regex
+                value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-(peer|certs)\/etcd-peer-.*\.(?:crt|key)'
+        remediation: |
+          None. This configuration is managed by the etcd operator.
+        scored: true
+
+      - id: 2.5
+        text: "Ensure that the --peer-client-cert-auth argument is set to true (Manual)"
+        audit: |
+          # Get the node name where the pod is running
+          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
+          # Get the pod name in the openshift-etcd namespace
+          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+          if [ -z "$POD_NAME" ]; then
+          echo "No matching file found on the current node."
+          else
+          # Execute the stat command
+          oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-client-cert-auth=[^ ]*\).*/\1/'
+          fi
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "--peer-client-cert-auth"
+              compare:
+                op: eq
+                value: true
+        remediation: |
+          This setting is managed by the cluster etcd operator. No remediation required.
+        scored: true
+
+      - id: 2.6
+        text: "Ensure that the --peer-auto-tls argument is not set to true (Manual)"
+        audit: |
+          # Returns 0 if found, 1 if not found
+          # Get the node name where the pod is running
+          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
+          # Get the pod name in the openshift-etcd namespace
+          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+          if [ -z "$POD_NAME" ]; then
+          echo "No matching file found on the current node."
+          else
+          # Execute the stat command
+          oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>/dev/null ; echo exit_code=$?
+          fi
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "exit_code"
+              compare:
+                op: eq
+                value: "1"
+        remediation: |
+          This setting is managed by the cluster etcd operator. No remediation required.
+        scored: true
+
+      - id: 2.7
+        text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
+        audit: |
+          # Get the node name where the pod is running
+          NODE_NAME=$(oc get pod "$HOSTNAME" -o=jsonpath='{.spec.nodeName}')
+          # Get the pod name in the openshift-etcd namespace
+          POD_NAME=$(oc get pods -n openshift-etcd -l app=etcd --field-selector spec.nodeName="$NODE_NAME" -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
+          if [ -z "$POD_NAME" ]; then
+          echo "No matching file found on the current node."
+          else
+          # Execute the stat command
+          oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--trusted-ca-file=[^ ]*\).*/\1/'
+          oc exec -n openshift-etcd -c etcd "$POD_NAME" -- ps -o command= -C etcd | sed 's/.*\(--peer-trusted-ca-file=[^ ]*\).*/\1/'
+          fi
+        use_multiple_values: true
+        tests:
+          test_items:
+            - flag: "file"
+              compare:
+                op: regex
+                value: '\/etc\/kubernetes\/static-pod-certs\/configmaps\/(?:etcd-(?:serving|peer-client)-ca\/ca-bundle\.crt|etcd-all-bundles\/server-ca-bundle\.crt)'
+        remediation: |
+          None required. Certificates for etcd are managed by the OpenShift cluster etcd operator.
+        scored: true