OCP4: Fix instructions of rules that set kubelet related sysctls, use the sysctl probe #10434

Merged
May 4, 2023
Expand Up @@ -3,7 +3,6 @@
{{{ oval_metadata("The sysctl parameter needs to be set before enabling kernel protection") }}}
<criteria operator="OR">
<criteria operator="AND">
<extend_definition comment="sysctl file exist" definition_ref="kubelet_enable_protect_kernel_sysctl_file_exist" />
<extend_definition comment="sysctl kernel_panic" definition_ref="kubelet_enable_protect_kernel_sysctl_kernel_panic" />
<extend_definition comment="sysctl kernel_panic_on_oops" definition_ref="kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops" />
<extend_definition comment="sysctl kernel_keys_root_maxbytes" definition_ref="kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes" />
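Review bot: with the `kubelet_enable_protect_kernel_sysctl_file_exist` criterion dropped from the AND block, the definition it extended is no longer referenced from here; check whether its OVAL file should be removed in the same PR so it does not linger as dead content. Note also that the remaining criteria now pass whenever the values are set by any means, not only via `/etc/sysctl.d/90-kubelet.conf`, which is consistent with the rule descriptions that say the parameters may already be set by the distribution.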
Expand Up @@ -6,24 +6,35 @@ platform: ocp4-node

title: 'kubelet - Set Up Sysctl to Enable Protect Kernel Defaults'

{{% set kernel_root_maxbytes_val = 25000000 %}}
{{% set kernel_root_maxkeys_val = 1000000 %}}
{{% set kernel_panic_val = 10 %}}
{{% set kernel_panic_on_oops_val = 1 %}}
{{% set vm_overcommit_memory_val = 1 %}}
{{% set vm_panic_on_oom_val = 0 %}}

description: |-
<p>
Setup required tuned kernel parameters before enabling overwritten protection.
Setup required tuned kernel parameters before enabling overwritten protection. Note
that depending on the Linux distribution and its version that your cluster nodes are
running, these parameters might be already set up for you. Please refer to the rule
instructions for a check.
</p>

<p>
Before enabling kernel parameter overwritten protection default,
it's important and necessary to first create a <tt>MachineConfig</tt>
it's important to check if these values are already set to the required values.
If not, it is neccessary to first create a <tt>MachineConfig</tt>
object that persist the required sysctl's. The required sysctl's are the following:
</p>

<pre>
kernel.keys.root_maxbytes=25000000
kernel.keys.root_maxkeys=1000000
kernel.panic=10
kernel.panic_on_oops=1
vm.overcommit_memory=1
vm.panic_on_oom=0
kernel.keys.root_maxbytes={{{ kernel_root_maxbytes_val }}}
kernel.keys.root_maxkeys={{{ kernel_root_maxkeys_val }}}
kernel.panic={{{ kernel_panic_val }}}
kernel.panic_on_oops={{{ kernel_panic_on_oops_val }}}
vm.overcommit_memory={{{ vm_overcommit_memory_val }}}
vm.panic_on_oom={{{ vm_panic_on_oom_val }}}
</pre>

<p>
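Review bot: the added line `If not, it is neccessary to first create a <tt>MachineConfig</tt>` misspells "necessary", and the unchanged `object that persist the required sysctl's` should read `object that persists the required sysctls`. Separately, the six `{{% set ... %}}` bindings introduced at the top of the description are repeated verbatim in every rule file touched by this PR; a single shared macro or include would keep the values from drifting between rules.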
Expand Down Expand Up @@ -60,7 +71,7 @@ description: |-

<p>
To configure, follow the directions in
{{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-managing.html",
{{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-managing.html",
text="the documentation") }}}
</p>
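Review bot: switching the weblink from `4.6` to `latest` removes a stale version pin, but it also means the link follows whatever layout the newest OpenShift docs use; if the node-management page moves, the rule's only remediation pointer breaks silently. Consider a link check in CI or noting the pinned alternative in the commit message.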

Expand All @@ -78,39 +89,32 @@ severity: medium
ocil_clause: 'the kubelet can modify kernel parameters'

ocil: |-
Run the following command on the kubelet node to check if sysctl configuration file exist(s):
<pre>$ sudo [ -f /etc/sysctl.d/90-kubelet.conf ] || echo Not Exists </pre>
The output should not return <tt>Not Exists</tt>.

Run the following command on the kubelet node(s) to check parameter vm.panic_on_oom:
<pre>$ sudo grep vm.panic_on_oom /etc/sysctl.d/90-kubelet.conf</pre>
The output should return <tt>a value</tt>.
<pre>$ sysctl vm.panic_on_oom</pre>
The output should return {{{ vm_panic_on_oom_val }}}

Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxbytes:
<pre>$ sudo grep kernel.keys.root_maxbytes /etc/sysctl.d/90-kubelet.conf</pre>
The output should return <tt>a value</tt>.
<pre>$ sysctl kernel.keys.root_maxbytes </pre>
The output should return {{{ kernel_root_maxbytes_val }}}

Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxkeys:
<pre>$ sudo grep kernel.keys.root_maxkeys /etc/sysctl.d/90-kubelet.conf</pre>
The output should return <tt>a value</tt>.
<pre>$ sysctl kernel.keys.root_maxkeys</pre>
The output should return {{{ kernel_root_maxkeys_val }}}

Run the following command on the kubelet node(s) to check parameter kernel.panic:
<pre>$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf</pre>
The output should return <tt>a value</tt>.
<pre>$ sysctl kernel.panic</pre>
The output should return {{{ kernel_panic_val }}}

Run the following command on the kubelet node(s) to check parameter kernel.panic_on_oops:
<pre>$ sudo grep kernel.panic_on_oops /etc/sysctl.d/90-kubelet.conf</pre>
The output should return <tt>a value</tt>.
<pre>$ sysctl kernel.panic_on_oops</pre>
The output should return {{{ kernel_panic_on_oops_val }}}

Run the following command on the kubelet node(s) to check parameter vm.overcommit_memory:
<pre>$ sudo grep vm.overcommit_memory /etc/sysctl.d/90-kubelet.conf</pre>
The output should return <tt>a value</tt>.
<pre>$ sysctl vm.overcommit_memory</pre>
The output should return {{{ vm_overcommit_memory_val }}}

Run the following command on the kubelet node(s) to check parameter kernel.panic:
<pre>$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf</pre>
The output should return <tt>a value</tt>.
#identifiers:
# cce@ocp4:
identifiers:
cce@ocp4: CCE-86688-9

references:
cis@ocp4: 4.2.6
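Review bot: the new expected-output lines such as `The output should return {{{ vm_panic_on_oom_val }}}` lack a terminating period and do not match what `sysctl` actually prints, which has the form `vm.panic_on_oom = 0`; phrasing each as `The output should return <tt>vm.panic_on_oom = {{{ vm_panic_on_oom_val }}}</tt>.` makes the expected comparison unambiguous for the person running the check. `<pre>$ sysctl kernel.keys.root_maxbytes </pre>` also carries a stray trailing space inside the tag. Removing the duplicated `kernel.panic` block from the end of the old text is the right call.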
Expand Up @@ -6,24 +6,35 @@ platform: ocp4-node

title: 'kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxbytes'

{{% set kernel_root_maxbytes_val = 25000000 %}}
{{% set kernel_root_maxkeys_val = 1000000 %}}
{{% set kernel_panic_val = 10 %}}
{{% set kernel_panic_on_oops_val = 1 %}}
{{% set vm_overcommit_memory_val = 1 %}}
{{% set vm_panic_on_oom_val = 0 %}}

description: |-
<p>
Setup required tuned kernel parameters before enabling overwritten protection.
Setup required tuned kernel parameters before enabling overwritten protection. Note
that depending on the Linux distribution and its version that your cluster nodes are
running, these parameters might be already set up for you. Please refer to the rule
instructions for a check.
</p>

<p>
Before enabling kernel parameter overwritten protection default,
it's important and necessary to first create a <tt>MachineConfig</tt>
it's important to check if these values are already set to the required values.
If not, it is neccessary to first create a <tt>MachineConfig</tt>
object that persist the required sysctl's. The required sysctl's are the following:
</p>

<pre>
kernel.keys.root_maxbytes=25000000
kernel.keys.root_maxkeys=1000000
kernel.panic=10
kernel.panic_on_oops=1
vm.overcommit_memory=1
vm.panic_on_oom=0
kernel.keys.root_maxbytes={{{ kernel_root_maxbytes_val }}}
kernel.keys.root_maxkeys={{{ kernel_root_maxkeys_val }}}
kernel.panic={{{ kernel_panic_val }}}
kernel.panic_on_oops={{{ kernel_panic_on_oops_val }}}
vm.overcommit_memory={{{ vm_overcommit_memory_val }}}
vm.panic_on_oom={{{ vm_panic_on_oom_val }}}
</pre>

<p>
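Review bot: same spelling issues as in the other rule descriptions: "neccessary" and `object that persist the required sysctl's` in the added lines. In this file the `{{% set kernel_root_maxbytes_val = 25000000 %}}` binding also duplicates the literal `sysctlval: '25000000'` in the `template:` block further down, so the documented value and the checked value can diverge without anything flagging it.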
Expand Down Expand Up @@ -60,7 +71,7 @@ description: |-

<p>
To configure, follow the directions in
{{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-managing.html",
{{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-managing.html",
text="the documentation") }}}
</p>

Expand All @@ -78,12 +89,12 @@ severity: medium
ocil_clause: 'the kubelet can modify kernel parameters'

ocil: |-
Run the following command on the kubelet node(s):
<pre>$ sudo grep kernel.keys.root_maxbytes /etc/sysctl.d/90-kubelet.conf</pre>
The output should return <tt>a value</tt>.
Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxbytes:
<pre>$ sysctl kernel.keys.root_maxbytes </pre>
The output should return {{{ kernel_root_maxbytes_val }}}

#identifiers:
# cce@ocp4:
identifiers:
cce@ocp4: CCE-86066-8

references:
cis@ocp4: 4.2.6
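Review bot: `The output should return {{{ kernel_root_maxbytes_val }}}` should state the full `sysctl` output form, `kernel.keys.root_maxbytes = {{{ kernel_root_maxbytes_val }}}`, and end with a period; the command line `<pre>$ sysctl kernel.keys.root_maxbytes </pre>` also has a trailing space before the closing tag.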
Expand All @@ -92,7 +103,8 @@ references:
srg: SRG-APP-000516-CTR-001325

template:
name: lineinfile
vars:
path: /etc/sysctl.d/90-kubelet.conf
text: "kernel.keys.root_maxbytes=25000000"
name: sysctl
vars:
sysctlvar: kernel.keys.root_maxbytes
sysctlval: '25000000'
datatype: int
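Review bot: `sysctlval: '25000000'` repeats the value already bound to `kernel_root_maxbytes_val` at the top of this file; if Jinja expansion runs before the template vars are parsed, as it does for the rest of the rule file, `sysctlval: '{{{ kernel_root_maxbytes_val }}}'` keeps the check and the documentation in lockstep. Also confirm that the `sysctl` template's default mode (runtime value, persisted configuration, or both) matches what the rule intends now that the OVAL no longer requires `/etc/sysctl.d/90-kubelet.conf` to exist.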
Expand Up @@ -6,24 +6,35 @@ platform: ocp4-node

title: 'kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxkeys'

{{% set kernel_root_maxbytes_val = 25000000 %}}
{{% set kernel_root_maxkeys_val = 1000000 %}}
{{% set kernel_panic_val = 10 %}}
{{% set kernel_panic_on_oops_val = 1 %}}
{{% set vm_overcommit_memory_val = 1 %}}
{{% set vm_panic_on_oom_val = 0 %}}

description: |-
<p>
Setup required tuned kernel parameters before enabling overwritten protection.
Setup required tuned kernel parameters before enabling overwritten protection. Note
that depending on the Linux distribution and its version that your cluster nodes are
running, these parameters might be already set up for you. Please refer to the rule
instructions for a check.
</p>

<p>
Before enabling kernel parameter overwritten protection default,
it's important and necessary to first create a <tt>MachineConfig</tt>
it's important to check if these values are already set to the required values.
If not, it is neccessary to first create a <tt>MachineConfig</tt>
object that persist the required sysctl's. The required sysctl's are the following:
</p>

<pre>
kernel.keys.root_maxbytes=25000000
kernel.keys.root_maxkeys=1000000
kernel.panic=10
kernel.panic_on_oops=1
vm.overcommit_memory=1
vm.panic_on_oom=0
kernel.keys.root_maxbytes={{{ kernel_root_maxbytes_val }}}
kernel.keys.root_maxkeys={{{ kernel_root_maxkeys_val }}}
kernel.panic={{{ kernel_panic_val }}}
kernel.panic_on_oops={{{ kernel_panic_on_oops_val }}}
vm.overcommit_memory={{{ vm_overcommit_memory_val }}}
vm.panic_on_oom={{{ vm_panic_on_oom_val }}}
</pre>

<p>
Expand Down Expand Up @@ -60,7 +71,7 @@ description: |-

<p>
To configure, follow the directions in
{{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-managing.html",
{{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-managing.html",
text="the documentation") }}}
</p>

Expand All @@ -78,12 +89,13 @@ severity: medium
ocil_clause: 'the kubelet can modify kernel parameters'

ocil: |-
Run the following command on the kubelet node(s):
<pre>$ sudo grep kernel.keys.root_maxkeys /etc/sysctl.d/90-kubelet.conf</pre>
The output should return <tt>a value</tt>.
Run the following command on the kubelet node(s) to check parameter kernel.keys.root_maxkeys:
<pre>$ sysctl kernel.keys.root_maxkeys</pre>
The output should return {{{ kernel_root_maxkeys_val }}}


#identifiers:
# cce@ocp4:
identifiers:
cce@ocp4: CCE-86139-3

references:
cis@ocp4: 4.2.6
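Review bot: two consecutive empty lines now sit between the ocil block and `identifiers:`; drop one to match the spacing in the sibling rule files. As in the other ocil hunks, the expected output should read `kernel.keys.root_maxkeys = {{{ kernel_root_maxkeys_val }}}` and end with a period.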
Expand All @@ -92,7 +104,8 @@ references:
srg: SRG-APP-000516-CTR-001325

template:
name: lineinfile
name: sysctl
vars:
path: /etc/sysctl.d/90-kubelet.conf
text: "kernel.keys.root_maxkeys=1000000"
sysctlvar: kernel.keys.root_maxkeys
sysctlval: '1000000'
datatype: int
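Review bot: `sysctlval: '1000000'` duplicates the `kernel_root_maxkeys_val` binding at the top of the file; `sysctlval: '{{{ kernel_root_maxkeys_val }}}'` would make the template and the description share one source of truth.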
Expand Up @@ -6,24 +6,35 @@ platform: ocp4-node

title: 'kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic'

{{% set kernel_root_maxbytes_val = 25000000 %}}
{{% set kernel_root_maxkeys_val = 1000000 %}}
{{% set kernel_panic_val = 10 %}}
{{% set kernel_panic_on_oops_val = 1 %}}
{{% set vm_overcommit_memory_val = 1 %}}
{{% set vm_panic_on_oom_val = 0 %}}

description: |-
<p>
Setup required tuned kernel parameters before enabling overwritten protection.
Setup required tuned kernel parameters before enabling overwritten protection. Note
that depending on the Linux distribution and its version that your cluster nodes are
running, these parameters might be already set up for you. Please refer to the rule
instructions for a check.
</p>

<p>
Before enabling kernel parameter overwritten protection default,
it's important and necessary to first create a <tt>MachineConfig</tt>
it's important to check if these values are already set to the required values.
If not, it is neccessary to first create a <tt>MachineConfig</tt>
object that persist the required sysctl's. The required sysctl's are the following:
</p>

<pre>
kernel.keys.root_maxbytes=25000000
kernel.keys.root_maxkeys=1000000
kernel.panic=10
kernel.panic_on_oops=1
vm.overcommit_memory=1
vm.panic_on_oom=0
kernel.keys.root_maxbytes={{{ kernel_root_maxbytes_val }}}
kernel.keys.root_maxkeys={{{ kernel_root_maxkeys_val }}}
kernel.panic={{{ kernel_panic_val }}}
kernel.panic_on_oops={{{ kernel_panic_on_oops_val }}}
vm.overcommit_memory={{{ vm_overcommit_memory_val }}}
vm.panic_on_oom={{{ vm_panic_on_oom_val }}}
</pre>

<p>
Expand Down Expand Up @@ -60,10 +71,11 @@ description: |-

<p>
To configure, follow the directions in
{{{ weblink(link="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-managing.html",
{{{ weblink(link="https://docs.openshift.com/container-platform/latest/nodes/nodes/nodes-nodes-managing.html",
text="the documentation") }}}
</p>


rationale: |-
Kernel parameters are usually tuned and hardened by the system administrators
before putting the systems into production. These parameters protect the
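Review bot: two consecutive blank lines now precede `rationale:`; remove one so the spacing stays consistent with the other rule files in this PR.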
Expand All @@ -78,12 +90,12 @@ severity: medium
ocil_clause: 'the kubelet can modify kernel parameters'

ocil: |-
Run the following command on the kubelet node(s):
<pre>$ sudo grep kernel.panic /etc/sysctl.d/90-kubelet.conf</pre>
The output should return <tt>a value</tt>.
Run the following command on the kubelet node(s) to check parameter kernel.panic:
<pre>$ sysctl kernel.panic</pre>
The output should return {{{ kernel_panic_val }}}

#identifiers:
# cce@ocp4:
identifiers:
cce@ocp4: CCE-86124-5

references:
cis@ocp4: 4.2.6
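Review bot: `The output should return {{{ kernel_panic_val }}}` should give the full `sysctl` output form, `kernel.panic = {{{ kernel_panic_val }}}`, and end with a period, so the reader is not left guessing whether a bare `10` or the `key = value` line is expected.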
Expand All @@ -92,7 +104,8 @@ references:
srg: SRG-APP-000516-CTR-001325

template:
name: lineinfile
vars:
path: /etc/sysctl.d/90-kubelet.conf
text: "kernel.panic=10"
name: sysctl
vars:
sysctlvar: kernel.panic
sysctlval: '10'
datatype: int
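Review bot: `sysctlval: '10'` repeats the `kernel_panic_val` binding defined at the top of the file; `sysctlval: '{{{ kernel_panic_val }}}'` avoids the two silently diverging. Since `kernel.panic` is a reboot-after-panic delay rather than a boolean, it is also worth double-checking that `datatype: int` with an exact-match check is the intended comparison rather than a minimum.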