GCP Security Command Center Publisher Add-On

.gitignore

@@ -5,6 +5,7 @@ dist
 .vscode/
 hack/kind.test.yaml
 coverage.txt
+venv/
 
 .idea/
 
@@ -13,4 +14,4 @@ coverage.txt
 thumbs.db
 /kubeconfig.kube-bench
 /test.data
-*.iml
+*.iml

cfg/config.yaml

@@ -447,6 +447,11 @@ target_mapping:
     - "controlplane"
     - "policies"
     - "managedservices"
+  "gke-stig-kubernetes-v2r2":
+    - "node"
+    - "controlplane"
+    - "policies"
+    - "managedservices"
   "tkgi-1.2.53":
     - "master"
     - "etcd"

cfg/gke-stig-kubernetes-v2r2/config.yaml

@@ -0,0 +1,18 @@
+---
+## Version-specific settings that override the values in cfg/config.yaml
+## These settings are required if you are using the --gscc option to report findings to GCP Security Command Center
+## GCP Organization ID is required.
+GCP_SCC_SOURCE_ID: "<GCP_SCC_SOURCE_ID>"
+## GCP project ID is required.
+GCP_PROJECT_ID: "<GCP_PROJECT_ID>"
+## GCP region is required.
+GCP_REGION: "<GCP_REGION>"
+## GKE Cluster Name is required.
+CLUSTER_NAME: "<CLUSTER_NAME>"
+
+
+node:
+  kubelet:
+    confs:
+      - "/home/kubernetes/kubelet-config.yaml"
+      - "/etc/kubernetes/kubelet-config.yaml"

cfg/gke-stig-kubernetes-v2r2/controlplane.yaml

@@ -0,0 +1,51 @@
+---
+controls:
+version: "gke-stig-kubernetes-v1r6"
+id: 2
+text: "Control Plane Configuration"
+type: "controlplane"
+groups:
+  - id: 2.1
+    text: "DISA Category Code I - API Server Security"
+    checks:
+
+      - id: V-242400
+        text: "The Kubernetes API server must have Alpha APIs disabled"
+        type: "manual"
+        remediation: |
+          Check the release channel using the GCP gcloud CLI.
+          gcloud container clusters describe <ClusterName> --region <RegionName> --format json | jq -r '.releaseChannel.channel'
+          This should be set to "STABLE". Any "Alpha" clusters will need to be rebuilt on the STABLE release channel.
+
+  - id: 2.2
+    text: "DISA Category Code II - Controller Manager Security"
+    checks:       
+      - id: V-242443
+        text: " Kubernetes must contain the latest updates as authorized by IAVMs, CTOs, DTMs, and STIGs. (Manual)"
+        type: "manual"
+        remediation: |
+         Upgrade Kubernetes to a supported version.
+
+      - id: V-242461
+        text: "Kubernetes API Server audit logs must be enabled. (Manual)"
+        type: "manual"
+        remediation: |
+            Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler.
+            Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/view-logs#control-plane-access-logs
+
+      - id: V-242462
+        text: "The Kubernetes API Server must be set to audit log max size | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242463
+        text: "The Kubernetes API Server must be set to audit log maximum backup | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242464
+        text: "The Kubernetes API Server audit log retention must be set | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242394
+        text: "The Kubernetes API Server audit log path must be set | Component of GKE Control Plane"
+        type: "skip"
+

cfg/gke-stig-kubernetes-v2r2/managedservices.yaml

@@ -0,0 +1,245 @@
+---
+controls:
+version: "gke-stig-kubernetes-v2r2"
+id: 5
+text: "Managed Services"
+type: "managedservices"
+groups:
+  - id: 5.1
+    text: "DISA Category Code I"
+    checks:
+      - id: V-242386
+        text: "The Kubernetes API server must have the insecure port flag disabled | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242388
+        text: "The Kubernetes API server must have the insecure bind address not set | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242436
+        text: "The Kubernetes API server must have the ValidatingAdmissionWebhook enabled | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242437
+        text: "[Deprecated] Kubernetes must have a pod security policy set. policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+"
+        type: "skip"
+
+      - id: V-245542
+        text: "Kubernetes API Server must disable basic authentication to protect information in transit | Component of GKE Control Plane"
+        type: "skip"
+
+  - id: 5.2
+    text: "DISA Category Code II"
+    checks:
+      - id: V-242376
+        text: "The Kubernetes Controller Manager must use TLS 1.2, at a minimum | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242377
+        text: "The Kubernetes Scheduler must use TLS 1.2, at a minimum | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242378
+        text: "The Kubernetes API Server must use TLS 1.2, at a minimum | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242379
+        text: "The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242380
+        text: "The Kubernetes API Server must use TLS to protect the confidentiality of sensitive data during electronic dissemination | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242382
+        text: "The Kubernetes API Server must enable Node,RBAC as the authorization mode | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242384
+        text: "The Kubernetes Scheduler must have secure binding | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242385
+        text: "The Kubernetes Controller Manager must have secure binding | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242389
+        text: "The Kubernetes API server must have the secure port set | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242401
+        text: "The Kubernetes API Server must have an audit policy set | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242402
+        text: "The Kubernetes API Server must have an audit log path set | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242403
+        text: "Kubernetes API Server must generate audit records | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242405
+        text: "The Kubernetes manifests must be owned by root | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242408
+        text: "The Kubernetes manifests must have least privileges | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242409
+        text: "Kubernetes Controller Manager must disable profiling | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242410
+        text: "The Kubernetes API Server must enforce PPS that adhere to PPSM CAL | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242411
+        text: "The Kubernetes Scheduler must enforce PPS that adhere to PPSM CAL | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242412
+        text: "The Kubernetes Controllers must enforce PPS that adhere to PPSM CAL | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242413
+        text: "The Kubernetes etcd must enforce PPS that adhere to PPSM CAL | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242418
+        text: "The Kubernetes API server must use approved cipher suites | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242419
+        text: "Kubernetes API Server must have the SSL Certificate Authority set | Component of GKE Control Plane"
+        type: "skip"
+
+
+      - id: V-242421
+        text: "Kubernetes Controller Manager must have the SSL Certificate Authority set | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242422
+        text: "Kubernetes API Server must have a certificate for communication | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242423
+        text: "Kubernetes etcd must enable client authentication to secure service | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242424
+        text: "Kubernetes etcd must enable client authentication to secure service | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242425
+        text: "Kubernetes Kubelet must enable tls-cert-file for client authentication to secure service | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242426
+        text: "Kubernetes etcd must enable client authentication to secure service | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242427
+        text: "Kubernetes etcd must have a key file for secure communication | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242428
+        text: "Kubernetes etcd must have a certificate for communication | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242429
+        text: "Kubernetes etcd must have the SSL Certificate Authority set | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242430
+        text: "Kubernetes etcd must have a certificate for communication | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242431
+        text: "Kubernetes etcd must have a key file for secure communication | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242432
+        text: "Kubernetes etcd must have peer-cert-file set for secure communication | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242433
+        text: "Kubernetes etcd must have a peer-key-file set for secure communication | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242438
+        text: "Kubernetes API Server must configure timeouts to limit attack surface | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242444
+        text: "The Kubernetes component manifests must be owned by root | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242445
+        text: "The Kubernetes component etcd must be owned by etcd | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242446
+        text: "The Kubernetes conf files must be owned by root | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242447
+        text: "The Kubernetes Kube Proxy must have file permissions set to 644 or more restrictive | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242448
+        text: "The Kubernetes Kube Proxy must be owned by root | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242449
+        text: "The Kubernetes Kubelet certificate authority file must have file permissions set to 644 or more restrictive | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242450
+        text: "The Kubernetes Kubelet certificate authority must be owned by root | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242451
+        text: "The Kubernetes component PKI must be owned by root | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242459
+        text: "The Kubernetes etcd must have file permissions set to 644 or more restrictive | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242460
+        text: "The Kubernetes admin.conf must have file permissions set to 644 or more restrictive | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242466
+        text: "The Kubernetes PKI CRT must have file permissions set to 644 or more restrictive | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242467
+        text: "The Kubernetes PKI keys must have file permissions set to 600 or more restrictive | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242468
+        text: "The Kubernetes API Server must prohibit communication using TLS version 1.0 and 1.1, and SSL 2.0 and 3.0 | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-245543
+        text: "Kubernetes API Server must disable token authentication to protect information in transit | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-245544
+        text: "Kubernetes endpoints must use approved organizational certificate and key pair to protect information in transit | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-254800
+        text: "Kubernetes must have a Pod Security Admission control file configured. | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-254801
+        text: "Kubernetes must enable PodSecurity admission controller on static pods and Kubelets. | Component of GKE Control Plane"
+        type: "skip"
+
+      - id: V-242394
+        text: "Kubernetes Worker Nodes must not have the sshd service enabled | Component of GKE Control Plane"
+        type: "skip"