1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-18 12:48:08 +00:00
kube-bench/check/data

290 lines
6.6 KiB
Plaintext
Raw Normal View History

2017-05-26 09:25:29 +00:00
---
controls:
id: 1
text: "Master Checks"
type: "master"
groups:
- id: 1.1
text: "Kube-apiserver"
checks:
2017-08-12 18:54:33 +00:00
- id: 0
text: "flag is set"
2017-05-26 09:25:29 +00:00
tests:
test_items:
2017-08-12 18:54:33 +00:00
- flag: "--allow-privileged"
2017-05-26 09:25:29 +00:00
set: true
2017-08-12 18:54:33 +00:00
- id: 1
text: "flag is not set"
2017-05-26 09:25:29 +00:00
tests:
test_items:
2017-08-12 18:54:33 +00:00
- flag: "--basic-auth"
2017-05-26 09:25:29 +00:00
set: false
2017-08-12 18:54:33 +00:00
- id: 2
text: "flag value is set to some value"
2017-05-26 09:25:29 +00:00
tests:
test_items:
2017-08-12 18:54:33 +00:00
- flag: "--insecure-port"
2017-05-26 09:25:29 +00:00
compare:
op: eq
value: 0
set: true
2017-08-12 18:54:33 +00:00
- id: 3
text: "flag value is greater than or equal some number"
2017-05-26 09:25:29 +00:00
tests:
test_items:
2017-08-12 18:54:33 +00:00
- flag: "--audit-log-maxage"
2017-05-26 09:25:29 +00:00
compare:
op: gte
value: 30
set: true
2017-08-12 18:54:33 +00:00
- id: 4
text: "flag value is less than some number"
2017-05-26 09:25:29 +00:00
tests:
test_items:
- flag: "--max-backlog"
compare:
op: lt
value: 30
set: true
2017-08-12 18:54:33 +00:00
- id: 5
text: "flag value does not have some value"
2017-05-26 09:25:29 +00:00
tests:
test_items:
2017-08-12 18:54:33 +00:00
- flag: "--admission-control"
2017-05-26 09:25:29 +00:00
compare:
op: nothave
value: AlwaysAdmit
set: true
2017-08-12 18:54:33 +00:00
- id: 6
text: "test AND binary operation"
2017-05-26 09:25:29 +00:00
tests:
bin_op: and
test_items:
- flag: "--kubelet-client-certificate"
set: true
- flag: "--kubelet-clientkey"
set: true
2017-08-12 18:54:33 +00:00
- id: 7
text: "test OR binary operation"
2017-05-26 09:25:29 +00:00
tests:
bin_op: or
test_items:
2017-08-12 18:54:33 +00:00
- flag: "--secure-port"
2017-05-26 09:25:29 +00:00
compare:
op: eq
value: 0
set: true
-
flag: "--secure-port"
set: false
2017-08-12 18:54:33 +00:00
- id: 8
text: "test flag with arbitrary text"
2017-05-26 09:25:29 +00:00
tests:
test_items:
- flag: "644"
compare:
op: eq
2017-08-12 18:54:33 +00:00
value: "644"
set: true
- id: 9
text: "test permissions"
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
2017-09-13 14:32:33 +00:00
- id: 10
text: "flag value includes some value in a comma-separated list, value is last in list"
tests:
test_items:
- flag: "--admission-control"
compare:
op: has
value: RBAC
set: true
- id: 11
text: "flag value includes some value in a comma-separated list, value is first in list"
tests:
test_items:
- flag: "--admission-control"
compare:
op: has
value: WebHook
set: true
- id: 12
text: "flag value includes some value in a comma-separated list, value middle of list"
tests:
test_items:
- flag: "--admission-control"
compare:
op: has
value: Something
set: true
- id: 13
text: "flag value includes some value in a comma-separated list, value only one in list"
tests:
test_items:
- flag: "--admission-control"
compare:
op: has
value: Something
set: true
- id: 14
text: "jsonpath correct value on field"
tests:
test_items:
- jsonpath: "{.readOnlyPort}"
compare:
op: eq
value: 15000
set: true
- jsonpath: "{.readOnlyPort}"
compare:
op: gte
value: 15000
set: true
- jsonpath: "{.readOnlyPort}"
compare:
op: lte
value: 15000
set: true
- id: 15
text: "jsonpath correct case-sensitive value on string field"
tests:
test_items:
- jsonpath: "{.stringValue}"
compare:
op: noteq
value: "None"
set: true
- jsonpath: "{.stringValue}"
compare:
op: noteq
value: "webhook,Something,RBAC"
set: true
- jsonpath: "{.stringValue}"
compare:
op: eq
value: "WebHook,Something,RBAC"
set: true
- id: 16
text: "jsonpath correct value on boolean field"
tests:
test_items:
- jsonpath: "{.trueValue}"
compare:
op: noteq
value: somethingElse
set: true
- jsonpath: "{.trueValue}"
compare:
op: noteq
value: false
set: true
- jsonpath: "{.trueValue}"
compare:
op: eq
value: true
set: true
- id: 17
text: "jsonpath field absent"
tests:
test_items:
- jsonpath: "{.notARealField}"
set: false
- id: 18
text: "jsonpath correct value on nested field"
tests:
test_items:
- jsonpath: "{.authentication.anonymous.enabled}"
compare:
op: eq
value: "false"
set: true
- id: 19
text: "yamlpath correct value on field"
tests:
test_items:
- yamlpath: "{.readOnlyPort}"
compare:
op: gt
value: 14999
set: true
- id: 20
text: "yamlpath field absent"
tests:
test_items:
- yamlpath: "{.fieldThatIsUnset}"
set: false
2017-09-13 14:32:33 +00:00
- id: 21
text: "yamlpath correct value on nested field"
tests:
test_items:
- yamlpath: "{.authentication.anonymous.enabled}"
compare:
op: eq
value: "false"
set: true
- id: 22
text: "jsonpath on invalid json"
tests:
test_items:
- jsonpath: "{.authentication.anonymous.enabled}"
compare:
op: eq
value: "false"
set: true
- id: 23
text: "jsonpath with broken expression"
tests:
test_items:
- jsonpath: "{.missingClosingBrace"
set: true
- id: 24
text: "yamlpath on invalid yaml"
tests:
test_items:
- yamlpath: "{.authentication.anonymous.enabled}"
compare:
op: eq
value: "false"
set: true