
Fix repetitive flags in some ocp-3.11 tests (#462)

* fix flag repetition in ocp-3.11/node.yaml

* fix flag repetition in ocp-3.11/master.yaml
This commit is contained in:
Prem Kumar 2019-10-26 05:42:56 +05:30 committed by Roberto Rojas
parent b0abc74350
commit 01ee110ac4
2 changed files with 34 additions and 34 deletions


@ -50,17 +50,17 @@ groups:
op: eq op: eq
value: "kubeletClientInfo:" value: "kubeletClientInfo:"
set: true set: true
- flag: "ca: ca-bundle.crt" - flag: "ca"
compare: compare:
op: has op: has
value: "ca-bundle.crt" value: "ca-bundle.crt"
set: true set: true
- flag: "certFile: master.kubelet-client.crt" - flag: "certFile"
compare: compare:
op: has op: has
value: "master.kubelet-client.crt" value: "master.kubelet-client.crt"
set: true set: true
- flag: "keyFile: master.kubelet-client.key" - flag: "keyFile"
compare: compare:
op: has op: has
value: "master.kubelet-client.key" value: "master.kubelet-client.key"
@ -185,7 +185,7 @@ groups:
audit: "grep -A4 AlwaysPullImages /etc/origin/master/master-config.yaml" audit: "grep -A4 AlwaysPullImages /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "disable: false" - flag: "disable"
compare: compare:
op: has op: has
value: "false" value: "false"
@ -236,7 +236,7 @@ groups:
audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml" audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "enabled: true" - flag: "enabled"
compare: compare:
op: has op: has
value: "true" value: "true"
@ -387,15 +387,15 @@ groups:
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "keyFile: master.kubelet-client.key" - flag: "keyFile"
compare: compare:
op: has op: has
value: "keyFile: master.kubelet-client.key" value: "master.kubelet-client.key"
set: true set: true
- flag: "certFile: master.kubelet-client.crt" - flag: "certFile"
compare: compare:
op: has op: has
value: "certFile: master.kubelet-client.crt" value: "master.kubelet-client.crt"
set: true set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following
@ -424,10 +424,10 @@ groups:
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "privateKeyFile: serviceaccounts.private.key" - flag: "privateKeyFile"
compare: compare:
op: has op: has
value: "privateKeyFile: serviceaccounts.private.key" value: "serviceaccounts.private.key"
set: true set: true
- flag: "serviceaccounts.public.key" - flag: "serviceaccounts.public.key"
compare: compare:
@ -464,15 +464,15 @@ groups:
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "certFile: master.etcd-client.crt" - flag: "certFile"
compare: compare:
op: has op: has
value: "certFile: master.etcd-client.crt" value: "master.etcd-client.crt"
set: true set: true
- flag: "keyFile: master.etcd-client.key" - flag: "keyFile"
compare: compare:
op: has op: has
value: "keyFile: master.etcd-client.key" value: "master.etcd-client.key"
set: true set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile
@ -492,10 +492,10 @@ groups:
test_items: test_items:
- flag: "ServiceAccount" - flag: "ServiceAccount"
set: false set: false
- flag: "disable: false" - flag: "disable"
compare: compare:
op: has op: has
value: "disable: false" value: "false"
set: true set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount
@ -514,15 +514,15 @@ groups:
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
- flag: "certFile: master.server.crt" - flag: "certFile"
compare: compare:
op: has op: has
value: "certFile: master.server.crt" value: "master.server.crt"
set: true set: true
- flag: "keyFile: master.server.key" - flag: "keyFile"
compare: compare:
op: has op: has
value: "keyFile: master.server.key" value: "master.server.key"
set: true set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo. Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo.
@ -562,10 +562,10 @@ groups:
audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml" audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "ca: master.etcd-ca.crt" - flag: "ca"
compare: compare:
op: has op: has
value: "ca: master.etcd-ca.crt" value: "master.etcd-ca.crt"
set: true set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo. Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo.
@ -589,10 +589,10 @@ groups:
test_items: test_items:
- flag: "NodeRestriction" - flag: "NodeRestriction"
set: false set: false
- flag: "disable: false" - flag: "disable"
compare: compare:
op: has op: has
value: "disable: false" value: "false"
set: true set: true
remediation: | remediation: |
Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable NodeRestriction ca under etcdClientInfo. Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable NodeRestriction ca under etcdClientInfo.
@ -639,10 +639,10 @@ groups:
audit: "grep -A4 EventRateLimit /etc/origin/master/master-config.yaml" audit: "grep -A4 EventRateLimit /etc/origin/master/master-config.yaml"
tests: tests:
test_items: test_items:
- flag: "disable: false" - flag: "disable"
compare: compare:
op: has op: has
value: "disable: false" value: "false"
set: true set: true
remediation: | remediation: |
Follow the documentation to enable the EventRateLimit plugin. Follow the documentation to enable the EventRateLimit plugin.
@ -775,7 +775,7 @@ groups:
value: "/etc/origin/master/ca-bundle.crt" value: "/etc/origin/master/ca-bundle.crt"
set: true set: true
test_items: test_items:
- flag: "masterCA: ca-bundle.crt" - flag: "masterCA"
compare: compare:
op: has op: has
value: "ca-bundle.crt" value: "ca-bundle.crt"
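Review bot: Shortening the flags to bare key names (`ca`, `certFile`, `keyFile`, `disable`) makes the same flag name appear in several test items across this file (the kubeletClientInfo items at the first hunk, the etcd items in the `-464` hunk, the servingInfo items in the `-514` hunk), so each check is now only as specific as its `audit` grep window (`-A3`/`-A4`/`-A5` on the visible audit lines). If one of those windows reaches into a neighbouring stanza that also carries a `certFile`/`keyFile`, a different certificate could satisfy `op: has`; worth confirming each window against the master-config layout and noting the dependency beside the test, e.g. `# flag names are generic; the audit grep window scopes them to this stanza`. The `-589` hunk also shows a remediation line that reads `enable NodeRestriction ca under etcdClientInfo`, which looks copy-pasted from the etcdClientInfo check and should presumably end after `NodeRestriction`. The `tests:` blocks in these hunks begin above the hunk boundaries, so the surrounding `audit` lines are not all visible here.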


@ -25,7 +25,7 @@ groups:
test_items: test_items:
- flag: "authorization-mode" - flag: "authorization-mode"
set: false set: false
- flag: "authorization-mode: Webhook" - flag: "authorization-mode"
compare: compare:
op: has op: has
value: "Webhook" value: "Webhook"
@ -59,7 +59,7 @@ groups:
test_items: test_items:
- flag: "read-only-port" - flag: "read-only-port"
set: false set: false
- flag: "read-only-port: 0" - flag: "read-only-port"
compare: compare:
op: has op: has
value: "0" value: "0"
@ -100,7 +100,7 @@ groups:
test_items: test_items:
- flag: "make-iptables-util-chains" - flag: "make-iptables-util-chains"
set: false set: false
- flag: "make-iptables-util-chains: true" - flag: "make-iptables-util-chains"
compare: compare:
op: has op: has
value: "true" value: "true"
@ -115,7 +115,7 @@ groups:
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml" audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
tests: tests:
test_items: test_items:
- flag: "keep-terminated-pod-volumes: false" - flag: "keep-terminated-pod-volumes"
compare: compare:
op: has op: has
value: "false" value: "false"
@ -137,7 +137,7 @@ groups:
test_items: test_items:
- flag: "event-qps" - flag: "event-qps"
set: false set: false
- flag: "event-qps: 0" - flag: "event-qps"
compare: compare:
op: has op: has
value: "0" value: "0"
@ -169,7 +169,7 @@ groups:
test_items: test_items:
- flag: "cadvisor-port" - flag: "cadvisor-port"
set: false set: false
- flag: "cadvisor-port: 0" - flag: "cadvisor-port"
compare: compare:
op: has op: has
value: "0" value: "0"
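Review bot: With the flag reduced to `read-only-port` in the `-59` hunk, the remaining check is `op: has` against `"0"`, and if `has` is a substring comparison (as it appears to be from its use with file names elsewhere) a value such as `10255` or `10250` also contains `0` and would pass, so a read-only port that is actually enabled could be reported as compliant. The same applies to `event-qps` in the `-137` hunk and `cadvisor-port` in the `-169` hunk. Since the file already uses `op: eq` for exact matches, these three items would be stricter as `op: eq` with `value: "0"`, provided the flag matcher yields just the value after the colon for the `key: value` form used in node-config.yaml. Each of these test_items lists continues above the hunk boundary.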