Fix repetitive flags in some ocp-3.11 tests (#462)
* fix flag repetition in ocp-3.11/node.yaml * fix flag repetition in ocp-3.11/master.yaml
This commit is contained in:
parent
b0abc74350
commit
01ee110ac4
@ -50,17 +50,17 @@ groups:
|
|||||||
op: eq
|
op: eq
|
||||||
value: "kubeletClientInfo:"
|
value: "kubeletClientInfo:"
|
||||||
set: true
|
set: true
|
||||||
- flag: "ca: ca-bundle.crt"
|
- flag: "ca"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "ca-bundle.crt"
|
value: "ca-bundle.crt"
|
||||||
set: true
|
set: true
|
||||||
- flag: "certFile: master.kubelet-client.crt"
|
- flag: "certFile"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "master.kubelet-client.crt"
|
value: "master.kubelet-client.crt"
|
||||||
set: true
|
set: true
|
||||||
- flag: "keyFile: master.kubelet-client.key"
|
- flag: "keyFile"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "master.kubelet-client.key"
|
value: "master.kubelet-client.key"
|
||||||
@ -185,7 +185,7 @@ groups:
|
|||||||
audit: "grep -A4 AlwaysPullImages /etc/origin/master/master-config.yaml"
|
audit: "grep -A4 AlwaysPullImages /etc/origin/master/master-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "disable: false"
|
- flag: "disable"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "false"
|
value: "false"
|
||||||
@ -236,7 +236,7 @@ groups:
|
|||||||
audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml"
|
audit: "grep -A5 auditConfig /etc/origin/master/master-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "enabled: true"
|
- flag: "enabled"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "true"
|
value: "true"
|
||||||
@ -387,15 +387,15 @@ groups:
|
|||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "keyFile: master.kubelet-client.key"
|
- flag: "keyFile"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "keyFile: master.kubelet-client.key"
|
value: "master.kubelet-client.key"
|
||||||
set: true
|
set: true
|
||||||
- flag: "certFile: master.kubelet-client.crt"
|
- flag: "certFile"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "certFile: master.kubelet-client.crt"
|
value: "master.kubelet-client.crt"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following
|
Edit the Openshift master config file /etc/origin/master/master-config.yaml and add the following
|
||||||
@ -424,10 +424,10 @@ groups:
|
|||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "privateKeyFile: serviceaccounts.private.key"
|
- flag: "privateKeyFile"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "privateKeyFile: serviceaccounts.private.key"
|
value: "serviceaccounts.private.key"
|
||||||
set: true
|
set: true
|
||||||
- flag: "serviceaccounts.public.key"
|
- flag: "serviceaccounts.public.key"
|
||||||
compare:
|
compare:
|
||||||
@ -464,15 +464,15 @@ groups:
|
|||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "certFile: master.etcd-client.crt"
|
- flag: "certFile"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "certFile: master.etcd-client.crt"
|
value: "master.etcd-client.crt"
|
||||||
set: true
|
set: true
|
||||||
- flag: "keyFile: master.etcd-client.key"
|
- flag: "keyFile"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "keyFile: master.etcd-client.key"
|
value: "master.etcd-client.key"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile
|
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile
|
||||||
@ -492,10 +492,10 @@ groups:
|
|||||||
test_items:
|
test_items:
|
||||||
- flag: "ServiceAccount"
|
- flag: "ServiceAccount"
|
||||||
set: false
|
set: false
|
||||||
- flag: "disable: false"
|
- flag: "disable"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "disable: false"
|
value: "false"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount
|
Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable ServiceAccount
|
||||||
@ -514,15 +514,15 @@ groups:
|
|||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "certFile: master.server.crt"
|
- flag: "certFile"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "certFile: master.server.crt"
|
value: "master.server.crt"
|
||||||
set: true
|
set: true
|
||||||
- flag: "keyFile: master.server.key"
|
- flag: "keyFile"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "keyFile: master.server.key"
|
value: "master.server.key"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo.
|
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set keyFile and certFile under servingInfo.
|
||||||
@ -562,10 +562,10 @@ groups:
|
|||||||
audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml"
|
audit: "grep -A3 etcdClientInfo /etc/origin/master/master-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "ca: master.etcd-ca.crt"
|
- flag: "ca"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "ca: master.etcd-ca.crt"
|
value: "master.etcd-ca.crt"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo.
|
Edit the Openshift master config file /etc/origin/master/master-config.yaml and set ca under etcdClientInfo.
|
||||||
@ -589,10 +589,10 @@ groups:
|
|||||||
test_items:
|
test_items:
|
||||||
- flag: "NodeRestriction"
|
- flag: "NodeRestriction"
|
||||||
set: false
|
set: false
|
||||||
- flag: "disable: false"
|
- flag: "disable"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "disable: false"
|
value: "false"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable NodeRestriction ca under etcdClientInfo.
|
Edit the Openshift master config file /etc/origin/master/master-config.yaml and enable NodeRestriction ca under etcdClientInfo.
|
||||||
@ -639,10 +639,10 @@ groups:
|
|||||||
audit: "grep -A4 EventRateLimit /etc/origin/master/master-config.yaml"
|
audit: "grep -A4 EventRateLimit /etc/origin/master/master-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "disable: false"
|
- flag: "disable"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "disable: false"
|
value: "false"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the documentation to enable the EventRateLimit plugin.
|
Follow the documentation to enable the EventRateLimit plugin.
|
||||||
@ -775,7 +775,7 @@ groups:
|
|||||||
value: "/etc/origin/master/ca-bundle.crt"
|
value: "/etc/origin/master/ca-bundle.crt"
|
||||||
set: true
|
set: true
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "masterCA: ca-bundle.crt"
|
- flag: "masterCA"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "ca-bundle.crt"
|
value: "ca-bundle.crt"
|
||||||
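Review bot: In the kubeletClientInfo hunk and the etcdClientInfo hunk the new flag name `ca` is a substring of the very value it is compared against (`ca-bundle.crt`, `master.etcd-ca.crt`), so whether the item still isolates the `ca:` key rather than matching `ca` somewhere else in the grepped block depends on how kube-bench delimits a flag name in the audit output, which these hunks do not show; it is worth checking with a negative fixture (the grep output with the `ca:` line removed) that the item then fails. The `disable` items in the AlwaysPullImages, ServiceAccount, NodeRestriction and EventRateLimit hunks compare with `op: has` and `value: "false"`, which is a substring test; since the file already uses `op: eq` (first hunk), `op: eq` with `value: "false"` would pin the expected setting exactly. Separately, the remediation context line of the NodeRestriction hunk, "enable NodeRestriction ca under etcdClientInfo", looks copied from the etcdClientInfo test and could be corrected to "enable NodeRestriction" while this file is being touched. The enclosing `tests:` blocks and their `bin_op` lie outside most of these hunks.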
|
@ -25,7 +25,7 @@ groups:
|
|||||||
test_items:
|
test_items:
|
||||||
- flag: "authorization-mode"
|
- flag: "authorization-mode"
|
||||||
set: false
|
set: false
|
||||||
- flag: "authorization-mode: Webhook"
|
- flag: "authorization-mode"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "Webhook"
|
value: "Webhook"
|
||||||
@ -59,7 +59,7 @@ groups:
|
|||||||
test_items:
|
test_items:
|
||||||
- flag: "read-only-port"
|
- flag: "read-only-port"
|
||||||
set: false
|
set: false
|
||||||
- flag: "read-only-port: 0"
|
- flag: "read-only-port"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "0"
|
value: "0"
|
||||||
@ -100,7 +100,7 @@ groups:
|
|||||||
test_items:
|
test_items:
|
||||||
- flag: "make-iptables-util-chains"
|
- flag: "make-iptables-util-chains"
|
||||||
set: false
|
set: false
|
||||||
- flag: "make-iptables-util-chains: true"
|
- flag: "make-iptables-util-chains"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "true"
|
value: "true"
|
||||||
@ -115,7 +115,7 @@ groups:
|
|||||||
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
|
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "keep-terminated-pod-volumes: false"
|
- flag: "keep-terminated-pod-volumes"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "false"
|
value: "false"
|
||||||
@ -137,7 +137,7 @@ groups:
|
|||||||
test_items:
|
test_items:
|
||||||
- flag: "event-qps"
|
- flag: "event-qps"
|
||||||
set: false
|
set: false
|
||||||
- flag: "event-qps: 0"
|
- flag: "event-qps"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "0"
|
value: "0"
|
||||||
@ -169,7 +169,7 @@ groups:
|
|||||||
test_items:
|
test_items:
|
||||||
- flag: "cadvisor-port"
|
- flag: "cadvisor-port"
|
||||||
set: false
|
set: false
|
||||||
- flag: "cadvisor-port: 0"
|
- flag: "cadvisor-port"
|
||||||
compare:
|
compare:
|
||||||
op: has
|
op: has
|
||||||
value: "0"
|
value: "0"
|
||||||
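Review bot: `op: has` is a substring match, so `flag: "read-only-port"` with `value: "0"` now passes for any port whose digits contain a zero (for example the default `10255`), and the same weakening applies to `event-qps`/`value: "0"` and `cadvisor-port`/`value: "0"`; the previous `flag: "read-only-port: 0"` form at least required the literal `read-only-port: 0` to appear in the audit output. For these numeric settings the check should be exact: `op: eq` with `value: "0"` on each of the three items. The `authorization-mode`, `make-iptables-util-chains` and `keep-terminated-pod-volumes` items are not affected in practice, since `Webhook`, `true` and `false` are not substrings of plausible alternative values. The enclosing `tests:` block and its `bin_op` lie outside these hunks, so it cannot be confirmed here that the paired `set: false` / compare items are combined with `or`.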
|