mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-29 11:28:14 +00:00
Add new tests and clean up old tests.
This commit is contained in:
parent
d2fa9d35b6
commit
0933fa420b
93
check/data
93
check/data
@ -7,59 +7,42 @@ groups:
|
|||||||
- id: 1.1
|
- id: 1.1
|
||||||
text: "Kube-apiserver"
|
text: "Kube-apiserver"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.1.1
|
- id: 0
|
||||||
text: "Ensure that the --allow-privileged argument is set (Scored)"
|
text: "flag is set"
|
||||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
-
|
- flag: "--allow-privileged"
|
||||||
flag: "--allow-privileged"
|
|
||||||
set: true
|
set: true
|
||||||
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 1.1.2
|
- id: 1
|
||||||
text: "Ensure that the --basic-auth argument is not set (Scored)"
|
text: "flag is not set"
|
||||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
||||||
tests:
|
tests:
|
||||||
test_item:
|
test_item:
|
||||||
-
|
- flag: "--basic-auth"
|
||||||
flag: "--basic-auth"
|
|
||||||
set: false
|
set: false
|
||||||
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 1.1.3
|
- id: 2
|
||||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
text: "flag value is set to some value"
|
||||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
-
|
- flag: "--insecure-port"
|
||||||
flag: "--insecure-port"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 0
|
value: 0
|
||||||
set: true
|
set: true
|
||||||
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 1.1.4
|
- id: 3
|
||||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or appropriate (Scored)"
|
text: "flag value is greater than or equal some number"
|
||||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
-
|
- flag: "--audit-log-maxage"
|
||||||
flag: "--audit-log-maxage"
|
|
||||||
compare:
|
compare:
|
||||||
op: gte
|
op: gte
|
||||||
value: 30
|
value: 30
|
||||||
set: true
|
set: true
|
||||||
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 1.1.5
|
- id: 4
|
||||||
text: "Ensure that the --max-backlog argument is set to 30 or less (Scored)"
|
text: "flag value is less than some number"
|
||||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--max-backlog"
|
- flag: "--max-backlog"
|
||||||
@ -67,26 +50,19 @@ groups:
|
|||||||
op: lt
|
op: lt
|
||||||
value: 30
|
value: 30
|
||||||
set: true
|
set: true
|
||||||
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 1.1.6
|
- id: 5
|
||||||
text: "Ensure admission control does not include AlwaysAdmit (Scored)"
|
text: "flag value does not have some value"
|
||||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
-
|
- flag: "--admission-control"
|
||||||
flag: "--admission-control"
|
|
||||||
compare:
|
compare:
|
||||||
op: nothave
|
op: nothave
|
||||||
value: AlwaysAdmit
|
value: AlwaysAdmit
|
||||||
set: true
|
set: true
|
||||||
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 1.1.7
|
- id: 6
|
||||||
text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)"
|
text: "test AND binary operation"
|
||||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
test_items:
|
test_items:
|
||||||
@ -94,17 +70,13 @@ groups:
|
|||||||
set: true
|
set: true
|
||||||
- flag: "--kubelet-clientkey"
|
- flag: "--kubelet-clientkey"
|
||||||
set: true
|
set: true
|
||||||
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 1.1.8
|
- id: 7
|
||||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
text: "test OR binary operation"
|
||||||
audit: "ps -ef | grep kube-apiserver | grep -v grep"
|
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
-
|
- flag: "--secure-port"
|
||||||
flag: "--secure-port"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 0
|
value: 0
|
||||||
@ -112,28 +84,13 @@ groups:
|
|||||||
-
|
-
|
||||||
flag: "--secure-port"
|
flag: "--secure-port"
|
||||||
set: false
|
set: false
|
||||||
remediation: "Edit the /etc/kubernetes/apiserver file on the master node and either remove the -secure-port argument from the KUBE_API_ARGS parameter or set it to a different desired port."
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 1.4.1
|
- id: 8
|
||||||
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
text: "test flag with arbitrary text"
|
||||||
audit: "stat -c %a /etc/kubernetes/apiserver"
|
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
set: true
|
|
||||||
remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver"
|
|
||||||
scored: true
|
|
||||||
|
|
||||||
- id: 2.1.14
|
|
||||||
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
|
||||||
audit: "ps -ef | grep kubelet | grep -v grep"
|
|
||||||
tests:
|
|
||||||
test_items:
|
|
||||||
- flag: "KubeletClient"
|
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: true
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver"
|
|
||||||
scored: true
|
|
||||||
|
@ -16,6 +16,8 @@ package check
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"os"
|
||||||
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -30,79 +32,66 @@ func init() {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
panic("Failed reading test data: " + err.Error())
|
panic("Failed reading test data: " + err.Error())
|
||||||
}
|
}
|
||||||
controls, err = NewControls(MASTER, in)
|
|
||||||
|
// substitute variables in data file
|
||||||
|
user := os.Getenv("USER")
|
||||||
|
s := strings.Replace(string(in), "$user", user, -1)
|
||||||
|
|
||||||
|
controls, err = NewControls(MASTER, []byte(s))
|
||||||
|
// controls, err = NewControls(MASTER, in)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic("Failed creating test controls: " + err.Error())
|
panic("Failed creating test controls: " + err.Error())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestTestExecute(t *testing.T) {
|
func TestTestExecute(t *testing.T) {
|
||||||
|
|
||||||
cases := []struct {
|
cases := []struct {
|
||||||
*tests
|
*Check
|
||||||
testfor string
|
|
||||||
str string
|
str string
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
controls.Groups[0].Checks[0].Tests,
|
controls.Groups[0].Checks[0],
|
||||||
"flag set",
|
|
||||||
"2:45 ../kubernetes/kube-apiserver --allow-privileged=false --option1=20,30,40",
|
"2:45 ../kubernetes/kube-apiserver --allow-privileged=false --option1=20,30,40",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
controls.Groups[0].Checks[1].Tests,
|
controls.Groups[0].Checks[1],
|
||||||
"flag not set",
|
|
||||||
"2:45 ../kubernetes/kube-apiserver --allow-privileged=false",
|
"2:45 ../kubernetes/kube-apiserver --allow-privileged=false",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
controls.Groups[0].Checks[2].Tests,
|
controls.Groups[0].Checks[2],
|
||||||
"flag and value set",
|
|
||||||
"niinai 13617 2635 99 19:26 pts/20 00:03:08 ./kube-apiserver --insecure-port=0 --anonymous-auth",
|
"niinai 13617 2635 99 19:26 pts/20 00:03:08 ./kube-apiserver --insecure-port=0 --anonymous-auth",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
controls.Groups[0].Checks[3].Tests,
|
controls.Groups[0].Checks[3],
|
||||||
"flag value greater than value",
|
|
||||||
"2:45 ../kubernetes/kube-apiserver --secure-port=0 --audit-log-maxage=40 --option",
|
"2:45 ../kubernetes/kube-apiserver --secure-port=0 --audit-log-maxage=40 --option",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
controls.Groups[0].Checks[4].Tests,
|
controls.Groups[0].Checks[4],
|
||||||
"flag value less than value",
|
|
||||||
"2:45 ../kubernetes/kube-apiserver --max-backlog=20 --secure-port=0 --audit-log-maxage=40 --option",
|
"2:45 ../kubernetes/kube-apiserver --max-backlog=20 --secure-port=0 --audit-log-maxage=40 --option",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
controls.Groups[0].Checks[5].Tests,
|
controls.Groups[0].Checks[5],
|
||||||
"flag value does not have",
|
|
||||||
"2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
|
"2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
controls.Groups[0].Checks[6].Tests,
|
controls.Groups[0].Checks[6],
|
||||||
"AND multiple tests, all testitems pass",
|
|
||||||
"2:45 .. --kubelet-clientkey=foo --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
|
"2:45 .. --kubelet-clientkey=foo --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
controls.Groups[0].Checks[7].Tests,
|
controls.Groups[0].Checks[7],
|
||||||
"OR multiple tests",
|
|
||||||
"2:45 .. --secure-port=0 --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
|
"2:45 .. --secure-port=0 --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
controls.Groups[0].Checks[8].Tests,
|
controls.Groups[0].Checks[8],
|
||||||
"text",
|
|
||||||
"644",
|
"644",
|
||||||
},
|
},
|
||||||
{
|
|
||||||
controls.Groups[0].Checks[9].Tests,
|
|
||||||
"flag value is comma-separated",
|
|
||||||
"2:35 ../kubelet --features-gates=KubeletClient=true,KubeletServer=true",
|
|
||||||
},
|
|
||||||
{
|
|
||||||
controls.Groups[0].Checks[9].Tests,
|
|
||||||
"flag value is comma-separated",
|
|
||||||
"2:35 ../kubelet --features-gates=KubeletServer=true,KubeletClient=true",
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, c := range cases {
|
for _, c := range cases {
|
||||||
res := c.tests.execute(c.str)
|
res := c.Tests.execute(c.str)
|
||||||
if !res {
|
if !res {
|
||||||
t.Errorf("%s, expected:%v, got:%v\n", c.testfor, true, res)
|
t.Errorf("%s, expected:%v, got:%v\n", c.Text, true, res)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user