commit
0bbc867396
@ -479,19 +479,14 @@ groups:
|
||||
parameter to \"--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>\""
|
||||
scored: true
|
||||
|
||||
# TODO: provide flag to WARN of manual tasks which we can't automate.
|
||||
- id: 1.1.35
|
||||
text: "Ensure that the encryption provider is set to aescbc (Scored)"
|
||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "requires manual intervention"
|
||||
set: true
|
||||
type: "manual"
|
||||
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
||||
choose aescbc as the encryption provider"
|
||||
scored: true
|
||||
|
||||
|
||||
- id: 1.2
|
||||
text: "Scheduler"
|
||||
checks:
|
||||
@ -573,7 +568,13 @@ groups:
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
|
||||
scored: true
|
||||
|
||||
# TODO: 1.3.6 is manual, provide way to WARN
|
||||
- id: 1.3.6
|
||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
|
||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
|
||||
\"--feature-gates=RotateKubeletServerCertificate=true\""
|
||||
scored: false
|
||||
|
||||
- id: 1.3.7
|
||||
text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
||||
@ -717,6 +718,20 @@ groups:
|
||||
chmod 700 /var/lib/etcd/default.etcd"
|
||||
scored: true
|
||||
|
||||
- id: 1.4.12
|
||||
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
|
||||
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G"
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "etcd:etcd"
|
||||
set: true
|
||||
remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
|
||||
from the below command:\n
|
||||
ps -ef | grep etcd\n
|
||||
Run the below command (based on the etcd data directory found above). For example,\n
|
||||
chown etcd:etcd /var/lib/etcd/default.etcd"
|
||||
scored: true
|
||||
|
||||
- id: 1.5
|
||||
text: "etcd"
|
||||
checks:
|
||||
@ -859,3 +874,65 @@ groups:
|
||||
remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the
|
||||
etcd service."
|
||||
scored: false
|
||||
|
||||
- id: 1.6
|
||||
text: "General Security Primitives"
|
||||
checks:
|
||||
- id: 1.6.1
|
||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
|
||||
scored: false
|
||||
|
||||
- id: 1.6.2
|
||||
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
|
||||
suggested Pod Security Policies for your environment."
|
||||
scored: false
|
||||
|
||||
- id: 1.6.3
|
||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
|
||||
need them."
|
||||
scored: false
|
||||
|
||||
- id: 1.6.4
|
||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
|
||||
scored: false
|
||||
|
||||
- id: 1.6.5
|
||||
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||
would need to enable alpha features in the apiserver by passing \"--feature-
|
||||
gates=AllAlpha=true\" argument.\n
|
||||
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
|
||||
parameter to \"--feature-gates=AllAlpha=true\"
|
||||
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
|
||||
scored: false
|
||||
|
||||
- id: 1.6.6
|
||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||
Containers."
|
||||
scored: false
|
||||
|
||||
- id: 1.6.7
|
||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the Kubernetes documentation and setup image provenance."
|
||||
scored: false
|
||||
|
||||
- id: 1.6.8
|
||||
text: "Configure Network policies as appropriate (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
|
||||
scored: false
|
||||
|
||||
|
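Review bot: The new 1.3.6 entry's `text` does not match its `remediation`: the title reads "Apply Security Context to Your Pods and Containers (Not Scored)" (the same wording 1.6.6 gets later in this commit) while the remediation tells the operator to set `--feature-gates=RotateKubeletServerCertificate=true`, the flag the neighbouring automated check 1.3.7 already covers. One of the two fields looks copy-pasted from another check, and since a manual check's only useful output is its remediation text, the title and remediation should be reconciled against the benchmark's 1.3.6 entry before this lands. In the first hunk, 1.1.35 keeps an `audit:` line and a `tests:` block whose single item is the placeholder flag `"requires manual intervention"`; once `type: "manual"` makes `Run` set WARN and return before any command runs, those lines are dead and the placeholder reads as a real expectation, so I would drop them and keep only `type: "manual"` plus the remediation. The `scored: true` on 1.1.35 is presumably inherited from the benchmark's "(Scored)" label and can stay, but a scored item that is forced to WARN never passes automatically, which deserves a comment on that line such as `# manual check: Run() forces WARN, so this scored item is always reported as a warning`.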
@ -285,7 +285,6 @@ groups:
|
||||
\nFor example, chown root:root $proxyconf"
|
||||
scored: true
|
||||
|
||||
# TODO: provide flag to WARN about manual checks.
|
||||
- id: 2.2.7
|
||||
text: "Ensure that the certificate authorities file permissions are set to
|
||||
644 or more restrictive (Scored)"
|
||||
@ -298,7 +297,6 @@ groups:
|
||||
\nchmod 644 <filename>"
|
||||
scored: true
|
||||
|
||||
# TODO: provide flag to WARN about manual checks.
|
||||
- id: 2.2.8
|
||||
text: "Ensure that the client certificate authorities file ownership is set to root:root"
|
||||
audit: "if test -e $ca-file; then stat -c %U:%G $ca-file; fi"
|
||||
|
@ -61,6 +61,7 @@ type Check struct {
|
||||
ID string `yaml:"id" json:"id"`
|
||||
Text string
|
||||
Audit string `json:"omit"`
|
||||
Type string `json:"type"`
|
||||
Commands []*exec.Cmd `json:"omit"`
|
||||
Tests *tests `json:"omit"`
|
||||
Set bool `json:"omit"`
|
||||
@ -71,6 +72,12 @@ type Check struct {
|
||||
// Run executes the audit commands specified in a check and outputs
|
||||
// the results.
|
||||
func (c *Check) Run() {
|
||||
// If check type is manual, force result to WARN.
|
||||
if c.Type == "manual" {
|
||||
c.State = WARN
|
||||
return
|
||||
}
|
||||
|
||||
var out bytes.Buffer
|
||||
var errmsgs string
|
||||
|
||||
|