arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-13 19:29:02 +00:00
Code Issues Releases Wiki Activity

Merge pull request #32 from aquasecurity/issue-19-2

Browse Source 
Issue 19, take 2
This commit is contained in:
Liz Rice 2017-08-08 22:26:22 +01:00 committed by GitHub
commit 0bbc867396
3 changed files with 91 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
cfg/master.yaml
View File

@ -479,19 +479,14 @@ groups:
parameter to \"--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>\""
scored: true
# TODO: provide flag to WARN of manual tasks which we can't automate.
- id: 1.1.35
text: "Ensure that the encryption provider is set to aescbc (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "requires manual intervention"
set: true
type: "manual"
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider"
scored: true
- id: 1.2
text: "Scheduler"
checks:
@ -573,7 +568,13 @@ groups:
KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
scored: true
# TODO: 1.3.6 is manual, provide way to WARN
- id: 1.3.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
\"--feature-gates=RotateKubeletServerCertificate=true\""
scored: false
- id: 1.3.7
text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
@ -717,6 +718,20 @@ groups:
chmod 700 /var/lib/etcd/default.etcd"
scored: true
- id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G"
tests:
test_items:
- flag: "etcd:etcd"
set: true
remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command:\n
ps -ef | grep etcd\n
Run the below command (based on the etcd data directory found above). For example,\n
chown etcd:etcd /var/lib/etcd/default.etcd"
scored: true
- id: 1.5
text: "etcd"
checks:
@ -859,3 +874,65 @@ groups:
remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service."
scored: false
- id: 1.6
text: "General Security Primitives"
checks:
- id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
scored: false
- id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
suggested Pod Security Policies for your environment."
scored: false
- id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
need them."
scored: false
- id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
scored: false
- id: 1.6.5
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual"
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing \"--feature-
gates=AllAlpha=true\" argument.\n
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
parameter to \"--feature-gates=AllAlpha=true\"
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
scored: false
- id: 1.6.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers."
scored: false
- id: 1.6.7
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and setup image provenance."
scored: false
- id: 1.6.8
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
scored: false

2
cfg/node.yaml
View File

@ -285,7 +285,6 @@ groups:
\nFor example, chown root:root $proxyconf"
scored: true
# TODO: provide flag to WARN about manual checks.
- id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)"
@ -298,7 +297,6 @@ groups:
\nchmod 644 <filename>"
scored: true
# TODO: provide flag to WARN about manual checks.
- id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root"
audit: "if test -e $ca-file; then stat -c %U:%G $ca-file; fi"

7
check/check.go
View File

@ -61,6 +61,7 @@ type Check struct {
ID string `yaml:"id" json:"id"`
Text string
Audit string `json:"omit"`
Type string `json:"type"`
Commands []*exec.Cmd `json:"omit"`
Tests *tests `json:"omit"`
Set bool `json:"omit"`
@ -71,6 +72,12 @@ type Check struct {
// Run executes the audit commands specified in a check and outputs
// the results.
func (c *Check) Run() {
// If check type is manual, force result to WARN.
if c.Type == "manual" {
c.State = WARN
return
}
var out bytes.Buffer
var errmsgs string