1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-25 01:18:12 +00:00

Merge pull request #32 from aquasecurity/issue-19-2

Issue 19, take 2
This commit is contained in:
Liz Rice 2017-08-08 22:26:22 +01:00 committed by GitHub
commit 0bbc867396
3 changed files with 91 additions and 9 deletions

View File

@ -479,19 +479,14 @@ groups:
parameter to \"--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>\"" parameter to \"--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>\""
scored: true scored: true
# TODO: provide flag to WARN of manual tasks which we can't automate.
- id: 1.1.35 - id: 1.1.35
text: "Ensure that the encryption provider is set to aescbc (Scored)" text: "Ensure that the encryption provider is set to aescbc (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: type: "manual"
test_items:
- flag: "requires manual intervention"
set: true
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider" choose aescbc as the encryption provider"
scored: true scored: true
- id: 1.2 - id: 1.2
text: "Scheduler" text: "Scheduler"
checks: checks:
@ -573,7 +568,13 @@ groups:
KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>" KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
scored: true scored: true
# TODO: 1.3.6 is manual, provide way to WARN - id: 1.3.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
\"--feature-gates=RotateKubeletServerCertificate=true\""
scored: false
- id: 1.3.7 - id: 1.3.7
text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
@ -717,6 +718,20 @@ groups:
chmod 700 /var/lib/etcd/default.etcd" chmod 700 /var/lib/etcd/default.etcd"
scored: true scored: true
- id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G"
tests:
test_items:
- flag: "etcd:etcd"
set: true
remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command:\n
ps -ef | grep etcd\n
Run the below command (based on the etcd data directory found above). For example,\n
chown etcd:etcd /var/lib/etcd/default.etcd"
scored: true
- id: 1.5 - id: 1.5
text: "etcd" text: "etcd"
checks: checks:
@ -859,3 +874,65 @@ groups:
remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service." etcd service."
scored: false scored: false
- id: 1.6
text: "General Security Primitives"
checks:
- id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
scored: false
- id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
suggested Pod Security Policies for your environment."
scored: false
- id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
need them."
scored: false
- id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
scored: false
- id: 1.6.5
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual"
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing \"--feature-
gates=AllAlpha=true\" argument.\n
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
parameter to \"--feature-gates=AllAlpha=true\"
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
scored: false
- id: 1.6.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers."
scored: false
- id: 1.6.7
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and setup image provenance."
scored: false
- id: 1.6.8
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
scored: false

View File

@ -285,7 +285,6 @@ groups:
\nFor example, chown root:root $proxyconf" \nFor example, chown root:root $proxyconf"
scored: true scored: true
# TODO: provide flag to WARN about manual checks.
- id: 2.2.7 - id: 2.2.7
text: "Ensure that the certificate authorities file permissions are set to text: "Ensure that the certificate authorities file permissions are set to
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
@ -298,7 +297,6 @@ groups:
\nchmod 644 <filename>" \nchmod 644 <filename>"
scored: true scored: true
# TODO: provide flag to WARN about manual checks.
- id: 2.2.8 - id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root" text: "Ensure that the client certificate authorities file ownership is set to root:root"
audit: "if test -e $ca-file; then stat -c %U:%G $ca-file; fi" audit: "if test -e $ca-file; then stat -c %U:%G $ca-file; fi"

View File

@ -61,6 +61,7 @@ type Check struct {
ID string `yaml:"id" json:"id"` ID string `yaml:"id" json:"id"`
Text string Text string
Audit string `json:"omit"` Audit string `json:"omit"`
Type string `json:"type"`
Commands []*exec.Cmd `json:"omit"` Commands []*exec.Cmd `json:"omit"`
Tests *tests `json:"omit"` Tests *tests `json:"omit"`
Set bool `json:"omit"` Set bool `json:"omit"`
@ -71,6 +72,12 @@ type Check struct {
// Run executes the audit commands specified in a check and outputs // Run executes the audit commands specified in a check and outputs
// the results. // the results.
func (c *Check) Run() { func (c *Check) Run() {
// If check type is manual, force result to WARN.
if c.Type == "manual" {
c.State = WARN
return
}
var out bytes.Buffer var out bytes.Buffer
var errmsgs string var errmsgs string