mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 08:08:07 +00:00

fix wrong use of flag in test_items found in 4.13 and 4.14 (#1528)

* fix wrong use of flag in test_items found in 4.13 and 4.14

Fixes #1491

* fix for more benchmarks

* update integration test

* fix test
This commit is contained in:
Huang Huang 2023-12-03 15:06:35 +08:00 committed by GitHub
parent 92a18e7dfd
commit 0c553cd2f6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 13 additions and 50 deletions

View File

@ -45,8 +45,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
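Review bot: the removed item `- flag: "$proxykubeconfig"` / `set: false` could never fail, so with `bin_op: or` it had effectively disabled the permissions check above it. A `set: false` item is satisfied whenever the flag string is absent from the audit output, and the `op: bitmask` / `value: "644"` comparison beside it implies that output is a numeric mode, not a path, so the item held whether or not the file existed and whatever its mode was; under `or` that alone made 4.1.3 PASS. Removing it is the right fix. One consequence worth stating in the remediation text: when the file is absent there is now nothing for the `bitmask` item to match and the check reports WARN instead of PASS (the updated integration expectations in this change show exactly that), so a sentence saying that a WARN is also expected on nodes without a proxy kubeconfig would stop operators from trying to chmod a file that does not exist.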
@ -60,8 +58,6 @@ groups:
bin_op: or bin_op: or
test_items: test_items:
- flag: root:root - flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig
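Review bot: after the deletion `test_items` holds a single entry, so the `bin_op: or` kept in context is now a no-op; it is harmless, but dropping it would make the intent clearer and keep this ownership check in the same shape as the other single-item checks in these files. Also, the context line `Run the below command ... on the each worker node.` repeats a typo ("on each worker node") in both remediations of every benchmark file touched by this change; since these blocks are already being edited it would be cheap to fold the wording fix in here rather than in a later pass.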

View File

@ -46,8 +46,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
@ -61,8 +59,6 @@ groups:
bin_op: or bin_op: or
test_items: test_items:
- flag: root:root - flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig

View File

@ -45,8 +45,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
@ -60,8 +58,6 @@ groups:
bin_op: or bin_op: or
test_items: test_items:
- flag: root:root - flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig

View File

@ -45,8 +45,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "600" value: "600"
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
@ -60,8 +58,6 @@ groups:
bin_op: or bin_op: or
test_items: test_items:
- flag: root:root - flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig

View File

@ -45,8 +45,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "600" value: "600"
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
@ -60,8 +58,6 @@ groups:
bin_op: or bin_op: or
test_items: test_items:
- flag: root:root - flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig

View File

@ -48,8 +48,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
@ -64,8 +62,6 @@ groups:
test_items: test_items:
- flag: root:root - flag: root:root
set: true set: true
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig
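Review bot: this file's ownership check differs from the others in the change: the surviving item carries an explicit `set: true`, and `bin_op` is outside the hunk context, so please confirm the remaining single-item `test_items` list evaluates the same way as the variants that show `bin_op: or`. With one item `and` and `or` are equivalent, so the result should not change, but the asymmetry across the benchmark files is worth a look so the next edit does not have to special-case this one.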

View File

@ -45,8 +45,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "600" value: "600"
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
@ -60,8 +58,6 @@ groups:
bin_op: or bin_op: or
test_items: test_items:
- flag: root:root - flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig

View File

@ -45,8 +45,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "600" value: "600"
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
@ -60,8 +58,6 @@ groups:
bin_op: or bin_op: or
test_items: test_items:
- flag: root:root - flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig

View File

@ -47,8 +47,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
@ -62,8 +60,6 @@ groups:
bin_op: or bin_op: or
test_items: test_items:
- flag: root:root - flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig

View File

@ -46,8 +46,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
@ -61,8 +59,6 @@ groups:
bin_op: or bin_op: or
test_items: test_items:
- flag: root:root - flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig

View File

@ -48,8 +48,6 @@ groups:
compare: compare:
op: bitmask op: bitmask
value: "644" value: "644"
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, For example,
@ -63,8 +61,6 @@ groups:
bin_op: or bin_op: or
test_items: test_items:
- flag: root:root - flag: root:root
- flag: "$proxykubeconfig"
set: false
remediation: | remediation: |
Run the below command (based on the file location on your system) on the each worker node. Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root $proxykubeconfig For example, chown root:root $proxykubeconfig

View File

@ -221,8 +221,8 @@ minimum.
[INFO] 4.1 Worker Node Configuration Files [INFO] 4.1 Worker Node Configuration Files
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated) [PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated) [PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
[PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual) [WARN] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
[PASS] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual) [WARN] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
[PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated) [PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)
[PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated) [PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)
[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual) [PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)
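Review bot: 4.1.3 and 4.1.4 flipping from PASS to WARN is the intended effect of removing the always-satisfied `set: false` item, not a regression: on the test node the remaining comparison no longer has a trivially true sibling to fall back on, and a check whose title marks it Manual surfaces as WARN rather than FAIL. That reasoning deserves a line in the commit message, because a reader of this diff sees two passes turn into warnings with no explanation. It would also be worth adding a fixture in which the proxy kubeconfig exists with mode 644 and root:root ownership, so that the positive path of the corrected checks is exercised and not only the absent-file path.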
@ -245,6 +245,13 @@ minimum.
[WARN] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual) [WARN] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
== Remediations node == == Remediations node ==
4.1.3 Run the below command (based on the file location on your system) on the each worker node.
For example,
chmod 644 /etc/kubernetes/proxy.conf
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root /etc/kubernetes/proxy.conf
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true. 4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
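Review bot: the newly expected remediation lines for 4.1.3 and 4.1.4 carry the `on the each worker node` typo into the integration expectations, which locks the wording in behind a test; fixing the phrase in the benchmark YAML within this same change would avoid a second round-trip through this expected-output file. The lines also show that `$proxykubeconfig` is rendered as `/etc/kubernetes/proxy.conf` at report time, so a WARN here can mean either a wrong mode or a file that is not present on the node; the remediation text could say which case applies before telling the operator to run `chmod 644` / `chown root:root`.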
@ -287,9 +294,9 @@ systemctl restart kubelet.service
== Summary node == == Summary node ==
19 checks PASS 17 checks PASS
1 checks FAIL 1 checks FAIL
3 checks WARN 5 checks WARN
0 checks INFO 0 checks INFO
[INFO] 5 Kubernetes Policies [INFO] 5 Kubernetes Policies
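Review bot: the node summary moves exactly two checks from PASS to WARN (19 to 17, 3 to 5) with FAIL unchanged at 1, which reconciles with 4.1.3 and 4.1.4 above and nothing else in the node section; the expectations look consistent.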
@ -419,8 +426,8 @@ resources and that all new resources are created in a specific namespace.
0 checks INFO 0 checks INFO
== Summary total == == Summary total ==
69 checks PASS 67 checks PASS
11 checks FAIL 11 checks FAIL
43 checks WARN 45 checks WARN
0 checks INFO 0 checks INFO
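Review bot: the totals reconcile as well (67 PASS is 69 minus 2, 45 WARN is 43 plus 2, FAIL stays at 11), so no other section's expected output changed as a side effect of the benchmark edits.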