mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-21 23:58:06 +00:00
fix wrong use of flag in test_items found in 4.13 and 4.14 (#1528)
* fix wrong use of flag in test_items found in 4.13 and 4.14 Fixes #1491 * fix for more benchmarks * update integration test * fix test
This commit is contained in:
parent
92a18e7dfd
commit
0c553cd2f6
@ -45,8 +45,6 @@ groups:
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -60,8 +58,6 @@ groups:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -46,8 +46,6 @@ groups:
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -61,8 +59,6 @@ groups:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -45,8 +45,6 @@ groups:
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -60,8 +58,6 @@ groups:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -45,8 +45,6 @@ groups:
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "600"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -60,8 +58,6 @@ groups:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -45,8 +45,6 @@ groups:
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "600"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -60,8 +58,6 @@ groups:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -48,8 +48,6 @@ groups:
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -64,8 +62,6 @@ groups:
|
||||
test_items:
|
||||
- flag: root:root
|
||||
set: true
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -45,8 +45,6 @@ groups:
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "600"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -60,8 +58,6 @@ groups:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -45,8 +45,6 @@ groups:
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "600"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -60,8 +58,6 @@ groups:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -47,8 +47,6 @@ groups:
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -62,8 +60,6 @@ groups:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -46,8 +46,6 @@ groups:
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -61,8 +59,6 @@ groups:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -48,8 +48,6 @@ groups:
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -63,8 +61,6 @@ groups:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
19
integration/testdata/Expected_output.data
vendored
19
integration/testdata/Expected_output.data
vendored
@ -221,8 +221,8 @@ minimum.
|
||||
[INFO] 4.1 Worker Node Configuration Files
|
||||
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
|
||||
[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
|
||||
[PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
|
||||
[PASS] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
|
||||
[WARN] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
|
||||
[WARN] 4.1.4 If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
|
||||
[PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)
|
||||
[PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automated)
|
||||
[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)
|
||||
@ -245,6 +245,13 @@ minimum.
|
||||
[WARN] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
|
||||
|
||||
== Remediations node ==
|
||||
4.1.3 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
chmod 644 /etc/kubernetes/proxy.conf
|
||||
|
||||
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root /etc/kubernetes/proxy.conf
|
||||
|
||||
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
|
||||
If using command line arguments, edit the kubelet service file
|
||||
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
||||
@ -287,9 +294,9 @@ systemctl restart kubelet.service
|
||||
|
||||
|
||||
== Summary node ==
|
||||
19 checks PASS
|
||||
17 checks PASS
|
||||
1 checks FAIL
|
||||
3 checks WARN
|
||||
5 checks WARN
|
||||
0 checks INFO
|
||||
|
||||
[INFO] 5 Kubernetes Policies
|
||||
@ -419,8 +426,8 @@ resources and that all new resources are created in a specific namespace.
|
||||
0 checks INFO
|
||||
|
||||
== Summary total ==
|
||||
69 checks PASS
|
||||
67 checks PASS
|
||||
11 checks FAIL
|
||||
43 checks WARN
|
||||
45 checks WARN
|
||||
0 checks INFO
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user