arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-01-13 17:21:03 +00:00
Code Issues Releases Wiki Activity

Fixes issue #501: specifying absolute path for both ps and cat (#508)

Browse Source 
* fixes issue #501

* specify abolute path for ps and cat
This commit is contained in:
Roberto Rojas 2019-11-01 09:10:52 -04:00 committed by Liz Rice
parent 91bd47f296
commit 13fe1cdfb8
5 changed files with 168 additions and 168 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
cfg/1.11/master.yaml
View File

@ -10,7 +10,7 @@ groups:
checks: checks:
- id: 1.1.1 - id: 1.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--anonymous-auth" - flag: "--anonymous-auth"
@ -26,7 +26,7 @@ groups:
- id: 1.1.2 - id: 1.1.2
text: "Ensure that the --basic-auth-file argument is not set (Scored)" text: "Ensure that the --basic-auth-file argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--basic-auth-file" - flag: "--basic-auth-file"
@ -40,7 +40,7 @@ groups:
- id: 1.1.3 - id: 1.1.3
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)" text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--insecure-allow-any-token" - flag: "--insecure-allow-any-token"
@ -53,7 +53,7 @@ groups:
- id: 1.1.4 - id: 1.1.4
text: "Ensure that the --kubelet-https argument is set to true (Scored)" text: "Ensure that the --kubelet-https argument is set to true (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -71,7 +71,7 @@ groups:
- id: 1.1.5 - id: 1.1.5
text: "Ensure that the --insecure-bind-address argument is not set (Scored)" text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--insecure-bind-address" - flag: "--insecure-bind-address"
@ -84,7 +84,7 @@ groups:
- id: 1.1.6 - id: 1.1.6
text: "Ensure that the --insecure-port argument is set to 0 (Scored)" text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--insecure-port" - flag: "--insecure-port"
@ -100,7 +100,7 @@ groups:
- id: 1.1.7 - id: 1.1.7
text: "Ensure that the --secure-port argument is not set to 0 (Scored)" text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -119,7 +119,7 @@ groups:
- id: 1.1.8 - id: 1.1.8
text: "Ensure that the --profiling argument is set to false (Scored)" text: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--profiling" - flag: "--profiling"
@ -135,7 +135,7 @@ groups:
- id: 1.1.9 - id: 1.1.9
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--repair-malformed-updates" - flag: "--repair-malformed-updates"
@ -151,7 +151,7 @@ groups:
- id: 1.1.10 - id: 1.1.10
text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)" text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -170,7 +170,7 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the admission control plugin AlwaysPullImages is set (Scored)" text: "Ensure that the admission control plugin AlwaysPullImages is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -187,7 +187,7 @@ groups:
- id: 1.1.12 - id: 1.1.12
text: "Ensure that the admission control plugin DenyEscalatingExec is set (Scored)" text: "Ensure that the admission control plugin DenyEscalatingExec is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -204,7 +204,7 @@ groups:
- id: 1.1.13 - id: 1.1.13
text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)" text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -221,7 +221,7 @@ groups:
- id: 1.1.14 - id: 1.1.14
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)" text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -241,7 +241,7 @@ groups:
- id: 1.1.15 - id: 1.1.15
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--audit-log-path" - flag: "--audit-log-path"
@ -255,7 +255,7 @@ groups:
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--audit-log-maxage" - flag: "--audit-log-maxage"
@ -271,7 +271,7 @@ groups:
- id: 1.1.17 - id: 1.1.17
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--audit-log-maxbackup" - flag: "--audit-log-maxbackup"
@ -288,7 +288,7 @@ groups:
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--audit-log-maxsize" - flag: "--audit-log-maxsize"
@ -305,7 +305,7 @@ groups:
- id: 1.1.19 - id: 1.1.19
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: "--authorization-mode"
@ -322,7 +322,7 @@ groups:
- id: 1.1.20 - id: 1.1.20
text: "Ensure that the --token-auth-file parameter is not set (Scored)" text: "Ensure that the --token-auth-file parameter is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--token-auth-file" - flag: "--token-auth-file"
@ -336,7 +336,7 @@ groups:
- id: 1.1.21 - id: 1.1.21
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--kubelet-certificate-authority" - flag: "--kubelet-certificate-authority"
@ -351,7 +351,7 @@ groups:
- id: 1.1.22 - id: 1.1.22
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -370,7 +370,7 @@ groups:
- id: 1.1.23 - id: 1.1.23
text: "Ensure that the --service-account-lookup argument is set to true (Scored)" text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--service-account-lookup" - flag: "--service-account-lookup"
@ -386,7 +386,7 @@ groups:
- id: 1.1.24 - id: 1.1.24
text: "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)" text: "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -405,7 +405,7 @@ groups:
- id: 1.1.25 - id: 1.1.25
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--service-account-key-file" - flag: "--service-account-key-file"
@ -420,7 +420,7 @@ groups:
- id: 1.1.26 - id: 1.1.26
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
appropriate (Scored)" appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -439,7 +439,7 @@ groups:
- id: 1.1.27 - id: 1.1.27
text: "Ensure that the admission control plugin ServiceAccount is set(Scored)" text: "Ensure that the admission control plugin ServiceAccount is set(Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -461,7 +461,7 @@ groups:
- id: 1.1.28 - id: 1.1.28
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
as appropriate (Scored)" as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -480,7 +480,7 @@ groups:
- id: 1.1.29 - id: 1.1.29
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--client-ca-file" - flag: "--client-ca-file"
@ -494,7 +494,7 @@ groups:
- id: 1.1.30 - id: 1.1.30
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)" text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--tls-cipher-suites" - flag: "--tls-cipher-suites"
@ -510,7 +510,7 @@ groups:
- id: 1.1.31 - id: 1.1.31
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--etcd-cafile" - flag: "--etcd-cafile"
@ -525,7 +525,7 @@ groups:
- id: 1.1.32 - id: 1.1.32
text: "Ensure that the --authorization-mode argument is set to Node (Scored)" text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: "--authorization-mode"
@ -542,7 +542,7 @@ groups:
- id: 1.1.33 - id: 1.1.33
text: "Ensure that the admission control plugin NodeRestriction is set (Scored)" text: "Ensure that the admission control plugin NodeRestriction is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -561,7 +561,7 @@ groups:
- id: 1.1.34 - id: 1.1.34
text: "Ensure that the --experimental-encryption-provider-config argument is text: "Ensure that the --experimental-encryption-provider-config argument is
set as appropriate (Scored)" set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--experimental-encryption-provider-config" - flag: "--experimental-encryption-provider-config"
@ -576,7 +576,7 @@ groups:
- id: 1.1.35 - id: 1.1.35
text: "Ensure that the encryption provider is set to aescbc (Scored)" text: "Ensure that the encryption provider is set to aescbc (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test] [Manual test]
@ -597,7 +597,7 @@ groups:
- id: 1.1.36 - id: 1.1.36
text: "Ensure that the admission control plugin EventRateLimit is set (Scored)" text: "Ensure that the admission control plugin EventRateLimit is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -615,7 +615,7 @@ groups:
- id: 1.1.37a - id: 1.1.37a
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)" text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -635,7 +635,7 @@ groups:
- id: 1.1.37b - id: 1.1.37b
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)" text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--audit-policy-file" - flag: "--audit-policy-file"
@ -652,7 +652,7 @@ groups:
- id: 1.1.38 - id: 1.1.38
text: "Ensure that the --request-timeout argument is set as appropriate (Scored)" text: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -668,7 +668,7 @@ groups:
- id: 1.1.39 - id: 1.1.39
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers ( Not Scored)" text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers ( Not Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--tls-cipher-suites" - flag: "--tls-cipher-suites"
@ -687,7 +687,7 @@ groups:
checks: checks:
- id: 1.2.1 - id: 1.2.1
text: "Ensure that the --profiling argument is set to false (Scored)" text: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $schedulerbin | grep -v grep" audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--profiling" - flag: "--profiling"
@ -703,7 +703,7 @@ groups:
- id: 1.2.2 - id: 1.2.2
text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)" text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
audit: "ps -ef | grep $schedulerbin | grep -v grep" audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -725,7 +725,7 @@ groups:
checks: checks:
- id: 1.3.1 - id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--terminated-pod-gc-threshold" - flag: "--terminated-pod-gc-threshold"
@ -738,7 +738,7 @@ groups:
- id: 1.3.2 - id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Scored)" text: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--profiling" - flag: "--profiling"
@ -754,7 +754,7 @@ groups:
- id: 1.3.3 - id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set to true (Scored)" text: "Ensure that the --use-service-account-credentials argument is set to true (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--use-service-account-credentials" - flag: "--use-service-account-credentials"
@ -770,7 +770,7 @@ groups:
- id: 1.3.4 - id: 1.3.4
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--service-account-private-key-file" - flag: "--service-account-private-key-file"
@ -784,7 +784,7 @@ groups:
- id: 1.3.5 - id: 1.3.5
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--root-ca-file" - flag: "--root-ca-file"
@ -798,7 +798,7 @@ groups:
- id: 1.3.6 - id: 1.3.6
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--feature-gates" - flag: "--feature-gates"
@ -815,7 +815,7 @@ groups:
- id: 1.3.7 - id: 1.3.7
text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)" text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -1205,7 +1205,7 @@ groups:
checks: checks:
- id: 1.5.1 - id: 1.5.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--cert-file" - flag: "--cert-file"
@ -1222,7 +1222,7 @@ groups:
- id: 1.5.2 - id: 1.5.2
text: "Ensure that the --client-cert-auth argument is set to true (Scored)" text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--client-cert-auth" - flag: "--client-cert-auth"
@ -1238,7 +1238,7 @@ groups:
- id: 1.5.3 - id: 1.5.3
text: "Ensure that the --auto-tls argument is not set to true (Scored)" text: "Ensure that the --auto-tls argument is not set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -1257,7 +1257,7 @@ groups:
- id: 1.5.4 - id: 1.5.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
set as appropriate (Scored)" set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -1275,7 +1275,7 @@ groups:
- id: 1.5.5 - id: 1.5.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--peer-client-cert-auth" - flag: "--peer-client-cert-auth"
@ -1291,7 +1291,7 @@ groups:
- id: 1.5.6 - id: 1.5.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -1310,7 +1310,7 @@ groups:
- id: 1.5.7 - id: 1.5.7
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
type: "manual" type: "manual"
tests: tests:
test_items: test_items:

58
cfg/1.11/node.yaml
View File

@ -10,7 +10,7 @@ groups:
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: Ensure that the --allow-privileged argument is set to false (Scored) text: Ensure that the --allow-privileged argument is set to false (Scored)
audit: "ps -fC $kubeletbin " audit: "/bin/ps -fC $kubeletbin "
tests: tests:
test_items: test_items:
- flag: --allow-privileged - flag: --allow-privileged
@ -29,8 +29,8 @@ groups:
- id: 2.1.2 - id: 2.1.2
text: Ensure that the --anonymous-auth argument is set to false (Scored) text: Ensure that the --anonymous-auth argument is set to false (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --anonymous-auth - flag: --anonymous-auth
@ -53,8 +53,8 @@ groups:
- id: 2.1.3 - id: 2.1.3
text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --authorization-mode - flag: --authorization-mode
@ -76,8 +76,8 @@ groups:
- id: 2.1.4 - id: 2.1.4
text: Ensure that the --client-ca-file argument is set as appropriate (Scored) text: Ensure that the --client-ca-file argument is set as appropriate (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --client-ca-file - flag: --client-ca-file
@ -97,8 +97,8 @@ groups:
- id: 2.1.5 - id: 2.1.5
text: Ensure that the --read-only-port argument is set to 0 (Scored) text: Ensure that the --read-only-port argument is set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --read-only-port - flag: --read-only-port
@ -120,8 +120,8 @@ groups:
- id: 2.1.6 - id: 2.1.6
text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --streaming-connection-idle-timeout - flag: --streaming-connection-idle-timeout
@ -148,8 +148,8 @@ groups:
- id: 2.1.7 - id: 2.1.7
text: Ensure that the --protect-kernel-defaults argument is set to true (Scored) text: Ensure that the --protect-kernel-defaults argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --protect-kernel-defaults - flag: --protect-kernel-defaults
@ -171,8 +171,8 @@ groups:
- id: 2.1.8 - id: 2.1.8
text: Ensure that the --make-iptables-util-chains argument is set to true (Scored) text: Ensure that the --make-iptables-util-chains argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --make-iptables-util-chains - flag: --make-iptables-util-chains
@ -198,8 +198,8 @@ groups:
- id: 2.1.9 - id: 2.1.9
text: Ensure that the --hostname-override argument is not set (Scored) text: Ensure that the --hostname-override argument is not set (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --hostname-override - flag: --hostname-override
@ -216,8 +216,8 @@ groups:
- id: 2.1.10 - id: 2.1.10
text: Ensure that the --event-qps argument is set to 0 (Scored) text: Ensure that the --event-qps argument is set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --event-qps - flag: --event-qps
@ -239,8 +239,8 @@ groups:
- id: 2.1.11 - id: 2.1.11
text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --tls-cert-file - flag: --tls-cert-file
@ -266,8 +266,8 @@ groups:
- id: 2.1.12 - id: 2.1.12
text: Ensure that the --cadvisor-port argument is set to 0 (Scored) text: Ensure that the --cadvisor-port argument is set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --cadvisor-port - flag: --cadvisor-port
@ -291,8 +291,8 @@ groups:
- id: 2.1.13 - id: 2.1.13
text: Ensure that the --rotate-certificates argument is not set to false (Scored) text: Ensure that the --rotate-certificates argument is not set to false (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --rotate-certificates - flag: --rotate-certificates
@ -316,8 +316,8 @@ groups:
- id: 2.1.14 - id: 2.1.14
text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: RotateKubeletServerCertificate - flag: RotateKubeletServerCertificate
@ -337,8 +337,8 @@ groups:
- id: 2.1.15 - id: 2.1.15
text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored) text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --tls-cipher-suites - flag: --tls-cipher-suites

112
cfg/1.13/master.yaml
View File

@ -10,7 +10,7 @@ groups:
checks: checks:
- id: 1.1.1 - id: 1.1.1
text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)" text: "Ensure that the --anonymous-auth argument is set to false (Not Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--anonymous-auth" - flag: "--anonymous-auth"
@ -26,7 +26,7 @@ groups:
- id: 1.1.2 - id: 1.1.2
text: "Ensure that the --basic-auth-file argument is not set (Scored)" text: "Ensure that the --basic-auth-file argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--basic-auth-file" - flag: "--basic-auth-file"
@ -40,7 +40,7 @@ groups:
- id: 1.1.3 - id: 1.1.3
text: "Ensure that the --insecure-allow-any-token argument is not set (Not Scored)" text: "Ensure that the --insecure-allow-any-token argument is not set (Not Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--insecure-allow-any-token" - flag: "--insecure-allow-any-token"
@ -53,7 +53,7 @@ groups:
- id: 1.1.4 - id: 1.1.4
text: "Ensure that the --kubelet-https argument is set to true (Scored)" text: "Ensure that the --kubelet-https argument is set to true (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -71,7 +71,7 @@ groups:
- id: 1.1.5 - id: 1.1.5
text: "Ensure that the --insecure-bind-address argument is not set (Scored)" text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--insecure-bind-address" - flag: "--insecure-bind-address"
@ -84,7 +84,7 @@ groups:
- id: 1.1.6 - id: 1.1.6
text: "Ensure that the --insecure-port argument is set to 0 (Scored)" text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--insecure-port" - flag: "--insecure-port"
@ -100,7 +100,7 @@ groups:
- id: 1.1.7 - id: 1.1.7
text: "Ensure that the --secure-port argument is not set to 0 (Scored)" text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -119,7 +119,7 @@ groups:
- id: 1.1.8 - id: 1.1.8
text: "Ensure that the --profiling argument is set to false (Scored)" text: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--profiling" - flag: "--profiling"
@ -135,7 +135,7 @@ groups:
- id: 1.1.9 - id: 1.1.9
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)" text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--repair-malformed-updates" - flag: "--repair-malformed-updates"
@ -151,7 +151,7 @@ groups:
- id: 1.1.10 - id: 1.1.10
text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)" text: "Ensure that the admission control plugin AlwaysAdmit is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -170,7 +170,7 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the admission control plugin AlwaysPullImages is set (Scored)" text: "Ensure that the admission control plugin AlwaysPullImages is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -187,7 +187,7 @@ groups:
- id: 1.1.12 - id: 1.1.12
text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)" text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
type: "skip" type: "skip"
tests: tests:
test_items: test_items:
@ -205,7 +205,7 @@ groups:
- id: 1.1.13 - id: 1.1.13
text: "Ensure that the admission control plugin SecurityContextDeny is set (Not Scored)" text: "Ensure that the admission control plugin SecurityContextDeny is set (Not Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -222,7 +222,7 @@ groups:
- id: 1.1.14 - id: 1.1.14
text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)" text: "Ensure that the admission control plugin NamespaceLifecycle is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -242,7 +242,7 @@ groups:
- id: 1.1.15 - id: 1.1.15
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)" text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--audit-log-path" - flag: "--audit-log-path"
@ -256,7 +256,7 @@ groups:
- id: 1.1.16 - id: 1.1.16
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)" text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--audit-log-maxage" - flag: "--audit-log-maxage"
@ -272,7 +272,7 @@ groups:
- id: 1.1.17 - id: 1.1.17
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)" text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--audit-log-maxbackup" - flag: "--audit-log-maxbackup"
@ -289,7 +289,7 @@ groups:
- id: 1.1.18 - id: 1.1.18
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)" text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--audit-log-maxsize" - flag: "--audit-log-maxsize"
@ -306,7 +306,7 @@ groups:
- id: 1.1.19 - id: 1.1.19
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: "--authorization-mode"
@ -323,7 +323,7 @@ groups:
- id: 1.1.20 - id: 1.1.20
text: "Ensure that the --token-auth-file parameter is not set (Scored)" text: "Ensure that the --token-auth-file parameter is not set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--token-auth-file" - flag: "--token-auth-file"
@ -337,7 +337,7 @@ groups:
- id: 1.1.21 - id: 1.1.21
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)" text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--kubelet-certificate-authority" - flag: "--kubelet-certificate-authority"
@ -352,7 +352,7 @@ groups:
- id: 1.1.22 - id: 1.1.22
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)" text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -371,7 +371,7 @@ groups:
- id: 1.1.23 - id: 1.1.23
text: "Ensure that the --service-account-lookup argument is set to true (Scored)" text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -390,7 +390,7 @@ groups:
- id: 1.1.24 - id: 1.1.24
text: "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)" text: "Ensure that the admission control plugin PodSecurityPolicy is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -409,7 +409,7 @@ groups:
- id: 1.1.25 - id: 1.1.25
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)" text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--service-account-key-file" - flag: "--service-account-key-file"
@ -424,7 +424,7 @@ groups:
- id: 1.1.26 - id: 1.1.26
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
appropriate (Scored)" appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -443,7 +443,7 @@ groups:
- id: 1.1.27 - id: 1.1.27
text: "Ensure that the admission control plugin ServiceAccount is set(Scored)" text: "Ensure that the admission control plugin ServiceAccount is set(Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -465,7 +465,7 @@ groups:
- id: 1.1.28 - id: 1.1.28
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
as appropriate (Scored)" as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -484,7 +484,7 @@ groups:
- id: 1.1.29 - id: 1.1.29
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--client-ca-file" - flag: "--client-ca-file"
@ -498,7 +498,7 @@ groups:
- id: 1.1.30 - id: 1.1.30
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)" text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--tls-cipher-suites" - flag: "--tls-cipher-suites"
@ -514,7 +514,7 @@ groups:
- id: 1.1.31 - id: 1.1.31
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)" text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--etcd-cafile" - flag: "--etcd-cafile"
@ -529,7 +529,7 @@ groups:
- id: 1.1.32 - id: 1.1.32
text: "Ensure that the --authorization-mode argument is set to Node (Scored)" text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: "--authorization-mode"
@ -546,7 +546,7 @@ groups:
- id: 1.1.33 - id: 1.1.33
text: "Ensure that the admission control plugin NodeRestriction is set (Scored)" text: "Ensure that the admission control plugin NodeRestriction is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -564,7 +564,7 @@ groups:
- id: 1.1.34 - id: 1.1.34
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)" text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
tests: tests:
test_items: test_items:
@ -581,7 +581,7 @@ groups:
- id: 1.1.35 - id: 1.1.35
text: "Ensure that the encryption provider is set to aescbc (Scored)" text: "Ensure that the encryption provider is set to aescbc (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test] [Manual test]
@ -602,7 +602,7 @@ groups:
- id: 1.1.36 - id: 1.1.36
text: "Ensure that the admission control plugin EventRateLimit is set (Scored)" text: "Ensure that the admission control plugin EventRateLimit is set (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -620,7 +620,7 @@ groups:
- id: 1.1.37a - id: 1.1.37a
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)" text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -640,7 +640,7 @@ groups:
- id: 1.1.37b - id: 1.1.37b
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)" text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--audit-policy-file" - flag: "--audit-policy-file"
@ -657,7 +657,7 @@ groups:
- id: 1.1.38 - id: 1.1.38
text: "Ensure that the --request-timeout argument is set as appropriate (Scored)" text: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -673,7 +673,7 @@ groups:
- id: 1.1.39 - id: 1.1.39
text: "Ensure that the --authorization-mode argument includes RBAC (Scored)" text: "Ensure that the --authorization-mode argument includes RBAC (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: "--authorization-mode"
@ -690,7 +690,7 @@ groups:
checks: checks:
- id: 1.2.1 - id: 1.2.1
text: "Ensure that the --profiling argument is set to false (Scored)" text: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $schedulerbin | grep -v grep" audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--profiling" - flag: "--profiling"
@ -706,7 +706,7 @@ groups:
- id: 1.2.2 - id: 1.2.2
text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)" text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
audit: "ps -ef | grep $schedulerbin | grep -v grep" audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -728,7 +728,7 @@ groups:
checks: checks:
- id: 1.3.1 - id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--terminated-pod-gc-threshold" - flag: "--terminated-pod-gc-threshold"
@ -741,7 +741,7 @@ groups:
- id: 1.3.2 - id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Scored)" text: "Ensure that the --profiling argument is set to false (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--profiling" - flag: "--profiling"
@ -757,7 +757,7 @@ groups:
- id: 1.3.3 - id: 1.3.3
text: "Ensure that the --use-service-account-credentials argument is set to true (Scored)" text: "Ensure that the --use-service-account-credentials argument is set to true (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--use-service-account-credentials" - flag: "--use-service-account-credentials"
@ -773,7 +773,7 @@ groups:
- id: 1.3.4 - id: 1.3.4
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)" text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--service-account-private-key-file" - flag: "--service-account-private-key-file"
@ -787,7 +787,7 @@ groups:
- id: 1.3.5 - id: 1.3.5
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)" text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--root-ca-file" - flag: "--root-ca-file"
@ -801,7 +801,7 @@ groups:
- id: 1.3.6 - id: 1.3.6
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--feature-gates" - flag: "--feature-gates"
@ -818,7 +818,7 @@ groups:
- id: 1.3.7 - id: 1.3.7
text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)" text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -1270,7 +1270,7 @@ groups:
checks: checks:
- id: 1.5.1 - id: 1.5.1
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)" text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--cert-file" - flag: "--cert-file"
@ -1287,7 +1287,7 @@ groups:
- id: 1.5.2 - id: 1.5.2
text: "Ensure that the --client-cert-auth argument is set to true (Scored)" text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--client-cert-auth" - flag: "--client-cert-auth"
@ -1303,7 +1303,7 @@ groups:
- id: 1.5.3 - id: 1.5.3
text: "Ensure that the --auto-tls argument is not set to true (Scored)" text: "Ensure that the --auto-tls argument is not set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -1322,7 +1322,7 @@ groups:
- id: 1.5.4 - id: 1.5.4
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
set as appropriate (Scored)" set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -1340,7 +1340,7 @@ groups:
- id: 1.5.5 - id: 1.5.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--peer-client-cert-auth" - flag: "--peer-client-cert-auth"
@ -1356,7 +1356,7 @@ groups:
- id: 1.5.6 - id: 1.5.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -1375,7 +1375,7 @@ groups:
- id: 1.5.7 - id: 1.5.7
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "/bin/ps -ef | grep $etcdbin | grep -v grep"
type: "manual" type: "manual"
tests: tests:
test_items: test_items:

52
cfg/1.13/node.yaml
View File

@ -10,8 +10,8 @@ groups:
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: Ensure that the --anonymous-auth argument is set to false (Scored) text: Ensure that the --anonymous-auth argument is set to false (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--anonymous-auth" - flag: "--anonymous-auth"
@ -34,8 +34,8 @@ groups:
- id: 2.1.2 - id: 2.1.2
text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) text: Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --authorization-mode - flag: --authorization-mode
@ -57,8 +57,8 @@ groups:
- id: 2.1.3 - id: 2.1.3
text: Ensure that the --client-ca-file argument is set as appropriate (Scored) text: Ensure that the --client-ca-file argument is set as appropriate (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --client-ca-file - flag: --client-ca-file
@ -78,8 +78,8 @@ groups:
- id: 2.1.4 - id: 2.1.4
text: Ensure that the --read-only-port argument is set to 0 (Scored) text: Ensure that the --read-only-port argument is set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: "--read-only-port" - flag: "--read-only-port"
@ -101,8 +101,8 @@ groups:
- id: 2.1.5 - id: 2.1.5
text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) text: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --streaming-connection-idle-timeout - flag: --streaming-connection-idle-timeout
@ -129,8 +129,8 @@ groups:
- id: 2.1.6 - id: 2.1.6
text: Ensure that the --protect-kernel-defaults argument is set to true (Scored) text: Ensure that the --protect-kernel-defaults argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --protect-kernel-defaults - flag: --protect-kernel-defaults
@ -152,8 +152,8 @@ groups:
- id: 2.1.7 - id: 2.1.7
text: Ensure that the --make-iptables-util-chains argument is set to true (Scored) text: Ensure that the --make-iptables-util-chains argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --make-iptables-util-chains - flag: --make-iptables-util-chains
@ -182,7 +182,7 @@ groups:
# This is one of those properties that can only be set as a command line argument. # This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command # To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file. # instead reading the Kubelet Configuration file.
audit: "ps -fC $kubeletbin " audit: "/bin/ps -fC $kubeletbin "
tests: tests:
test_items: test_items:
- flag: --hostname-override - flag: --hostname-override
@ -198,8 +198,8 @@ groups:
- id: 2.1.9 - id: 2.1.9
text: Ensure that the --event-qps argument is set to 0 (Scored) text: Ensure that the --event-qps argument is set to 0 (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --event-qps - flag: --event-qps
@ -221,8 +221,8 @@ groups:
- id: 2.1.10 - id: 2.1.10
text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) text: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --tls-cert-file - flag: --tls-cert-file
@ -251,7 +251,7 @@ groups:
# This is one of those properties that can only be set as a command line argument. # This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command # To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file. # instead reading the Kubelet Configuration file.
audit: "ps -fC $kubeletbin " audit: "/bin/ps -fC $kubeletbin "
type: skip type: skip
tests: tests:
test_items: test_items:
@ -274,8 +274,8 @@ groups:
- id: 2.1.12 - id: 2.1.12
text: Ensure that the --rotate-certificates argument is not set to false (Scored) text: Ensure that the --rotate-certificates argument is not set to false (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --rotate-certificates - flag: --rotate-certificates
@ -299,8 +299,8 @@ groups:
- id: 2.1.13 - id: 2.1.13
text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) text: Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: RotateKubeletServerCertificate - flag: RotateKubeletServerCertificate
@ -320,8 +320,8 @@ groups:
- id: 2.1.14 - id: 2.1.14
text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored) text: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
audit: "ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:
test_items: test_items:
- flag: --tls-cipher-suites - flag: --tls-cipher-suites

2
cmd/util.go
View File

@ -78,7 +78,7 @@ func cleanIDs(list string) map[string]bool {
func ps(proc string) string { func ps(proc string) string {
// TODO: truncate proc to 15 chars // TODO: truncate proc to 15 chars
// See https://github.com/aquasecurity/kube-bench/issues/328#issuecomment-506813344 // See https://github.com/aquasecurity/kube-bench/issues/328#issuecomment-506813344
cmd := exec.Command("ps", "-C", proc, "-o", "cmd", "--no-headers") cmd := exec.Command("/bin/ps", "-C", proc, "-o", "cmd", "--no-headers")
out, err := cmd.Output() out, err := cmd.Output()
if err != nil { if err != nil {
continueWithError(fmt.Errorf("%s: %s", cmd.Args, err), "") continueWithError(fmt.Errorf("%s: %s", cmd.Args, err), "")