mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 16:18:07 +00:00

Merge pull request #94 from jaxxstorm/test_updates

Test fixes for 1.8
Liz Rice 2018-01-30 19:58:12 +00:00 committed by GitHub
commit 1f52a13400
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -628,7 +628,7 @@ groups:
set: true set: true
remediation: | remediation: |
Remediation: Remediation:
Edit the Scheduler pod specification file $apiserverconf Edit the Scheduler pod specification file $schedulerconf
file on the master node and set the below parameter. file on the master node and set the below parameter.
--profiling=false --profiling=false
scored: true scored: true
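Review bot: The changed remediation line now reads "pod specification file $schedulerconf" and the next line continues with "file on the master node", so the word "file" appears on both sides of the variable; drop the one that starts the continuation line. The block also carries a literal "Remediation:" line directly under the `remediation: |` key, which the Controller Manager remediation in the following hunk does not have, so removing it here would keep the rendered text consistent across checks.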
@ -644,7 +644,7 @@ groups:
- flag: "--terminated-pod-gc-threshold" - flag: "--terminated-pod-gc-threshold"
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverconf Edit the Controller Manager pod specification file $controllermanagerconf
on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example: on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example:
--terminated-pod-gc-threshold=10 --terminated-pod-gc-threshold=10
scored: true scored: true
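Review bot: `$controllermanagerconf` is described on the changed line as the Controller Manager pod specification file, but check 1.4.17 later in this same commit runs `stat -c %a $controllermanagerconf` under a title about the controller-manager.conf file. If the pod specification and controller-manager.conf are different files on the master node, one of these two uses names the wrong path. Please confirm what the variable resolves to and, if needed, use a separate variable for the pod specification; the same question applies to `$schedulerconf` in the Scheduler remediation and check 1.4.15.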
@ -978,12 +978,23 @@ groups:
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'" audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
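Review bot: The added `bin_op: or` list accepts exactly 644, 640 and 600, while the check title says "644 or more restrictive". Modes that are stricter still, such as 400, 440 or 444, would not match any of the three `op: eq` items and the check would report a failure on a file that meets the requirement. Either extend the list to cover the remaining stricter modes or compare the `stat -c %a` value in a way that rejects any permission bit outside 644 instead of enumerating accepted values.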
@ -1009,14 +1020,25 @@ groups:
- id: 1.4.15 - id: 1.4.15
text: "Ensure that the scheduler.conf file permissions are set to 644 or text: "Ensure that the scheduler.conf file permissions are set to 644 or
more restrictive (Scored)" more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf then stat -c %a $schedulerconf; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
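Review bot: The corrected audit line for 1.4.15 still passes `$schedulerconf` unquoted to both `test -e` and `stat -c %a`. If the variable ends up empty, `test -e` with no operand evaluates as true and `stat` is then run without a file, and a path containing spaces would be split into several arguments. Quoting the variable in both places inside the `sh -c` string, with the inner quotes escaped for YAML, avoids both cases.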
@ -1042,14 +1064,25 @@ groups:
- id: 1.4.17 - id: 1.4.17
text: "Ensure that the controller-manager.conf file permissions are set text: "Ensure that the controller-manager.conf file permissions are set
to 644 or more restrictive (Scored)" to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $controllermanagerconf then stat -c %a $controllermanagerconf; fi'" audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
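Review bot: Missing documentation for the absent-file case in 1.4.17: the `test -e` guard means the audit prints nothing when `$controllermanagerconf` does not exist, and all three items under `bin_op: or` are `set: true`, so as far as these lines show none of them can match on empty output. Please state whether a missing controller-manager.conf is meant to fail this check, and if it is not, add an item or a message that covers the empty result. The identical three-item block is now repeated in 1.4.13, 1.4.15 and 1.4.17, so any later change to the accepted modes has to be made in three places.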