1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-22 22:58:07 +00:00

Merge branch 'master' into multiple-words

This commit is contained in:
Liz Rice 2017-08-15 18:40:10 +01:00
commit 20e7f0a433
2 changed files with 108 additions and 0 deletions

View File

@ -599,12 +599,23 @@ groups:
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $apiserverconf" \nFor example, chmod 644 $apiserverconf"
scored: true scored: true
@ -627,12 +638,23 @@ groups:
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $config" \nFor example, chmod 644 $config"
scored: true scored: true
@ -655,12 +677,23 @@ groups:
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $schedulerconf" \nFor example, chmod 644 $schedulerconf"
scored: true scored: true
@ -683,12 +716,23 @@ groups:
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $etcdconf" \nFor example, chmod 644 $etcdconf"
scored: true scored: true
@ -711,12 +755,23 @@ groups:
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'" audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $flanneldconf" \nFor example, chmod 644 $flanneldconf"
scored: true scored: true

View File

@ -223,8 +223,22 @@ groups:
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node. remediation: "Run the below command (based on the file location on your system) on the each worker node.
\nFor example, chmod 644 $config" \nFor example, chmod 644 $config"
@ -248,12 +262,23 @@ groups:
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: 644 value: 644
set: true set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node. remediation: "Run the below command (based on the file location on your system) on the each worker node.
\nFor example, chmod 644 $kubeletconf" \nFor example, chmod 644 $kubeletconf"
scored: true scored: true
@ -273,8 +298,22 @@ groups:
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node. remediation: "Run the below command (based on the file location on your system) on the each worker node.
\nFor example, chmod 644 $proxyconf" \nFor example, chmod 644 $proxyconf"
@ -296,8 +335,22 @@ groups:
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'" audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true set: true
remediation: "Run the following command to modify the file permissions of the --client-ca-file remediation: "Run the following command to modify the file permissions of the --client-ca-file
\nchmod 644 <filename>" \nchmod 644 <filename>"