mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-22 22:58:07 +00:00
Merge branch 'master' into multiple-words
This commit is contained in:
commit
20e7f0a433
@ -599,12 +599,23 @@ groups:
|
|||||||
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
||||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
|
set: true
|
||||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||||
\nFor example, chmod 644 $apiserverconf"
|
\nFor example, chmod 644 $apiserverconf"
|
||||||
scored: true
|
scored: true
|
||||||
@ -627,12 +638,23 @@ groups:
|
|||||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
|
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
|
||||||
tests:
|
tests:
|
||||||
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
|
set: true
|
||||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||||
\nFor example, chmod 644 $config"
|
\nFor example, chmod 644 $config"
|
||||||
scored: true
|
scored: true
|
||||||
@ -655,12 +677,23 @@ groups:
|
|||||||
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
|
set: true
|
||||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||||
\nFor example, chmod 644 $schedulerconf"
|
\nFor example, chmod 644 $schedulerconf"
|
||||||
scored: true
|
scored: true
|
||||||
@ -683,12 +716,23 @@ groups:
|
|||||||
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
|
set: true
|
||||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||||
\nFor example, chmod 644 $etcdconf"
|
\nFor example, chmod 644 $etcdconf"
|
||||||
scored: true
|
scored: true
|
||||||
@ -711,12 +755,23 @@ groups:
|
|||||||
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
|
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: "644"
|
value: "644"
|
||||||
set: true
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
|
set: true
|
||||||
remediation: "Run the below command (based on the file location on your system) on the master node.
|
remediation: "Run the below command (based on the file location on your system) on the master node.
|
||||||
\nFor example, chmod 644 $flanneldconf"
|
\nFor example, chmod 644 $flanneldconf"
|
||||||
scored: true
|
scored: true
|
||||||
|
@ -223,8 +223,22 @@ groups:
|
|||||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
|
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
|
||||||
tests:
|
tests:
|
||||||
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "644"
|
||||||
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||||
\nFor example, chmod 644 $config"
|
\nFor example, chmod 644 $config"
|
||||||
@ -248,12 +262,23 @@ groups:
|
|||||||
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
compare:
|
compare:
|
||||||
op: eq
|
op: eq
|
||||||
value: 644
|
value: 644
|
||||||
set: true
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
|
set: true
|
||||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||||
\nFor example, chmod 644 $kubeletconf"
|
\nFor example, chmod 644 $kubeletconf"
|
||||||
scored: true
|
scored: true
|
||||||
@ -273,8 +298,22 @@ groups:
|
|||||||
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
|
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "644"
|
||||||
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
remediation: "Run the below command (based on the file location on your system) on the each worker node.
|
||||||
\nFor example, chmod 644 $proxyconf"
|
\nFor example, chmod 644 $proxyconf"
|
||||||
@ -296,8 +335,22 @@ groups:
|
|||||||
644 or more restrictive (Scored)"
|
644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
|
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
|
||||||
tests:
|
tests:
|
||||||
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "644"
|
- flag: "644"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "644"
|
||||||
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
set: true
|
set: true
|
||||||
remediation: "Run the following command to modify the file permissions of the --client-ca-file
|
remediation: "Run the following command to modify the file permissions of the --client-ca-file
|
||||||
\nchmod 644 <filename>"
|
\nchmod 644 <filename>"
|
||||||
|
Loading…
Reference in New Issue
Block a user