fixes-according-kube-cis1.4.1 (#376)

* Update master.yaml * Update node.yaml Fix 2.1.11 - got DEPRECATED 2.1.14 changed to be a set of options, would be fixed by https://github.com/aquasecurity/kube-bench/pull/367 * Update master.yaml * Update node.yaml change 2.1.11 Title, and state to not scored
5 years ago · 22b971a633
parent 0422368615
commit 22b971a633
2 changed files with 11 additions and 9 deletions
--- a/cfg/1.13/master.yaml
+++ b/cfg/1.13/master.yaml
@ -186,8 +186,9 @@ groups:
    scored: true

  - id: 1.1.12
-    text: "Ensure that the admission control plugin DenyEscalatingExec is set (Scored)"
+    text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
    audit: "ps -ef | grep $apiserverbin | grep -v grep"
+    type: skip
    tests:
      test_items:
      - flag: "--enable-admission-plugins"
@ -200,7 +201,7 @@ groups:
      on the master node and set the --enable-admission-plugins parameter to a
      value that includes DenyEscalatingExec.
      --enable-admission-plugins=...,DenyEscalatingExec,...
-    scored: true
+    scored: false

  - id: 1.1.13
    text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)"
@ -559,19 +560,19 @@ groups:
    scored: true

  - id: 1.1.34
-    text: "Ensure that the --experimental-encryption-provider-config argument is
-    set as appropriate (Scored)"
+    text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
    audit: "ps -ef | grep $apiserverbin | grep -v grep"
+    type: "manual"
    tests:
      test_items:
-      - flag: "--experimental-encryption-provider-config"
+      - flag: "--encryption-provider-config"
        set: true
    remediation: |
      Follow the Kubernetes documentation and configure a EncryptionConfig file.
      Then, edit the API server pod specification file $apiserverconf on the
-      master node and set the --experimental-encryption-provider-config parameter
+      master node and set the --encryption-provider-config parameter
      to the path of that file:
-      --experimental-encryption-provider-config=</path/to/EncryptionConfig/File>
+      --encryption-provider-config=</path/to/EncryptionConfig/File>
    scored: true

  - id: 1.1.35
--- a/cfg/1.13/node.yaml
+++ b/cfg/1.13/node.yaml
@ -220,8 +220,9 @@ groups:
    scored: true

  - id: 2.1.11
-    text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
+    text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
    audit: "ps -fC $kubeletbin"
+    type: skip
    tests:
      bin_op: or
      test_items:
@ -239,7 +240,7 @@ groups:
      Based on your system, restart the kubelet service. For example:
      systemctl daemon-reload
      systemctl restart kubelet.service
-    scored: true
+    scored: false

  - id: 2.1.12
    text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"