From 22b971a633ff3045e1163c222161bc65183ec619 Mon Sep 17 00:00:00 2001
From: yoavrotems
Date: Tue, 6 Aug 2019 13:19:29 +0000
Subject: [PATCH] fixes-according-kube-cis1.4.1 (#376)
* Update master.yaml
* Update node.yaml
Fix 2.1.11 - got DEPRECATED 2.1.14 changed to be a set of options, would be fixed by https://github.com/aquasecurity/kube-bench/pull/367
* Update master.yaml
* Update node.yaml
change 2.1.11 Title, and state to not scored
---
cfg/1.13/master.yaml | 15 ++++++++-------
cfg/1.13/node.yaml | 5 +++--
2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/cfg/1.13/master.yaml b/cfg/1.13/master.yaml
index ea7b974..13ee16e 100644
--- a/cfg/1.13/master.yaml
+++ b/cfg/1.13/master.yaml
@@ -186,8 +186,9 @@ groups:
 scored: true

 - id: 1.1.12
- text: "Ensure that the admission control plugin DenyEscalatingExec is set (Scored)"
+ text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ type: skip
 tests:
 test_items:
 - flag: "--enable-admission-plugins"
@@ -200,7 +201,7 @@ groups:
 on the master node and set the --enable-admission-plugins parameter to a
 value that includes DenyEscalatingExec.
 --enable-admission-plugins=...,DenyEscalatingExec,...
- scored: true
+ scored: false

 - id: 1.1.13
 text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)"
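Review bot: The `type: skip` added to 1.1.12 leaves the `audit` line, the `--enable-admission-plugins` test item and the remediation stanza in place as dead configuration, with nothing recording why the check was disabled; a comment above the check, `# DenyEscalatingExec is deprecated in Kubernetes 1.13; CIS 1.4.1 lists 1.1.12 as Not Scored, so it is skipped rather than removed to keep the numbering aligned`, would stop the next maintainer from re-enabling it. Skipping also means a 1.13 cluster gets no signal at all about the exec/attach-into-privileged-pods restriction this plugin provided, so the remediation in the following hunk, which still tells operators to enable DenyEscalatingExec, should instead name the replacement the deprecation notice points to (presumably PodSecurityPolicy — confirm against the 1.13 release notes). The 1.1.12 check definition continues past the end of this hunk.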
@@ -559,19 +560,19 @@ groups:
 scored: true

 - id: 1.1.34
- text: "Ensure that the --experimental-encryption-provider-config argument is
- set as appropriate (Scored)"
+ text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
 audit: "ps -ef | grep $apiserverbin | grep -v grep"
+ type: "manual"
 tests:
 test_items:
- - flag: "--experimental-encryption-provider-config"
+ - flag: "--encryption-provider-config"
 set: true
 remediation: |
 Follow the Kubernetes documentation and configure a EncryptionConfig file.
 Then, edit the API server pod specification file $apiserverconf on the
- master node and set the --experimental-encryption-provider-config parameter
+ master node and set the --encryption-provider-config parameter
 to the path of that file:
- --experimental-encryption-provider-config=
+ --encryption-provider-config=
 scored: true

 - id: 1.1.35
diff --git a/cfg/1.13/node.yaml b/cfg/1.13/node.yaml
index 8cc7b3f..afc1657 100644
--- a/cfg/1.13/node.yaml
+++ b/cfg/1.13/node.yaml
@@ -220,8 +220,9 @@ groups:
 scored: true

 - id: 2.1.11
- text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
+ text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
 audit: "ps -fC $kubeletbin"
+ type: skip
 tests:
 bin_op: or
 test_items:
@@ -239,7 +240,7 @@ groups:
 Based on your system, restart the kubelet service. For example:
 systemctl daemon-reload
 systemctl restart kubelet.service
- scored: true
+ scored: false

 - id: 2.1.12
 text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
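Review bot: Adding `type: "manual"` to 1.1.34 turns a fully automatable check into one that is no longer evaluated, so a 1.13 API server started without any encryption-provider-config will stop producing a FAIL even though `scored: true` is kept and the `--encryption-provider-config` test item is left in place unused (assuming `manual` bypasses `test_items` the way `skip` does — confirm against the check runner). The motivation looks like the flag rename: in 1.13 the old `--experimental-encryption-provider-config` spelling is deprecated but, to my knowledge, still accepted (verify in the 1.13 release notes), so accepting either spelling with `bin_op: or`, exactly as node.yaml 2.1.11 does further down in this patch, keeps encryption-at-rest coverage automated without false failures on clusters that have not yet renamed the flag; the `type: "manual"` line would then be dropped. Separately, `type: "manual"` is quoted here while `type: skip` is unquoted in the other two hunks; both are plain strings, so use one form file-wide.
```yaml
      tests:
        bin_op: or
        test_items:
          - flag: "--encryption-provider-config"
            set: true
          - flag: "--experimental-encryption-provider-config"
            set: true
```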
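Review bot: The `type: skip` added to 2.1.11 leaves `audit: "ps -fC $kubeletbin"`, the `bin_op: or` test items and the kubelet-restart remediation as dead configuration with no record of why; a comment above the check such as `# --cadvisor-port was deprecated in kubelet 1.10 and removed before 1.13; CIS 1.4.1 keeps 2.1.11 as Not Scored, so it is skipped rather than deleted to preserve numbering` would prevent it from being re-enabled later. If the flag is genuinely gone from the 1.13 kubelet (confirm in the 1.12 release notes), skipping is the right call, since a flag-absent test would otherwise pass vacuously on every node. Operators should not read the skip as "cAdvisor is no longer exposed": container metrics are still served through the kubelet's own endpoints, so that exposure is governed by the kubelet authn/authz checks elsewhere in this file rather than by this item. The 2.1.11 test items and remediation continue past the end of this hunk.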