arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-20 05:38:13 +00:00
Code Issues Releases Wiki Activity

fixes-according-kube-cis1.4.1 (#376)

Browse Source 
* Update master.yaml

* Update node.yaml

Fix 2.1.11 - got DEPRECATED
2.1.14 changed to be a set of options, would be fixed by https://github.com/aquasecurity/kube-bench/pull/367

* Update master.yaml

* Update node.yaml

change 2.1.11 Title, and state to not scored
This commit is contained in:
yoavrotems 2019-08-06 13:19:29 +00:00 committed by Liz Rice
parent 0422368615
commit 22b971a633
2 changed files with 11 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
cfg/1.13/master.yaml
View File

@ -186,8 +186,9 @@ groups:
scored: true scored: true
- id: 1.1.12 - id: 1.1.12
text: "Ensure that the admission control plugin DenyEscalatingExec is set (Scored)" text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: skip
tests: tests:
test_items: test_items:
- flag: "--enable-admission-plugins" - flag: "--enable-admission-plugins"
@ -200,7 +201,7 @@ groups:
on the master node and set the --enable-admission-plugins parameter to a on the master node and set the --enable-admission-plugins parameter to a
value that includes DenyEscalatingExec. value that includes DenyEscalatingExec.
--enable-admission-plugins=...,DenyEscalatingExec,... --enable-admission-plugins=...,DenyEscalatingExec,...
scored: true scored: false
- id: 1.1.13 - id: 1.1.13
text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)" text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)"
@ -559,19 +560,19 @@ groups:
scored: true scored: true
- id: 1.1.34 - id: 1.1.34
text: "Ensure that the --experimental-encryption-provider-config argument is text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
tests: tests:
test_items: test_items:
- flag: "--experimental-encryption-provider-config" - flag: "--encryption-provider-config"
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and configure a EncryptionConfig file. Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file $apiserverconf on the Then, edit the API server pod specification file $apiserverconf on the
master node and set the --experimental-encryption-provider-config parameter master node and set the --encryption-provider-config parameter
to the path of that file: to the path of that file:
--experimental-encryption-provider-config=</path/to/EncryptionConfig/File> --encryption-provider-config=</path/to/EncryptionConfig/File>
scored: true scored: true
- id: 1.1.35 - id: 1.1.35

5
cfg/1.13/node.yaml
View File

@ -220,8 +220,9 @@ groups:
scored: true scored: true
- id: 2.1.11 - id: 2.1.11
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
audit: "ps -fC $kubeletbin" audit: "ps -fC $kubeletbin"
type: skip
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -239,7 +240,7 @@ groups:
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: false
- id: 2.1.12 - id: 2.1.12
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)" text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"