mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-24 07:28:06 +00:00
fixes-according-kube-cis1.4.1 (#376)
* Update master.yaml * Update node.yaml Fix 2.1.11 - got DEPRECATED 2.1.14 changed to be a set of options, would be fixed by https://github.com/aquasecurity/kube-bench/pull/367 * Update master.yaml * Update node.yaml change 2.1.11 Title, and state to not scored
This commit is contained in:
parent
0422368615
commit
22b971a633
@ -186,8 +186,9 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.12
|
- id: 1.1.12
|
||||||
text: "Ensure that the admission control plugin DenyEscalatingExec is set (Scored)"
|
text: "[DEPRECATED] Ensure that the admission control plugin DenyEscalatingExec is set (Not Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
|
type: skip
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--enable-admission-plugins"
|
- flag: "--enable-admission-plugins"
|
||||||
@ -200,7 +201,7 @@ groups:
|
|||||||
on the master node and set the --enable-admission-plugins parameter to a
|
on the master node and set the --enable-admission-plugins parameter to a
|
||||||
value that includes DenyEscalatingExec.
|
value that includes DenyEscalatingExec.
|
||||||
--enable-admission-plugins=...,DenyEscalatingExec,...
|
--enable-admission-plugins=...,DenyEscalatingExec,...
|
||||||
scored: true
|
scored: false
|
||||||
|
|
||||||
- id: 1.1.13
|
- id: 1.1.13
|
||||||
text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)"
|
text: "Ensure that the admission control plugin SecurityContextDeny is set (Scored)"
|
||||||
@ -559,19 +560,19 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.34
|
- id: 1.1.34
|
||||||
text: "Ensure that the --experimental-encryption-provider-config argument is
|
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
|
||||||
set as appropriate (Scored)"
|
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
|
type: "manual"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--experimental-encryption-provider-config"
|
- flag: "--encryption-provider-config"
|
||||||
set: true
|
set: true
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the Kubernetes documentation and configure a EncryptionConfig file.
|
Follow the Kubernetes documentation and configure a EncryptionConfig file.
|
||||||
Then, edit the API server pod specification file $apiserverconf on the
|
Then, edit the API server pod specification file $apiserverconf on the
|
||||||
master node and set the --experimental-encryption-provider-config parameter
|
master node and set the --encryption-provider-config parameter
|
||||||
to the path of that file:
|
to the path of that file:
|
||||||
--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>
|
--encryption-provider-config=</path/to/EncryptionConfig/File>
|
||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.35
|
- id: 1.1.35
|
||||||
|
@ -220,8 +220,9 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.11
|
- id: 2.1.11
|
||||||
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
text: "[DEPRECATED] Ensure that the --cadvisor-port argument is set to 0 (Not Scored)"
|
||||||
audit: "ps -fC $kubeletbin"
|
audit: "ps -fC $kubeletbin"
|
||||||
|
type: skip
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
test_items:
|
test_items:
|
||||||
@ -239,7 +240,7 @@ groups:
|
|||||||
Based on your system, restart the kubelet service. For example:
|
Based on your system, restart the kubelet service. For example:
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
systemctl restart kubelet.service
|
systemctl restart kubelet.service
|
||||||
scored: true
|
scored: false
|
||||||
|
|
||||||
- id: 2.1.12
|
- id: 2.1.12
|
||||||
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
|
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
|
||||||
|
Loading…
Reference in New Issue
Block a user