
fix: required fixes for rke-cis 1.7 / 1.28 / 1.29 (#1792)

This commit is contained in:
Abubakr-Sadik Nii Nai Davis 2025-02-04 12:19:05 +00:00 committed by GitHub
parent c04b700d8a
commit 26aaeecc0f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 9 additions and 25 deletions


@ -152,7 +152,7 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: stat -c %a /node/var/lib/etcd audit: stat -c %a /var/lib/etcd
tests: tests:
test_items: test_items:
- flag: "700" - flag: "700"
@ -959,15 +959,11 @@ groups:
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--bind-address" - flag: "--bind-address"
compare: compare:
op: eq op: eq
value: "127.0.0.1" value: "127.0.0.1"
set: true
- flag: "--bind-address"
set: false
remediation: | remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and ensure the correct value for the --bind-address parameter on the control plane node and ensure the correct value for the --bind-address parameter
@ -996,15 +992,11 @@ groups:
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--bind-address" - flag: "--bind-address"
compare: compare:
op: eq op: eq
value: "127.0.0.1" value: "127.0.0.1"
set: true
- flag: "--bind-address"
set: false
remediation: | remediation: |
Edit the Scheduler pod specification file $schedulerconf Edit the Scheduler pod specification file $schedulerconf
on the control plane node and ensure the correct value for the --bind-address parameter on the control plane node and ensure the correct value for the --bind-address parameter
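Review bot: Dropping the `bin_op: or` / `set: false` alternative means an absent `--bind-address` flag now fails the controller-manager and scheduler checks in both hunks of this file, and nothing in the file records why that is the intended outcome. As far as I know kube-controller-manager and kube-scheduler bind to 0.0.0.0 when the flag is unset, so the removed branch was a false pass, and a one-line comment above `test_items:` would stop someone re-adding it: `# --bind-address defaults to 0.0.0.0 when unset, so an absent flag must fail rather than pass.` The same change is made in the controller-manager and scheduler hunks of the second and fourth files of this commit and would benefit from the same comment. Each check entry starts above its hunk, so the `id:` line is not visible here.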


@ -155,7 +155,7 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: stat -c %a /node/var/lib/etcd audit: stat -c %a /var/lib/etcd
tests: tests:
test_items: test_items:
- flag: "700" - flag: "700"
@ -962,15 +962,12 @@ groups:
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--bind-address" - flag: "--bind-address"
compare: compare:
op: eq op: eq
value: "127.0.0.1" value: "127.0.0.1"
set: true set: true
- flag: "--bind-address"
set: false
remediation: | remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and ensure the correct value for the --bind-address parameter on the control plane node and ensure the correct value for the --bind-address parameter
@ -999,15 +996,12 @@ groups:
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--bind-address" - flag: "--bind-address"
compare: compare:
op: eq op: eq
value: "127.0.0.1" value: "127.0.0.1"
set: true set: true
- flag: "--bind-address"
set: false
remediation: | remediation: |
Edit the Scheduler pod specification file $schedulerconf Edit the Scheduler pod specification file $schedulerconf
on the control plane node and ensure the correct value for the --bind-address parameter on the control plane node and ensure the correct value for the --bind-address parameter
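Review bot: `set: true` is kept on the `--bind-address` test item in both hunks of this file, while the first file in this commit drops it for the otherwise identical change, so the rke-cis master files now express the same test in two forms. If `set` defaults to true in kube-bench, as I believe it does, the line is redundant rather than wrong, but the three files should agree; the fourth file keeps `set: true` as well. If the explicit form is the one retained, a short comment such as `# flag must be present and equal to 127.0.0.1` above the test item makes the intent clear to readers who do not know the default.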


@ -319,7 +319,7 @@ groups:
# This is one of those properties that can only be set as a command line argument. # This is one of those properties that can only be set as a command line argument.
# To check if the property is set as expected, we need to parse the kubelet command # To check if the property is set as expected, we need to parse the kubelet command
# instead reading the Kubelet Configuration file. # instead reading the Kubelet Configuration file.
type: "manual" type: "skip"
audit: "/bin/ps -fC $kubeletbin " audit: "/bin/ps -fC $kubeletbin "
tests: tests:
test_items: test_items:
@ -410,7 +410,7 @@ groups:
- id: 4.2.12 - id: 4.2.12
text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)" text: "Verify that the RotateKubeletServerCertificate argument is set to true (Manual)"
type: "manual" type: "skip"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests: tests:
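Review bot: The three-line comment directly above `type: "skip"` in the first hunk still explains why the audit parses the kubelet command line, but with the check now skipped that audit is not evaluated, so the comment describes a path that no longer runs. Replace it with the reason the check is skipped on RKE, for example `# Skipped on RKE: <reason the property cannot be evaluated here>; see <tracking reference>` (placeholder text — the actual rationale belongs there). The 4.2.12 RotateKubeletServerCertificate hunk below switches to `skip` with no comment at all and should carry the same rationale. The check id for the first hunk sits above the hunk and is not visible here.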


@ -171,7 +171,7 @@ groups:
- id: 1.1.11 - id: 1.1.11
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)" text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated)"
audit: stat -c %a /node/var/lib/etcd audit: stat -c %a /var/lib/etcd
tests: tests:
test_items: test_items:
- flag: "700" - flag: "700"
@ -949,14 +949,12 @@ groups:
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--bind-address" - flag: "--bind-address"
compare: compare:
op: eq op: eq
value: "127.0.0.1" value: "127.0.0.1"
- flag: "--bind-address" set: true
set: false
remediation: | remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and ensure the correct value for the --bind-address parameter on the control plane node and ensure the correct value for the --bind-address parameter
@ -984,14 +982,12 @@ groups:
text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)" text: "Ensure that the --bind-address argument is set to 127.0.0.1 (Automated)"
audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep" audit: "/bin/ps -ef | grep $schedulerbin | grep -v grep"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--bind-address" - flag: "--bind-address"
compare: compare:
op: eq op: eq
value: "127.0.0.1" value: "127.0.0.1"
- flag: "--bind-address" set: true
set: false
remediation: | remediation: |
Edit the Scheduler pod specification file $schedulerconf Edit the Scheduler pod specification file $schedulerconf
on the control plane node and ensure the correct value for the --bind-address parameter on the control plane node and ensure the correct value for the --bind-address parameter
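Review bot: `stat -c %a /var/lib/etcd` in the 1.1.11 hunk now reads the host path directly, so the check can only pass when kube-bench sees the host's etcd data directory at exactly that path, whether it runs on the host or in a container with that directory mounted at the same location; if the path is absent the stat produces no output and an Automated control fails rather than being reported as not applicable. A comment on the audit line recording that assumption, e.g. `# expects the host's etcd data directory at /var/lib/etcd; mount it at the same path when running in a container`, would save the next reader the question. The first two files of this commit make the identical change and should get the same comment. Whether the RKE etcd data directory is always at this path is not something I can confirm from the diff.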


@ -322,6 +322,7 @@ groups:
- id: 4.2.8 - id: 4.2.8
text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)" text: "Ensure that the eventRecordQPS argument is set to a level which ensures appropriate event capture (Manual)"
type: "skip"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests: tests:
@ -426,6 +427,7 @@ groups:
- id: 4.2.12 - id: 4.2.12
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated)" text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated)"
type: "skip"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' " audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
tests: tests:
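Review bot: 4.2.12 is labelled `(Automated)` in its `text:` yet the second hunk adds `type: "skip"` with no comment, so the strong-cipher control drops out of the report with nothing in the file saying why. Put the rationale above the `type:` line, e.g. `# Skipped on RKE: <reason the check cannot be evaluated here>; see <tracking reference>` (placeholder text). If the intent is that an operator still reviews the setting, `type: "manual"` keeps the control visible as a WARN instead of removing it; the eventRecordQPS hunk above has the same gap. Both check entries continue past their hunks, so the test items are not visible here.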