arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-21 15:48:06 +00:00
Code Issues Releases Wiki Activity

Support CIS v1.5.1 (#673)

Browse Source
This commit is contained in:
Huang Huang 2020-08-13 02:57:51 +08:00 committed by GitHub
parent 07f3c40dc7
commit 2d548597ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 42 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -58,7 +58,7 @@ kube-bench supports the tests for Kubernetes as defined in the [CIS Kubernetes B
|---|---|---|
| [1.3.0](https://workbench.cisecurity.org/benchmarks/602) | cis-1.3 | 1.11-1.12 |
| [1.4.1](https://workbench.cisecurity.org/benchmarks/2351) | cis-1.4 | 1.13-1.14 |
| [1.5.0](https://workbench.cisecurity.org/benchmarks/1370) | cis-1.5 | 1.15- |
| [1.5.1](https://workbench.cisecurity.org/benchmarks/4892) | cis-1.5 | 1.15- |
| [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
| [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS |
| Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |

20
cfg/cis-1.5/master.yaml
View File

@ -303,7 +303,7 @@ groups:
scored: true
- id: 1.1.20
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)"
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)"
audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a"
use_multiple_values: true
tests:
@ -317,10 +317,10 @@ groups:
Run the below command (based on the file location on your system) on the master node.
For example,
chmod -R 644 /etc/kubernetes/pki/*.crt
scored: true
scored: false
- id: 1.1.21
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)"
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)"
audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a"
use_multiple_values: true
tests:
@ -334,7 +334,7 @@ groups:
Run the below command (based on the file location on your system) on the master node.
For example,
chmod -R 600 /etc/kubernetes/pki/*.key
scored: true
scored: false
- id: 1.2
text: "API Server"
@ -880,7 +880,7 @@ groups:
scored: true
- id: 1.2.33
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)"
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
@ -890,16 +890,16 @@ groups:
Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file $apiserverconf
on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
scored: true
scored: false
- id: 1.2.34
text: "Ensure that encryption providers are appropriately configured (Scored)"
text: "Ensure that encryption providers are appropriately configured (Not Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
type: "manual"
remediation: |
Follow the Kubernetes documentation and configure a EncryptionConfig file.
In this file, choose aescbc, kms or secretbox as the encryption provider.
scored: true
scored: false
- id: 1.2.35
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
@ -921,7 +921,7 @@ groups:
text: "Controller Manager"
checks:
- id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests:
test_items:
@ -932,7 +932,7 @@ groups:
on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
for example:
--terminated-pod-gc-threshold=10
scored: true
scored: false
- id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Scored)"

2
cfg/cis-1.5/node.yaml
View File

@ -164,7 +164,7 @@ groups:
text: "Kubelet"
checks:
- id: 4.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
text: "Ensure that the anonymous-auth argument is set to false (Scored)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:

10
cfg/cis-1.5/policies.yaml
View File

@ -184,10 +184,10 @@ groups:
Follow the Kubernetes documentation and setup image provenance.
scored: false
- id: 5.6
- id: 5.7
text: "General Policies"
checks:
- id: 5.6.1
- id: 5.7.1
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: |
@ -195,7 +195,7 @@ groups:
them.
scored: false
- id: 5.6.2
- id: 5.7.2
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual"
remediation: |
@ -221,7 +221,7 @@ groups:
image: sotrustworthy:latest
scored: false
- id: 5.6.3
- id: 5.7.3
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: |
@ -230,7 +230,7 @@ groups:
Containers.
scored: false
- id: 5.6.4
- id: 5.7.4
text: "The default namespace should not be used (Scored)"
type: "manual"
remediation: |

14
integration/testdata/cis-1.5/job-master.data vendored
View File

@ -19,8 +19,8 @@
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)
[INFO] 1.2 API Server
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
@ -54,11 +54,11 @@
[PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
[FAIL] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Scored)
[WARN] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)
[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Not Scored)
[WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
[INFO] 1.3 Controller Manager
[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
@ -171,6 +171,6 @@ on the master node and set the below parameter.
== Summary ==
44 checks PASS
13 checks FAIL
8 checks WARN
11 checks FAIL
10 checks WARN
0 checks INFO

2
integration/testdata/cis-1.5/job-node.data vendored
View File

@ -11,7 +11,7 @@
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
[INFO] 4.2 Kubelet
[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Scored)
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)

34
integration/testdata/cis-1.5/job.data vendored
View File

@ -19,8 +19,8 @@
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)
[INFO] 1.2 API Server
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
@ -54,11 +54,11 @@
[PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
[FAIL] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Scored)
[WARN] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)
[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Not Scored)
[WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
[INFO] 1.3 Controller Manager
[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)
[WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
@ -171,8 +171,8 @@ on the master node and set the below parameter.
== Summary ==
44 checks PASS
13 checks FAIL
8 checks WARN
11 checks FAIL
10 checks WARN
0 checks INFO
[INFO] 2 Etcd Node Configuration
[INFO] 2 Etcd Node Configuration Files
@ -224,7 +224,7 @@ minimum.
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
[INFO] 4.2 Kubelet
[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored)
[PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Scored)
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
@ -314,11 +314,11 @@ systemctl restart kubelet.service
[WARN] 5.4.2 Consider external secret storage (Not Scored)
[INFO] 5.5 Extensible Admission Control
[WARN] 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)
[INFO] 5.6 General Policies
[WARN] 5.6.1 Create administrative boundaries between resources using namespaces (Not Scored)
[WARN] 5.6.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)
[WARN] 5.6.3 Apply Security Context to Your Pods and Containers (Not Scored)
[WARN] 5.6.4 The default namespace should not be used (Scored)
[INFO] 5.7 General Policies
[WARN] 5.7.1 Create administrative boundaries between resources using namespaces (Not Scored)
[WARN] 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)
[WARN] 5.7.3 Apply Security Context to Your Pods and Containers (Not Scored)
[WARN] 5.7.4 The default namespace should not be used (Scored)
== Remediations ==
5.1.1 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
@ -385,10 +385,10 @@ secrets management solution.
5.5.1 Follow the Kubernetes documentation and setup image provenance.
5.6.1 Follow the documentation and create namespaces for objects in your deployment as you need
5.7.1 Follow the documentation and create namespaces for objects in your deployment as you need
them.
5.6.2 Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
5.7.2 Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument.
Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
@ -409,11 +409,11 @@ spec:
- name: trustworthy-container
image: sotrustworthy:latest
5.6.3 Follow the Kubernetes documentation and apply security contexts to your pods. For a
5.7.3 Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers.
5.6.4 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
5.7.4 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
resources and that all new resources are created in a specific namespace.