arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 08:08:07 +00:00
Code Issues Releases Wiki Activity

Support CIS v1.5.1 (#673)

Browse Source
This commit is contained in:
Huang Huang 2020-08-13 02:57:51 +08:00 committed by GitHub
parent 07f3c40dc7
commit 2d548597ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 42 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -58,7 +58,7 @@ kube-bench supports the tests for Kubernetes as defined in the [CIS Kubernetes B
|---|---|---| |---|---|---|
| [1.3.0](https://workbench.cisecurity.org/benchmarks/602) | cis-1.3 | 1.11-1.12 | | [1.3.0](https://workbench.cisecurity.org/benchmarks/602) | cis-1.3 | 1.11-1.12 |
| [1.4.1](https://workbench.cisecurity.org/benchmarks/2351) | cis-1.4 | 1.13-1.14 | | [1.4.1](https://workbench.cisecurity.org/benchmarks/2351) | cis-1.4 | 1.13-1.14 |
| [1.5.0](https://workbench.cisecurity.org/benchmarks/1370) | cis-1.5 | 1.15- | | [1.5.1](https://workbench.cisecurity.org/benchmarks/4892) | cis-1.5 | 1.15- |
| [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE | | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE |
| [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS | | [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS |
| Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 | | Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 |

20
cfg/cis-1.5/master.yaml
View File

@ -303,7 +303,7 @@ groups:
scored: true scored: true
- id: 1.1.20 - id: 1.1.20
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)"
audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a" audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a"
use_multiple_values: true use_multiple_values: true
tests: tests:
@ -317,10 +317,10 @@ groups:
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod -R 644 /etc/kubernetes/pki/*.crt chmod -R 644 /etc/kubernetes/pki/*.crt
scored: true scored: false
- id: 1.1.21 - id: 1.1.21
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)" text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)"
audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a" audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a"
use_multiple_values: true use_multiple_values: true
tests: tests:
@ -334,7 +334,7 @@ groups:
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
chmod -R 600 /etc/kubernetes/pki/*.key chmod -R 600 /etc/kubernetes/pki/*.key
scored: true scored: false
- id: 1.2 - id: 1.2
text: "API Server" text: "API Server"
@ -880,7 +880,7 @@ groups:
scored: true scored: true
- id: 1.2.33 - id: 1.2.33
text: "Ensure that the --encryption-provider-config argument is set as appropriate (Scored)" text: "Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -890,16 +890,16 @@ groups:
Follow the Kubernetes documentation and configure a EncryptionConfig file. Follow the Kubernetes documentation and configure a EncryptionConfig file.
Then, edit the API server pod specification file $apiserverconf Then, edit the API server pod specification file $apiserverconf
on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File> on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config=</path/to/EncryptionConfig/File>
scored: true scored: false
- id: 1.2.34 - id: 1.2.34
text: "Ensure that encryption providers are appropriately configured (Scored)" text: "Ensure that encryption providers are appropriately configured (Not Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and configure a EncryptionConfig file. Follow the Kubernetes documentation and configure a EncryptionConfig file.
In this file, choose aescbc, kms or secretbox as the encryption provider. In this file, choose aescbc, kms or secretbox as the encryption provider.
scored: true scored: false
- id: 1.2.35 - id: 1.2.35
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)" text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
@ -921,7 +921,7 @@ groups:
text: "Controller Manager" text: "Controller Manager"
checks: checks:
- id: 1.3.1 - id: 1.3.1
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)" text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)"
audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep" audit: "/bin/ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
@ -932,7 +932,7 @@ groups:
on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold,
for example: for example:
--terminated-pod-gc-threshold=10 --terminated-pod-gc-threshold=10
scored: true scored: false
- id: 1.3.2 - id: 1.3.2
text: "Ensure that the --profiling argument is set to false (Scored)" text: "Ensure that the --profiling argument is set to false (Scored)"

2
cfg/cis-1.5/node.yaml
View File

@ -164,7 +164,7 @@ groups:
text: "Kubelet" text: "Kubelet"
checks: checks:
- id: 4.2.1 - id: 4.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: "Ensure that the anonymous-auth argument is set to false (Scored)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf" audit_config: "/bin/cat $kubeletconf"
tests: tests:

10
cfg/cis-1.5/policies.yaml
View File

@ -184,10 +184,10 @@ groups:
Follow the Kubernetes documentation and setup image provenance. Follow the Kubernetes documentation and setup image provenance.
scored: false scored: false
- id: 5.6 - id: 5.7
text: "General Policies" text: "General Policies"
checks: checks:
- id: 5.6.1 - id: 5.7.1
text: "Create administrative boundaries between resources using namespaces (Not Scored)" text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
@ -195,7 +195,7 @@ groups:
them. them.
scored: false scored: false
- id: 5.6.2 - id: 5.7.2
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)" text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
@ -221,7 +221,7 @@ groups:
image: sotrustworthy:latest image: sotrustworthy:latest
scored: false scored: false
- id: 5.6.3 - id: 5.7.3
text: "Apply Security Context to Your Pods and Containers (Not Scored)" text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
@ -230,7 +230,7 @@ groups:
Containers. Containers.
scored: false scored: false
- id: 5.6.4 - id: 5.7.4
text: "The default namespace should not be used (Scored)" text: "The default namespace should not be used (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |

14
integration/testdata/cis-1.5/job-master.data vendored
View File

@ -19,8 +19,8 @@
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored) [PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored) [PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored) [PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored) [PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored) [PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)
[INFO] 1.2 API Server [INFO] 1.2 API Server
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored) [WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored) [PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
@ -54,11 +54,11 @@
[PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) [PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored) [PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored) [PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
[FAIL] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored) [WARN] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)
[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Scored) [WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Not Scored)
[WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored) [WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
[INFO] 1.3 Controller Manager [INFO] 1.3 Controller Manager
[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored) [WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored) [FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored) [PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored) [PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
@ -171,6 +171,6 @@ on the master node and set the below parameter.
== Summary == == Summary ==
44 checks PASS 44 checks PASS
13 checks FAIL 11 checks FAIL
8 checks WARN 10 checks WARN
0 checks INFO 0 checks INFO

2
integration/testdata/cis-1.5/job-node.data vendored
View File

@ -11,7 +11,7 @@
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) [PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored) [PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
[INFO] 4.2 Kubelet [INFO] 4.2 Kubelet
[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored) [PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Scored)
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) [PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored) [PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored) [PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)

34
integration/testdata/cis-1.5/job.data vendored
View File

@ -19,8 +19,8 @@
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored) [PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored) [PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored) [PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored) [PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored)
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored) [PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored)
[INFO] 1.2 API Server [INFO] 1.2 API Server
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored) [WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored) [PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
@ -54,11 +54,11 @@
[PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) [PASS] 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored) [PASS] 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored) [PASS] 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
[FAIL] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored) [WARN] 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored)
[WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Scored) [WARN] 1.2.34 Ensure that encryption providers are appropriately configured (Not Scored)
[WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored) [WARN] 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
[INFO] 1.3 Controller Manager [INFO] 1.3 Controller Manager
[FAIL] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored) [WARN] 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored)
[FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored) [FAIL] 1.3.2 Ensure that the --profiling argument is set to false (Scored)
[PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored) [PASS] 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Scored)
[PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored) [PASS] 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)
@ -171,8 +171,8 @@ on the master node and set the below parameter.
== Summary == == Summary ==
44 checks PASS 44 checks PASS
13 checks FAIL 11 checks FAIL
8 checks WARN 10 checks WARN
0 checks INFO 0 checks INFO
[INFO] 2 Etcd Node Configuration [INFO] 2 Etcd Node Configuration
[INFO] 2 Etcd Node Configuration Files [INFO] 2 Etcd Node Configuration Files
@ -224,7 +224,7 @@ minimum.
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) [PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored) [PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
[INFO] 4.2 Kubelet [INFO] 4.2 Kubelet
[PASS] 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored) [PASS] 4.2.1 Ensure that the anonymous-auth argument is set to false (Scored)
[PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) [PASS] 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)
[PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored) [PASS] 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored) [PASS] 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored)
@ -314,11 +314,11 @@ systemctl restart kubelet.service
[WARN] 5.4.2 Consider external secret storage (Not Scored) [WARN] 5.4.2 Consider external secret storage (Not Scored)
[INFO] 5.5 Extensible Admission Control [INFO] 5.5 Extensible Admission Control
[WARN] 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored) [WARN] 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)
[INFO] 5.6 General Policies [INFO] 5.7 General Policies
[WARN] 5.6.1 Create administrative boundaries between resources using namespaces (Not Scored) [WARN] 5.7.1 Create administrative boundaries between resources using namespaces (Not Scored)
[WARN] 5.6.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored) [WARN] 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)
[WARN] 5.6.3 Apply Security Context to Your Pods and Containers (Not Scored) [WARN] 5.7.3 Apply Security Context to Your Pods and Containers (Not Scored)
[WARN] 5.6.4 The default namespace should not be used (Scored) [WARN] 5.7.4 The default namespace should not be used (Scored)
== Remediations == == Remediations ==
5.1.1 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and 5.1.1 Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
@ -385,10 +385,10 @@ secrets management solution.
5.5.1 Follow the Kubernetes documentation and setup image provenance. 5.5.1 Follow the Kubernetes documentation and setup image provenance.
5.6.1 Follow the documentation and create namespaces for objects in your deployment as you need 5.7.1 Follow the documentation and create namespaces for objects in your deployment as you need
them. them.
5.6.2 Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you 5.7.2 Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing "--feature- would need to enable alpha features in the apiserver by passing "--feature-
gates=AllAlpha=true" argument. gates=AllAlpha=true" argument.
Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
@ -409,11 +409,11 @@ spec:
- name: trustworthy-container - name: trustworthy-container
image: sotrustworthy:latest image: sotrustworthy:latest
5.6.3 Follow the Kubernetes documentation and apply security contexts to your pods. For a 5.7.3 Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers. Containers.
5.6.4 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes 5.7.4 Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
resources and that all new resources are created in a specific namespace. resources and that all new resources are created in a specific namespace.