arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-05-06 17:09:23 +00:00
Code Issues Releases Wiki Activity

Added test 1.4.11 (#8)

Browse Source
This commit is contained in:
jerbia 2017-06-21 22:45:50 +03:00 committed by GitHub
parent d3bbf2698e
commit 432651e85f
3 changed files with 21 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -58,8 +58,12 @@ groups:
text: "Ensure that the --allow-privileged argument is set (Scored)" text: "Ensure that the --allow-privileged argument is set (Scored)"
audit: "ps -ef | grep kube-apiserver | grep -v grep" audit: "ps -ef | grep kube-apiserver | grep -v grep"
tests: tests:
bin_op: or
test_items:
- flag: "--allow-privileged" - flag: "--allow-privileged"
set: true set: true
- flag: "--some-other-flag"
set: false
remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
scored: true scored: true
``` ```

25
cfg/master.yaml
View File

@ -642,16 +642,21 @@ groups:
\nFor example, chown root:root /etc/sysconfig/flanneld" \nFor example, chown root:root /etc/sysconfig/flanneld"
scored: true scored: true
# TODO: Resolve issue get pipeline to work. - id: 1.4.11
# - id: 1.4.11 text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
# - text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)" # audit: ps -ef | grep etcd | grep -v grep | sed 's,.*--data-dir=\(.*\)\s*.*,\1,' | xargs stat -c %a
# - audit: "ps -ef | grep etcd | grep -v grep | sed 's,.*--data-dir=\\(.*\\)\\s.*,\\1,' | xargs stat -c %a" audit: "ps -ef | grep etcd | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %a"
# - tests: # audit: xargs stat -c %a /etc/etcd
# - test_items: tests:
# - - flag: "700" test_items:
# - set: true - flag: "700"
# - remediation: "" set: true
# - scored: true remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command:\n
ps -ef | grep etcd\n
Run the below command (based on the etcd data directory found above). For example,\n
chmod 700 /var/lib/etcd/default.etcd"
scored: true
- id: 1.5 - id: 1.5
text: "etcd" text: "etcd"

2
cmd/root.go
View File

@ -58,7 +58,7 @@ func Execute() {
func init() { func init() {
cobra.OnInitialize(initConfig) cobra.OnInitialize(initConfig)
RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Output results as JSON") RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
RootCmd.PersistentFlags().StringVarP(&checkList, RootCmd.PersistentFlags().StringVarP(&checkList,
"check", "check",
"c", "c",