arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-21 15:48:06 +00:00
Code Issues Releases Wiki Activity

fix mismatching checks, tests (#544)

Browse Source
This commit is contained in:
Murali Paluru 2020-01-07 18:01:07 +05:30 committed by Liz Rice
parent 5f34058dc7
commit 48e33d33e5
4 changed files with 45 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cfg/cis-1.3/master.yaml
View File

@ -1437,7 +1437,7 @@ groups:
scored: false
- id: 1.7.2
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
text: "Do not admit containers wishing to share the host process ID namespace (Scored)"
type: "manual"
remediation: |
[Manual test]
@ -1445,7 +1445,7 @@ groups:
scored: false
- id: 1.7.3
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
text: "Do not admit containers wishing to share the host IPC namespace (Scored)"
type: "manual"
remediation: |
[Manual test]
@ -1453,7 +1453,7 @@ groups:
scored: false
- id: 1.7.4
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
text: "Do not admit containers wishing to share the host network namespace (Scored)"
type: "manual"
remediation: |
[Manual test]
@ -1461,7 +1461,7 @@ groups:
scored: false
- id: 1.7.5
text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)"
text: "Do not admit containers with allowPrivilegeEscalation (Scored)"
type: "manual"
remediation: |
[Manual test]

38
cfg/cis-1.4/master.yaml
View File

@ -497,6 +497,21 @@ groups:
scored: true
- id: 1.1.30
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--etcd-cafile"
set: true
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file
$apiserverconf on the master node and set the etcd
certificate authority file parameter.
--etcd-cafile=<path/to/ca-file>
scored: true
- id: 1.1.31
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
@ -512,21 +527,6 @@ groups:
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false
- id: 1.1.31
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--etcd-cafile"
set: true
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file
$apiserverconf on the master node and set the etcd
certificate authority file parameter.
--etcd-cafile=<path/to/ca-file>
scored: true
- id: 1.1.32
text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
@ -1501,7 +1501,7 @@ groups:
scored: false
- id: 1.7.2
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)"
text: "Do not admit containers wishing to share the host process ID namespace (Scored)"
type: "manual"
remediation: |
[Manual test]
@ -1509,7 +1509,7 @@ groups:
scored: false
- id: 1.7.3
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)"
text: "Do not admit containers wishing to share the host IPC namespace (Scored)"
type: "manual"
remediation: |
[Manual test]
@ -1517,7 +1517,7 @@ groups:
scored: false
- id: 1.7.4
text: "Do not admit containers wishing to share the host network namespace (Not Scored)"
text: "Do not admit containers wishing to share the host network namespace (Scored)"
type: "manual"
remediation: |
[Manual test]
@ -1525,7 +1525,7 @@ groups:
scored: false
- id: 1.7.5
text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)"
text: " Do not admit containers with allowPrivilegeEscalation (Scored)"
type: "manual"
remediation: |
[Manual test]

22
integration/testdata/job-master.data vendored
View File

@ -29,8 +29,8 @@
[PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
[FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[WARN] 1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
[FAIL] 1.1.31 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
[FAIL] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
[WARN] 1.1.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
[FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
[FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
[FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
@ -92,10 +92,10 @@
[WARN] 1.6.8 Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)
[INFO] 1.7 PodSecurityPolicies
[WARN] 1.7.1 Do not admit privileged containers (Not Scored)
[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Not Scored)
[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Not Scored)
[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Not Scored)
[WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Not Scored)
[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Scored)
[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Scored)
[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Scored)
[WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Scored)
[WARN] 1.7.6 Do not admit root containers (Not Scored)
[WARN] 1.7.7 Do not admit containers with dangerous capabilities (Not Scored)
@ -194,16 +194,16 @@ Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-
on the master node and set the client certificate authority file.
--client-ca-file=<path/to/client-ca-file>
1.1.30 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
1.1.31 Follow the Kubernetes documentation and set up the TLS connection between the
1.1.30 Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
certificate authority file parameter.
--etcd-cafile=<path/to/ca-file>
1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --authorization-mode parameter to a
value that includes Node.

22
integration/testdata/job.data vendored
View File

@ -29,8 +29,8 @@
[PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
[FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[WARN] 1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
[FAIL] 1.1.31 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
[FAIL] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
[WARN] 1.1.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
[FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
[FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
[FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
@ -92,10 +92,10 @@
[WARN] 1.6.8 Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)
[INFO] 1.7 PodSecurityPolicies
[WARN] 1.7.1 Do not admit privileged containers (Not Scored)
[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Not Scored)
[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Not Scored)
[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Not Scored)
[WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Not Scored)
[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Scored)
[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Scored)
[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Scored)
[WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Scored)
[WARN] 1.7.6 Do not admit root containers (Not Scored)
[WARN] 1.7.7 Do not admit containers with dangerous capabilities (Not Scored)
@ -194,16 +194,16 @@ Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-
on the master node and set the client certificate authority file.
--client-ca-file=<path/to/client-ca-file>
1.1.30 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
1.1.31 Follow the Kubernetes documentation and set up the TLS connection between the
1.1.30 Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
certificate authority file parameter.
--etcd-cafile=<path/to/ca-file>
1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --authorization-mode parameter to a
value that includes Node.