arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 08:08:07 +00:00
Code Issues Releases Wiki Activity

fix mismatching checks, tests (#544)

Browse Source
This commit is contained in:
Murali Paluru 2020-01-07 18:01:07 +05:30 committed by Liz Rice
parent 5f34058dc7
commit 48e33d33e5
4 changed files with 45 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cfg/cis-1.3/master.yaml
View File

@ -1437,7 +1437,7 @@ groups:
scored: false scored: false
- id: 1.7.2 - id: 1.7.2
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)" text: "Do not admit containers wishing to share the host process ID namespace (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test] [Manual test]
@ -1445,7 +1445,7 @@ groups:
scored: false scored: false
- id: 1.7.3 - id: 1.7.3
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)" text: "Do not admit containers wishing to share the host IPC namespace (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test] [Manual test]
@ -1453,7 +1453,7 @@ groups:
scored: false scored: false
- id: 1.7.4 - id: 1.7.4
text: "Do not admit containers wishing to share the host network namespace (Not Scored)" text: "Do not admit containers wishing to share the host network namespace (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test] [Manual test]
@ -1461,7 +1461,7 @@ groups:
scored: false scored: false
- id: 1.7.5 - id: 1.7.5
text: "Do not admit containers with allowPrivilegeEscalation (Not Scored)" text: "Do not admit containers with allowPrivilegeEscalation (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test] [Manual test]

38
cfg/cis-1.4/master.yaml
View File

@ -497,6 +497,21 @@ groups:
scored: true scored: true
- id: 1.1.30 - id: 1.1.30
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--etcd-cafile"
set: true
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file
$apiserverconf on the master node and set the etcd
certificate authority file parameter.
--etcd-cafile=<path/to/ca-file>
scored: true
- id: 1.1.31
text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)" text: "Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
@ -512,21 +527,6 @@ groups:
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false scored: false
- id: 1.1.31
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
tests:
test_items:
- flag: "--etcd-cafile"
set: true
remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file
$apiserverconf on the master node and set the etcd
certificate authority file parameter.
--etcd-cafile=<path/to/ca-file>
scored: true
- id: 1.1.32 - id: 1.1.32
text: "Ensure that the --authorization-mode argument is set to Node (Scored)" text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
@ -1501,7 +1501,7 @@ groups:
scored: false scored: false
- id: 1.7.2 - id: 1.7.2
text: "Do not admit containers wishing to share the host process ID namespace (Not Scored)" text: "Do not admit containers wishing to share the host process ID namespace (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test] [Manual test]
@ -1509,7 +1509,7 @@ groups:
scored: false scored: false
- id: 1.7.3 - id: 1.7.3
text: "Do not admit containers wishing to share the host IPC namespace (Not Scored)" text: "Do not admit containers wishing to share the host IPC namespace (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test] [Manual test]
@ -1517,7 +1517,7 @@ groups:
scored: false scored: false
- id: 1.7.4 - id: 1.7.4
text: "Do not admit containers wishing to share the host network namespace (Not Scored)" text: "Do not admit containers wishing to share the host network namespace (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test] [Manual test]
@ -1525,7 +1525,7 @@ groups:
scored: false scored: false
- id: 1.7.5 - id: 1.7.5
text: " Do not admit containers with allowPrivilegeEscalation (Not Scored)" text: " Do not admit containers with allowPrivilegeEscalation (Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
[Manual test] [Manual test]

22
integration/testdata/job-master.data vendored
View File

@ -29,8 +29,8 @@
[PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored) [PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
[FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) [FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored) [FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[WARN] 1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored) [FAIL] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
[FAIL] 1.1.31 Ensure that the --etcd-cafile argument is set as appropriate (Scored) [WARN] 1.1.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
[FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored) [FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
[FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored) [FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
[FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored) [FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
@ -92,10 +92,10 @@
[WARN] 1.6.8 Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored) [WARN] 1.6.8 Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)
[INFO] 1.7 PodSecurityPolicies [INFO] 1.7 PodSecurityPolicies
[WARN] 1.7.1 Do not admit privileged containers (Not Scored) [WARN] 1.7.1 Do not admit privileged containers (Not Scored)
[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Not Scored) [WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Scored)
[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Not Scored) [WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Scored)
[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Not Scored) [WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Scored)
[WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Not Scored) [WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Scored)
[WARN] 1.7.6 Do not admit root containers (Not Scored) [WARN] 1.7.6 Do not admit root containers (Not Scored)
[WARN] 1.7.7 Do not admit containers with dangerous capabilities (Not Scored) [WARN] 1.7.7 Do not admit containers with dangerous capabilities (Not Scored)
@ -194,16 +194,16 @@ Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-
on the master node and set the client certificate authority file. on the master node and set the client certificate authority file.
--client-ca-file=<path/to/client-ca-file> --client-ca-file=<path/to/client-ca-file>
1.1.30 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 1.1.30 Follow the Kubernetes documentation and set up the TLS connection between the
on the master node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
1.1.31 Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file apiserver and etcd. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
certificate authority file parameter. certificate authority file parameter.
--etcd-cafile=<path/to/ca-file> --etcd-cafile=<path/to/ca-file>
1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --authorization-mode parameter to a on the master node and set the --authorization-mode parameter to a
value that includes Node. value that includes Node.

22
integration/testdata/job.data vendored
View File

@ -29,8 +29,8 @@
[PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored) [PASS] 1.1.27 Ensure that the admission control plugin ServiceAccount is set(Scored)
[FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) [FAIL] 1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)
[FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored) [FAIL] 1.1.29 Ensure that the --client-ca-file argument is set as appropriate (Scored)
[WARN] 1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored) [FAIL] 1.1.30 Ensure that the --etcd-cafile argument is set as appropriate (Scored)
[FAIL] 1.1.31 Ensure that the --etcd-cafile argument is set as appropriate (Scored) [WARN] 1.1.31 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)
[FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored) [FAIL] 1.1.32 Ensure that the --authorization-mode argument is set to Node (Scored)
[FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored) [FAIL] 1.1.33 Ensure that the admission control plugin NodeRestriction is set (Scored)
[FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored) [FAIL] 1.1.34 Ensure that the --encryption-provider-config argument is set as appropriate (Scored)
@ -92,10 +92,10 @@
[WARN] 1.6.8 Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored) [WARN] 1.6.8 Place compensating controls in the form of PSP and RBAC for privileged containers usage (Not Scored)
[INFO] 1.7 PodSecurityPolicies [INFO] 1.7 PodSecurityPolicies
[WARN] 1.7.1 Do not admit privileged containers (Not Scored) [WARN] 1.7.1 Do not admit privileged containers (Not Scored)
[WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Not Scored) [WARN] 1.7.2 Do not admit containers wishing to share the host process ID namespace (Scored)
[WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Not Scored) [WARN] 1.7.3 Do not admit containers wishing to share the host IPC namespace (Scored)
[WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Not Scored) [WARN] 1.7.4 Do not admit containers wishing to share the host network namespace (Scored)
[WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Not Scored) [WARN] 1.7.5 Do not admit containers with allowPrivilegeEscalation (Scored)
[WARN] 1.7.6 Do not admit root containers (Not Scored) [WARN] 1.7.6 Do not admit root containers (Not Scored)
[WARN] 1.7.7 Do not admit containers with dangerous capabilities (Not Scored) [WARN] 1.7.7 Do not admit containers with dangerous capabilities (Not Scored)
@ -194,16 +194,16 @@ Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-
on the master node and set the client certificate authority file. on the master node and set the client certificate authority file.
--client-ca-file=<path/to/client-ca-file> --client-ca-file=<path/to/client-ca-file>
1.1.30 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 1.1.30 Follow the Kubernetes documentation and set up the TLS connection between the
on the master node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
1.1.31 Follow the Kubernetes documentation and set up the TLS connection between the
apiserver and etcd. Then, edit the API server pod specification file apiserver and etcd. Then, edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd
certificate authority file parameter. certificate authority file parameter.
--etcd-cafile=<path/to/ca-file> --etcd-cafile=<path/to/ca-file>
1.1.31 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 1.1.32 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --authorization-mode parameter to a on the master node and set the --authorization-mode parameter to a
value that includes Node. value that includes Node.