mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-24 15:38:06 +00:00
Fix definitions file to support move to bench-common.
This commit is contained in:
parent
5dba85ca47
commit
4bb5039517
@ -2,14 +2,14 @@
|
|||||||
controls:
|
controls:
|
||||||
version: 1.6
|
version: 1.6
|
||||||
id: 3
|
id: 3
|
||||||
text: "Federated Deployments"
|
description: "Federated Deployments"
|
||||||
type: "federated"
|
type: "federated"
|
||||||
groups:
|
groups:
|
||||||
- id: 3.1
|
- id: 3.1
|
||||||
text: "Federation API Server"
|
description: "Federation API Server"
|
||||||
checks:
|
checks:
|
||||||
- id: 3.1.1
|
- id: 3.1.1
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -23,7 +23,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.2
|
- id: 3.1.2
|
||||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
description: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -35,7 +35,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.3
|
- id: 3.1.3
|
||||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -46,7 +46,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.4
|
- id: 3.1.4
|
||||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -57,7 +57,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.5
|
- id: 3.1.5
|
||||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -71,7 +71,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.6
|
- id: 3.1.6
|
||||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -88,7 +88,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.7
|
- id: 3.1.7
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -102,7 +102,7 @@ groups:
|
|||||||
score: true
|
score: true
|
||||||
|
|
||||||
- id: 3.1.8
|
- id: 3.1.8
|
||||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -117,7 +117,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.9
|
- id: 3.1.9
|
||||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -131,7 +131,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.10
|
- id: 3.1.10
|
||||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -142,7 +142,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.11
|
- id: 3.1.11
|
||||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -156,7 +156,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.12
|
- id: 3.1.12
|
||||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -170,7 +170,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.13
|
- id: 3.1.13
|
||||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -184,7 +184,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.14
|
- id: 3.1.14
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -198,7 +198,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.15
|
- id: 3.1.15
|
||||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
description: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -210,7 +210,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.16
|
- id: 3.1.16
|
||||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -224,7 +224,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.17
|
- id: 3.1.17
|
||||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -235,7 +235,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.18
|
- id: 3.1.18
|
||||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
@ -252,7 +252,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.19
|
- id: 3.1.19
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
@ -268,10 +268,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.2
|
- id: 3.2
|
||||||
text: "Federation Controller Manager"
|
description: "Federation Controller Manager"
|
||||||
checks:
|
checks:
|
||||||
- id: 3.2.1
|
- id: 3.2.1
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
|
@ -2,14 +2,14 @@
|
|||||||
controls:
|
controls:
|
||||||
version: 1.6
|
version: 1.6
|
||||||
id: 1
|
id: 1
|
||||||
text: "Master Node Security Configuration"
|
description: "Master Node Security Configuration"
|
||||||
type: "master"
|
type: "master"
|
||||||
groups:
|
groups:
|
||||||
- id: 1.1
|
- id: 1.1
|
||||||
text: "API Server"
|
description: "API Server"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.1.1
|
- id: 1.1.1
|
||||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
description: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -23,7 +23,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.2
|
- id: 1.1.2
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -37,7 +37,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.3
|
- id: 1.1.3
|
||||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
description: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -50,7 +50,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.4
|
- id: 1.1.4
|
||||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -61,7 +61,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.5
|
- id: 1.1.5
|
||||||
text: "Ensure that the --kubelet-https argument is set to true (Scored)"
|
description: "Ensure that the --kubelet-https argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -78,7 +78,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.6
|
- id: 1.1.6
|
||||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -89,7 +89,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.7
|
- id: 1.1.7
|
||||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -103,7 +103,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.8
|
- id: 1.1.8
|
||||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -121,7 +121,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.9
|
- id: 1.1.9
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -135,7 +135,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.10
|
- id: 1.1.10
|
||||||
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
|
description: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -149,7 +149,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.11
|
- id: 1.1.11
|
||||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -163,7 +163,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.12
|
- id: 1.1.12
|
||||||
text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
|
description: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -177,7 +177,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.13
|
- id: 1.1.13
|
||||||
text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
|
description: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -191,7 +191,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.14
|
- id: 1.1.14
|
||||||
text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
|
description: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -205,7 +205,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.15
|
- id: 1.1.15
|
||||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -219,7 +219,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.16
|
- id: 1.1.16
|
||||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -230,7 +230,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.17
|
- id: 1.1.17
|
||||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -244,7 +244,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.18
|
- id: 1.1.18
|
||||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -258,7 +258,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.19
|
- id: 1.1.19
|
||||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -272,7 +272,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.20
|
- id: 1.1.20
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -286,7 +286,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.21
|
- id: 1.1.21
|
||||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
description: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -298,7 +298,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.22
|
- id: 1.1.22
|
||||||
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
|
description: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -311,7 +311,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.23
|
- id: 1.1.23
|
||||||
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
|
description: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
@ -327,7 +327,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.24
|
- id: 1.1.24
|
||||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -341,7 +341,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.25
|
- id: 1.1.25
|
||||||
text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
|
description: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -356,7 +356,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.26
|
- id: 1.1.26
|
||||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -367,7 +367,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.27
|
- id: 1.1.27
|
||||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
@ -383,7 +383,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.28
|
- id: 1.1.28
|
||||||
text: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
|
description: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -398,7 +398,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.29
|
- id: 1.1.29
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
@ -414,7 +414,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.30
|
- id: 1.1.30
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -426,7 +426,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.31
|
- id: 1.1.31
|
||||||
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
|
description: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -438,10 +438,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.2
|
- id: 1.2
|
||||||
text: "Scheduler"
|
description: "Scheduler"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.2.1
|
- id: 1.2.1
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $schedulerbin | grep -v grep"
|
audit: "ps -ef | grep $schedulerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -455,10 +455,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3
|
- id: 1.3
|
||||||
text: "Controller Manager"
|
description: "Controller Manager"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.3.1
|
- id: 1.3.1
|
||||||
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
|
description: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -469,7 +469,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.2
|
- id: 1.3.2
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -483,7 +483,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.3
|
- id: 1.3.3
|
||||||
text: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)"
|
description: "Ensure that the --insecure-experimental-approve-all-kubelet-csrs-for-group argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -495,7 +495,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.4
|
- id: 1.3.4
|
||||||
text: "Ensure that the --use-service-account-credentials argument is set"
|
description: "Ensure that the --use-service-account-credentials argument is set"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -509,7 +509,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.5
|
- id: 1.3.5
|
||||||
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -520,7 +520,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.6
|
- id: 1.3.6
|
||||||
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -531,10 +531,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4
|
- id: 1.4
|
||||||
text: "Configure Files"
|
description: "Configure Files"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.4.1
|
- id: 1.4.1
|
||||||
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
||||||
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
||||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -560,7 +560,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.2
|
- id: 1.4.2
|
||||||
text: "Ensure that the apiserver file ownership is set to root:root (Scored)"
|
description: "Ensure that the apiserver file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
|
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -574,7 +574,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.3
|
- id: 1.4.3
|
||||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
|
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -599,7 +599,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.4
|
- id: 1.4.4
|
||||||
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
description: "Ensure that the config file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
|
audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -613,7 +613,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.5
|
- id: 1.4.5
|
||||||
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -638,7 +638,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.6
|
- id: 1.4.6
|
||||||
text: "Ensure that the scheduler file ownership is set to root:root (Scored)"
|
description: "Ensure that the scheduler file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -652,7 +652,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.7
|
- id: 1.4.7
|
||||||
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -677,7 +677,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.8
|
- id: 1.4.8
|
||||||
text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
|
description: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
|
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -691,7 +691,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.9
|
- id: 1.4.9
|
||||||
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
|
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -716,7 +716,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.10
|
- id: 1.4.10
|
||||||
text: "Ensure that the flanneld file ownership is set to root:root (Scored)"
|
description: "Ensure that the flanneld file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'"
|
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -730,7 +730,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.11
|
- id: 1.4.11
|
||||||
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
description: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
||||||
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a
|
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -747,7 +747,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.12
|
- id: 1.4.12
|
||||||
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
|
description: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
|
||||||
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
|
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -761,10 +761,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5
|
- id: 1.5
|
||||||
text: "etcd"
|
description: "etcd"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.5.1
|
- id: 1.5.1
|
||||||
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -776,7 +776,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.2
|
- id: 1.5.2
|
||||||
text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
|
description: "Ensure that the --client-cert-auth argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -792,7 +792,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.3
|
- id: 1.5.3
|
||||||
text: "Ensure that the --auto-tls argument is not set to true (Scored)"
|
description: "Ensure that the --auto-tls argument is not set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -810,7 +810,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.4
|
- id: 1.5.4
|
||||||
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -825,7 +825,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.5
|
- id: 1.5.5
|
||||||
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
|
description: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -843,7 +843,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.6
|
- id: 1.5.6
|
||||||
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
|
description: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -864,7 +864,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.7
|
- id: 1.5.7
|
||||||
text: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
|
description: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -877,7 +877,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.8
|
- id: 1.5.8
|
||||||
text: "Ensure that the --max-wals argument is set to 0 (Scored)"
|
description: "Ensure that the --max-wals argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -893,7 +893,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.9
|
- id: 1.5.9
|
||||||
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
|
description: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -904,16 +904,16 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6
|
- id: 1.6
|
||||||
text: "General Security Primitives"
|
description: "General Security Primitives"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.6.1
|
- id: 1.6.1
|
||||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
description: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
|
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.2
|
- id: 1.6.2
|
||||||
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
description: "Create Pod Security Policies for your cluster (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||||
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
|
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
|
||||||
@ -921,27 +921,27 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.3
|
- id: 1.6.3
|
||||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
description: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
|
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
|
||||||
need them."
|
need them."
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.4
|
- id: 1.6.4
|
||||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
description: "Create network segmentation using Network Policies (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
|
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.5
|
- id: 1.6.5
|
||||||
text: "Avoid using Kubernetes Secrets (Not Scored)"
|
description: "Avoid using Kubernetes Secrets (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Use other mechanisms such as vaults to manage your cluster secrets."
|
remediation: "Use other mechanisms such as vaults to manage your cluster secrets."
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
|
|
||||||
- id: 1.6.6
|
- id: 1.6.6
|
||||||
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
description: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||||
would need to enable alpha features in the apiserver by passing \"--feature-
|
would need to enable alpha features in the apiserver by passing \"--feature-
|
||||||
@ -952,7 +952,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.7
|
- id: 1.6.7
|
||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
description: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||||
@ -960,7 +960,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.8
|
- id: 1.6.8
|
||||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
description: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and setup image provenance."
|
remediation: "Follow the Kubernetes documentation and setup image provenance."
|
||||||
scored: false
|
scored: false
|
||||||
|
@ -2,14 +2,14 @@
|
|||||||
controls:
|
controls:
|
||||||
version: 1.6
|
version: 1.6
|
||||||
id: 2
|
id: 2
|
||||||
text: "Worker Node Security Configuration"
|
description: "Worker Node Security Configuration"
|
||||||
type: "node"
|
type: "node"
|
||||||
groups:
|
groups:
|
||||||
- id: 2.1
|
- id: 2.1
|
||||||
text: "Kubelet"
|
description: "Kubelet"
|
||||||
checks:
|
checks:
|
||||||
- id: 2.1.1
|
- id: 2.1.1
|
||||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
description: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -23,7 +23,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.2
|
- id: 2.1.2
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -37,7 +37,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.3
|
- id: 2.1.3
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -51,7 +51,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.4
|
- id: 2.1.4
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -63,7 +63,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.5
|
- id: 2.1.5
|
||||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
description: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -77,7 +77,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.6
|
- id: 2.1.6
|
||||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
description: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -91,7 +91,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.7
|
- id: 2.1.7
|
||||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
description: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -105,7 +105,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.8
|
- id: 2.1.8
|
||||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
description: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -122,7 +122,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.9
|
- id: 2.1.9
|
||||||
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
|
description: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -136,7 +136,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.10
|
- id: 2.1.10
|
||||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
description: "Ensure that the --hostname-override argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -147,7 +147,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.11
|
- id: 2.1.11
|
||||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
description: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -161,7 +161,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.12
|
- id: 2.1.12
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -176,7 +176,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.13
|
- id: 2.1.13
|
||||||
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
description: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -190,10 +190,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2
|
- id: 2.2
|
||||||
text: "Configuration Files"
|
description: "Configuration Files"
|
||||||
checks:
|
checks:
|
||||||
- id: 2.2.1
|
- id: 2.2.1
|
||||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
|
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -218,7 +218,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.2
|
- id: 2.2.2
|
||||||
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
description: "Ensure that the config file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
|
audit: "/bin/sh -c 'if test -e $config; then stat -c %U:%G $config; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -232,7 +232,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.3
|
- id: 2.2.3
|
||||||
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -257,7 +257,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.4
|
- id: 2.2.4
|
||||||
text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
|
description: "Ensure that the kubelet file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -268,7 +268,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.5
|
- id: 2.2.5
|
||||||
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -293,7 +293,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.6
|
- id: 2.2.6
|
||||||
text: "Ensure that the proxy file ownership is set to root:root (Scored)"
|
description: "Ensure that the proxy file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
|
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
|
@ -2,14 +2,14 @@
|
|||||||
controls:
|
controls:
|
||||||
version: 1.7
|
version: 1.7
|
||||||
id: 3
|
id: 3
|
||||||
text: "Federated Deployments"
|
description: "Federated Deployments"
|
||||||
type: "federated"
|
type: "federated"
|
||||||
groups:
|
groups:
|
||||||
- id: 3.1
|
- id: 3.1
|
||||||
text: "Federation API Server"
|
description: "Federation API Server"
|
||||||
checks:
|
checks:
|
||||||
- id: 3.1.1
|
- id: 3.1.1
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -23,7 +23,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.2
|
- id: 3.1.2
|
||||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
description: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -35,7 +35,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.3
|
- id: 3.1.3
|
||||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -46,7 +46,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.4
|
- id: 3.1.4
|
||||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -57,7 +57,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.5
|
- id: 3.1.5
|
||||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -71,7 +71,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.6
|
- id: 3.1.6
|
||||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -88,7 +88,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.7
|
- id: 3.1.7
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -102,7 +102,7 @@ groups:
|
|||||||
score: true
|
score: true
|
||||||
|
|
||||||
- id: 3.1.8
|
- id: 3.1.8
|
||||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -117,7 +117,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.9
|
- id: 3.1.9
|
||||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -131,7 +131,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.10
|
- id: 3.1.10
|
||||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -142,7 +142,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.11
|
- id: 3.1.11
|
||||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -156,7 +156,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.12
|
- id: 3.1.12
|
||||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -170,7 +170,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.13
|
- id: 3.1.13
|
||||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -184,7 +184,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.14
|
- id: 3.1.14
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -198,7 +198,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.15
|
- id: 3.1.15
|
||||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
description: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -210,7 +210,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.16
|
- id: 3.1.16
|
||||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -224,7 +224,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.17
|
- id: 3.1.17
|
||||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -235,7 +235,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.18
|
- id: 3.1.18
|
||||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
@ -252,7 +252,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.19
|
- id: 3.1.19
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
@ -268,10 +268,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.2
|
- id: 3.2
|
||||||
text: "Federation Controller Manager"
|
description: "Federation Controller Manager"
|
||||||
checks:
|
checks:
|
||||||
- id: 3.2.1
|
- id: 3.2.1
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
|
@ -2,14 +2,14 @@
|
|||||||
controls:
|
controls:
|
||||||
version: 1.7
|
version: 1.7
|
||||||
id: 1
|
id: 1
|
||||||
text: "Master Node Security Configuration"
|
description: "Master Node Security Configuration"
|
||||||
type: "master"
|
type: "master"
|
||||||
groups:
|
groups:
|
||||||
- id: 1.1
|
- id: 1.1
|
||||||
text: "API Server"
|
description: "API Server"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.1.1
|
- id: 1.1.1
|
||||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
description: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -23,7 +23,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.2
|
- id: 1.1.2
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -37,7 +37,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.3
|
- id: 1.1.3
|
||||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
description: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -50,7 +50,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.4
|
- id: 1.1.4
|
||||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -61,7 +61,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.5
|
- id: 1.1.5
|
||||||
text: "Ensure that the --kubelet-https argument is set to true (Scored)"
|
description: "Ensure that the --kubelet-https argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -78,7 +78,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.6
|
- id: 1.1.6
|
||||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -89,7 +89,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.7
|
- id: 1.1.7
|
||||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -103,7 +103,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.8
|
- id: 1.1.8
|
||||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -121,7 +121,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.9
|
- id: 1.1.9
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -135,7 +135,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.10
|
- id: 1.1.10
|
||||||
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
|
description: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -149,7 +149,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.11
|
- id: 1.1.11
|
||||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -163,7 +163,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.12
|
- id: 1.1.12
|
||||||
text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
|
description: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -177,7 +177,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.13
|
- id: 1.1.13
|
||||||
text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
|
description: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -191,7 +191,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.14
|
- id: 1.1.14
|
||||||
text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
|
description: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -205,7 +205,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.15
|
- id: 1.1.15
|
||||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -219,7 +219,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.16
|
- id: 1.1.16
|
||||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -230,7 +230,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.17
|
- id: 1.1.17
|
||||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -244,7 +244,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.18
|
- id: 1.1.18
|
||||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -258,7 +258,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.19
|
- id: 1.1.19
|
||||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -272,7 +272,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.20
|
- id: 1.1.20
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -286,7 +286,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.21
|
- id: 1.1.21
|
||||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
description: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -298,7 +298,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.22
|
- id: 1.1.22
|
||||||
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
|
description: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -311,7 +311,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.23
|
- id: 1.1.23
|
||||||
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
|
description: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
@ -327,7 +327,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.24
|
- id: 1.1.24
|
||||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -341,7 +341,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.25
|
- id: 1.1.25
|
||||||
text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
|
description: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -356,7 +356,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.26
|
- id: 1.1.26
|
||||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -367,7 +367,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.27
|
- id: 1.1.27
|
||||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
@ -383,7 +383,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.28
|
- id: 1.1.28
|
||||||
text: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
|
description: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -398,7 +398,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.29
|
- id: 1.1.29
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: and
|
bin_op: and
|
||||||
@ -414,7 +414,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.30
|
- id: 1.1.30
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -426,7 +426,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.31
|
- id: 1.1.31
|
||||||
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
|
description: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -438,7 +438,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.32
|
- id: 1.1.32
|
||||||
text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
|
description: "Ensure that the --authorization-mode argument is set to Node (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -454,7 +454,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.33
|
- id: 1.1.33
|
||||||
text: "Ensure that the admission control policy is set to NodeRestriction (Scored)"
|
description: "Ensure that the admission control policy is set to NodeRestriction (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -469,7 +469,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.34
|
- id: 1.1.34
|
||||||
text: "1.1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)"
|
description: "1.1.34 Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -481,7 +481,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.35
|
- id: 1.1.35
|
||||||
text: "Ensure that the encryption provider is set to aescbc (Scored)"
|
description: "Ensure that the encryption provider is set to aescbc (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
|
||||||
@ -489,10 +489,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.2
|
- id: 1.2
|
||||||
text: "Scheduler"
|
description: "Scheduler"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.2.1
|
- id: 1.2.1
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $schedulerbin | grep -v grep"
|
audit: "ps -ef | grep $schedulerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -506,10 +506,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3
|
- id: 1.3
|
||||||
text: "Controller Manager"
|
description: "Controller Manager"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.3.1
|
- id: 1.3.1
|
||||||
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
|
description: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -520,7 +520,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.2
|
- id: 1.3.2
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -534,7 +534,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.3
|
- id: 1.3.3
|
||||||
text: "Ensure that the --use-service-account-credentials argument is set"
|
description: "Ensure that the --use-service-account-credentials argument is set"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -548,7 +548,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.4
|
- id: 1.3.4
|
||||||
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -559,7 +559,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.5
|
- id: 1.3.5
|
||||||
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -570,7 +570,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.6
|
- id: 1.3.6
|
||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
description: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
|
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
|
||||||
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
|
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
|
||||||
@ -578,7 +578,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.3.7
|
- id: 1.3.7
|
||||||
text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
description: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -593,10 +593,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4
|
- id: 1.4
|
||||||
text: "Configure Files"
|
description: "Configure Files"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.4.1
|
- id: 1.4.1
|
||||||
text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)"
|
||||||
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
||||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -622,7 +622,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.2
|
- id: 1.4.2
|
||||||
text: "Ensure that the apiserver file ownership is set to root:root (Scored)"
|
description: "Ensure that the apiserver file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
|
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -636,7 +636,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.3
|
- id: 1.4.3
|
||||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -661,7 +661,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.4
|
- id: 1.4.4
|
||||||
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
description: "Ensure that the config file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -675,7 +675,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.5
|
- id: 1.4.5
|
||||||
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -700,7 +700,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.6
|
- id: 1.4.6
|
||||||
text: "Ensure that the scheduler file ownership is set to root:root (Scored)"
|
description: "Ensure that the scheduler file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -714,7 +714,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.7
|
- id: 1.4.7
|
||||||
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -739,7 +739,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.8
|
- id: 1.4.8
|
||||||
text: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
|
description: "Ensure that the etcd.conf file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
|
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -753,7 +753,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.9
|
- id: 1.4.9
|
||||||
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
|
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -778,7 +778,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.10
|
- id: 1.4.10
|
||||||
text: "Ensure that the flanneld file ownership is set to root:root (Scored)"
|
description: "Ensure that the flanneld file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'"
|
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %U:%G $flanneldconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -792,7 +792,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.11
|
- id: 1.4.11
|
||||||
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
description: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
||||||
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a
|
audit: ps -ef | grep $etcdbin | grep -v grep | sed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %a
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -809,7 +809,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.12
|
- id: 1.4.12
|
||||||
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
|
description: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
|
||||||
audit: ps -ef | grep $etcdbin | grep -v grep | ed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
|
audit: ps -ef | grep $etcdbin | grep -v grep | ed 's%.*data-dir[= ]\(\S*\)%\1%' | xargs stat -c %U:%G
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -823,10 +823,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5
|
- id: 1.5
|
||||||
text: "etcd"
|
description: "etcd"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.5.1
|
- id: 1.5.1
|
||||||
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -838,7 +838,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.2
|
- id: 1.5.2
|
||||||
text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
|
description: "Ensure that the --client-cert-auth argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -854,7 +854,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.3
|
- id: 1.5.3
|
||||||
text: "Ensure that the --auto-tls argument is not set to true (Scored)"
|
description: "Ensure that the --auto-tls argument is not set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -872,7 +872,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.4
|
- id: 1.5.4
|
||||||
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -887,7 +887,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.5
|
- id: 1.5.5
|
||||||
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
|
description: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -905,7 +905,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.6
|
- id: 1.5.6
|
||||||
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
|
description: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -926,7 +926,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.7
|
- id: 1.5.7
|
||||||
text: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
|
description: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -939,7 +939,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.8
|
- id: 1.5.8
|
||||||
text: "Ensure that the --max-wals argument is set to 0 (Scored)"
|
description: "Ensure that the --max-wals argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -955,7 +955,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.9
|
- id: 1.5.9
|
||||||
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
|
description: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -966,16 +966,16 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6
|
- id: 1.6
|
||||||
text: "General Security Primitives"
|
description: "General Security Primitives"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.6.1
|
- id: 1.6.1
|
||||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
description: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
|
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.2
|
- id: 1.6.2
|
||||||
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
description: "Create Pod Security Policies for your cluster (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||||
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
|
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
|
||||||
@ -983,20 +983,20 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.3
|
- id: 1.6.3
|
||||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
description: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
|
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
|
||||||
need them."
|
need them."
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.4
|
- id: 1.6.4
|
||||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
description: "Create network segmentation using Network Policies (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
|
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.5
|
- id: 1.6.5
|
||||||
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
description: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
|
||||||
would need to enable alpha features in the apiserver by passing \"--feature-
|
would need to enable alpha features in the apiserver by passing \"--feature-
|
||||||
@ -1007,7 +1007,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.6
|
- id: 1.6.6
|
||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
description: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||||
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
|
||||||
@ -1015,13 +1015,13 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.7
|
- id: 1.6.7
|
||||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
description: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and setup image provenance."
|
remediation: "Follow the Kubernetes documentation and setup image provenance."
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.8
|
- id: 1.6.8
|
||||||
text: "Configure Network policies as appropriate (Not Scored)"
|
description: "Configure Network policies as appropriate (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
|
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
|
||||||
scored: false
|
scored: false
|
||||||
|
@ -2,14 +2,14 @@
|
|||||||
controls:
|
controls:
|
||||||
version: 1.7
|
version: 1.7
|
||||||
id: 2
|
id: 2
|
||||||
text: "Worker Node Security Configuration"
|
description: "Worker Node Security Configuration"
|
||||||
type: "node"
|
type: "node"
|
||||||
groups:
|
groups:
|
||||||
- id: 2.1
|
- id: 2.1
|
||||||
text: "Kubelet"
|
description: "Kubelet"
|
||||||
checks:
|
checks:
|
||||||
- id: 2.1.1
|
- id: 2.1.1
|
||||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
description: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -23,7 +23,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.2
|
- id: 2.1.2
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -37,7 +37,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.3
|
- id: 2.1.3
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -51,7 +51,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.4
|
- id: 2.1.4
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -63,7 +63,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.5
|
- id: 2.1.5
|
||||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
description: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -77,7 +77,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.6
|
- id: 2.1.6
|
||||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
description: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -92,7 +92,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.7
|
- id: 2.1.7
|
||||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
description: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -106,7 +106,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.8
|
- id: 2.1.8
|
||||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
description: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -123,7 +123,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.9
|
- id: 2.1.9
|
||||||
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
|
description: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -137,7 +137,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.10
|
- id: 2.1.10
|
||||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
description: "Ensure that the --hostname-override argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -148,7 +148,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.11
|
- id: 2.1.11
|
||||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
description: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -162,7 +162,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.12
|
- id: 2.1.12
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -177,7 +177,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.13
|
- id: 2.1.13
|
||||||
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
description: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -191,7 +191,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.14
|
- id: 2.1.14
|
||||||
text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
|
description: "Ensure that the RotateKubeletClientCertificate argument is set to true"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -205,7 +205,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.15
|
- id: 2.1.15
|
||||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
|
description: "Ensure that the RotateKubeletServerCertificate argument is set to true"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -219,10 +219,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2
|
- id: 2.2
|
||||||
text: "Configuration Files"
|
description: "Configuration Files"
|
||||||
checks:
|
checks:
|
||||||
- id: 2.2.1
|
- id: 2.2.1
|
||||||
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %a $kubernetesconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -247,7 +247,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.2
|
- id: 2.2.2
|
||||||
text: "Ensure that the config file ownership is set to root:root (Scored)"
|
description: "Ensure that the config file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubernetesconf; then stat -c %U:%G $kubernetesconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -261,7 +261,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.3
|
- id: 2.2.3
|
||||||
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -286,7 +286,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.4
|
- id: 2.2.4
|
||||||
text: "Ensure that the kubelet file ownership is set to root:root (Scored)"
|
description: "Ensure that the kubelet file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -297,7 +297,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.5
|
- id: 2.2.5
|
||||||
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
|
description: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -322,7 +322,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.6
|
- id: 2.2.6
|
||||||
text: "Ensure that the proxy file ownership is set to root:root (Scored)"
|
description: "Ensure that the proxy file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
|
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -333,7 +333,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
text: "Ensure that the certificate authorities file permissions are set to
|
description: "Ensure that the certificate authorities file permissions are set to
|
||||||
644 or more restrictive (Scored)"
|
644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
|
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -359,7 +359,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.8
|
- id: 2.2.8
|
||||||
text: "Ensure that the client certificate authorities file ownership is set to root:root"
|
description: "Ensure that the client certificate authorities file ownership is set to root:root"
|
||||||
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
|
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
|
@ -2,14 +2,14 @@
|
|||||||
controls:
|
controls:
|
||||||
version: 1.8
|
version: 1.8
|
||||||
id: 3
|
id: 3
|
||||||
text: "Federated Deployments"
|
description: "Federated Deployments"
|
||||||
type: "federated"
|
type: "federated"
|
||||||
groups:
|
groups:
|
||||||
- id: 3.1
|
- id: 3.1
|
||||||
text: "Federation API Server"
|
description: "Federation API Server"
|
||||||
checks:
|
checks:
|
||||||
- id: 3.1.1
|
- id: 3.1.1
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -24,7 +24,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.2
|
- id: 3.1.2
|
||||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
description: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -37,7 +37,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.3
|
- id: 3.1.3
|
||||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -49,7 +49,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.4
|
- id: 3.1.4
|
||||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -61,7 +61,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.5
|
- id: 3.1.5
|
||||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -76,7 +76,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.6
|
- id: 3.1.6
|
||||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -94,7 +94,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.7
|
- id: 3.1.7
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -109,7 +109,7 @@ groups:
|
|||||||
score: true
|
score: true
|
||||||
|
|
||||||
- id: 3.1.8
|
- id: 3.1.8
|
||||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -125,7 +125,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.9
|
- id: 3.1.9
|
||||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -141,7 +141,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.10
|
- id: 3.1.10
|
||||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -152,7 +152,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.11
|
- id: 3.1.11
|
||||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -167,7 +167,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.12
|
- id: 3.1.12
|
||||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -182,7 +182,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.13
|
- id: 3.1.13
|
||||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -197,7 +197,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.14
|
- id: 3.1.14
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -213,7 +213,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.15
|
- id: 3.1.15
|
||||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
description: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -226,7 +226,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.16
|
- id: 3.1.16
|
||||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -241,7 +241,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.17
|
- id: 3.1.17
|
||||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -253,7 +253,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.18
|
- id: 3.1.18
|
||||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
|
description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
|
||||||
appropriate (Scored)"
|
appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
@ -272,7 +272,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.1.19
|
- id: 3.1.19
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as
|
description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as
|
||||||
appropriate (Scored)"
|
appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
audit: "ps -ef | grep $fedapiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
@ -291,10 +291,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 3.2
|
- id: 3.2
|
||||||
text: "Federation Controller Manager"
|
description: "Federation Controller Manager"
|
||||||
checks:
|
checks:
|
||||||
- id: 3.2.1
|
- id: 3.2.1
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $fedcontrollermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
|
@ -2,14 +2,14 @@
|
|||||||
controls:
|
controls:
|
||||||
version: 1.8
|
version: 1.8
|
||||||
id: 1
|
id: 1
|
||||||
text: "Master Node Security Configuration"
|
description: "Master Node Security Configuration"
|
||||||
type: "master"
|
type: "master"
|
||||||
groups:
|
groups:
|
||||||
- id: 1.1
|
- id: 1.1
|
||||||
text: "API Server"
|
description: "API Server"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.1.1
|
- id: 1.1.1
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -26,7 +26,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.2
|
- id: 1.1.2
|
||||||
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
description: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -40,7 +40,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.3
|
- id: 1.1.3
|
||||||
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
description: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -53,7 +53,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.4
|
- id: 1.1.4
|
||||||
text: "Ensure that the --kubelet-https argument is set to true (Scored)"
|
description: "Ensure that the --kubelet-https argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -71,7 +71,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.5
|
- id: 1.1.5
|
||||||
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
description: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -84,7 +84,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.6
|
- id: 1.1.6
|
||||||
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
description: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -100,7 +100,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.7
|
- id: 1.1.7
|
||||||
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
description: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -119,7 +119,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.8
|
- id: 1.1.8
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -135,7 +135,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.9
|
- id: 1.1.9
|
||||||
text: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
|
description: "Ensure that the --repair-malformed-updates argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -151,7 +151,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.10
|
- id: 1.1.10
|
||||||
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
description: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -167,7 +167,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.11
|
- id: 1.1.11
|
||||||
text: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
|
description: "Ensure that the admission control policy is set to AlwaysPullImages (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -184,7 +184,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.12
|
- id: 1.1.12
|
||||||
text: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
|
description: "Ensure that the admission control policy is set to DenyEscalatingExec (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -201,7 +201,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.13
|
- id: 1.1.13
|
||||||
text: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
|
description: "Ensure that the admission control policy is set to SecurityContextDeny (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -218,7 +218,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.14
|
- id: 1.1.14
|
||||||
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
description: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -235,7 +235,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.15
|
- id: 1.1.15
|
||||||
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
description: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -249,7 +249,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.16
|
- id: 1.1.16
|
||||||
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -266,7 +266,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.17
|
- id: 1.1.17
|
||||||
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -283,7 +283,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.18
|
- id: 1.1.18
|
||||||
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
description: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -300,7 +300,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.19
|
- id: 1.1.19
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -317,7 +317,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.20
|
- id: 1.1.20
|
||||||
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
description: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -331,7 +331,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.21
|
- id: 1.1.21
|
||||||
text: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
|
description: "Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -347,7 +347,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.22
|
- id: 1.1.22
|
||||||
text: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are
|
description: "Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are
|
||||||
set as appropriate (Scored)"
|
set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
@ -367,7 +367,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.23
|
- id: 1.1.23
|
||||||
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
description: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -383,7 +383,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.24
|
- id: 1.1.24
|
||||||
text: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
|
description: "Ensure that the admission control policy is set to PodSecurityPolicy (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -403,7 +403,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.25
|
- id: 1.1.25
|
||||||
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -417,7 +417,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.26
|
- id: 1.1.26
|
||||||
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
|
description: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
|
||||||
appropriate (Scored)"
|
appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
@ -437,7 +437,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.27
|
- id: 1.1.27
|
||||||
text: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
|
description: "Ensure that the admission control policy is set to ServiceAccount (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -455,7 +455,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.28
|
- id: 1.1.28
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
|
description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set
|
||||||
as appropriate (Scored)"
|
as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
@ -475,7 +475,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.29
|
- id: 1.1.29
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -489,7 +489,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.30
|
- id: 1.1.30
|
||||||
text: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
|
description: "Ensure that the --etcd-cafile argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -504,7 +504,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.31
|
- id: 1.1.31
|
||||||
text: "Ensure that the --authorization-mode argument is set to Node (Scored)"
|
description: "Ensure that the --authorization-mode argument is set to Node (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -521,7 +521,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.32
|
- id: 1.1.32
|
||||||
text: "Ensure that the admission control policy is set to NodeRestriction (Scored)"
|
description: "Ensure that the admission control policy is set to NodeRestriction (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -539,7 +539,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.33
|
- id: 1.1.33
|
||||||
text: "Ensure that the --experimental-encryption-provider-config argument is
|
description: "Ensure that the --experimental-encryption-provider-config argument is
|
||||||
set as appropriate (Scored)"
|
set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
@ -555,7 +555,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.34
|
- id: 1.1.34
|
||||||
text: "Ensure that the encryption provider is set to aescbc (Scored)"
|
description: "Ensure that the encryption provider is set to aescbc (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -575,7 +575,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.35
|
- id: 1.1.35
|
||||||
text: "Ensure that the admission control policy is set to EventRateLimit (Scored)"
|
description: "Ensure that the admission control policy is set to EventRateLimit (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -593,7 +593,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.36
|
- id: 1.1.36
|
||||||
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
|
description: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -604,7 +604,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.1.37
|
- id: 1.1.37
|
||||||
text: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
|
description: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
audit: "ps -ef | grep $apiserverbin | grep -v grep"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -614,10 +614,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.2
|
- id: 1.2
|
||||||
text: "Scheduler"
|
description: "Scheduler"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.2.1
|
- id: 1.2.1
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $schedulerbin | grep -v grep"
|
audit: "ps -ef | grep $schedulerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -634,10 +634,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3
|
- id: 1.3
|
||||||
text: "Controller Manager"
|
description: "Controller Manager"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.3.1
|
- id: 1.3.1
|
||||||
text: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
|
description: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -650,7 +650,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.2
|
- id: 1.3.2
|
||||||
text: "Ensure that the --profiling argument is set to false (Scored)"
|
description: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -666,7 +666,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.3
|
- id: 1.3.3
|
||||||
text: "Ensure that the --use-service-account-credentials argument is set (Scored)"
|
description: "Ensure that the --use-service-account-credentials argument is set (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -682,7 +682,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.4
|
- id: 1.3.4
|
||||||
text: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --service-account-private-key-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -696,7 +696,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.5
|
- id: 1.3.5
|
||||||
text: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --root-ca-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -710,7 +710,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.3.6
|
- id: 1.3.6
|
||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
description: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||||
@ -719,7 +719,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.3.7
|
- id: 1.3.7
|
||||||
text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
description: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -736,10 +736,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4
|
- id: 1.4
|
||||||
text: "Configuration Files"
|
description: "Configuration Files"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.4.1
|
- id: 1.4.1
|
||||||
text: "Ensure that the API server pod specification file permissions are
|
description: "Ensure that the API server pod specification file permissions are
|
||||||
set to 644 or more restrictive (Scored)"
|
set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -767,7 +767,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.2
|
- id: 1.4.2
|
||||||
text: "Ensure that the API server pod specification file ownership is set to
|
description: "Ensure that the API server pod specification file ownership is set to
|
||||||
root:root (Scored)"
|
root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
|
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %U:%G $apiserverconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -784,7 +784,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.3
|
- id: 1.4.3
|
||||||
text: "Ensure that the controller manager pod specification file
|
description: "Ensure that the controller manager pod specification file
|
||||||
permissions are set to 644 or more restrictive (Scored)"
|
permissions are set to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -812,7 +812,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.4
|
- id: 1.4.4
|
||||||
text: "Ensure that the controller manager pod specification file
|
description: "Ensure that the controller manager pod specification file
|
||||||
ownership is set to root:root (Scored)"
|
ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -829,7 +829,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.5
|
- id: 1.4.5
|
||||||
text: "Ensure that the scheduler pod specification file permissions are set
|
description: "Ensure that the scheduler pod specification file permissions are set
|
||||||
to 644 or more restrictive (Scored)"
|
to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -857,7 +857,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.6
|
- id: 1.4.6
|
||||||
text: "Ensure that the scheduler pod specification file ownership is set to
|
description: "Ensure that the scheduler pod specification file ownership is set to
|
||||||
root:root (Scored)"
|
root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -874,7 +874,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.7
|
- id: 1.4.7
|
||||||
text: "Ensure that the etcd pod specification file permissions are set to
|
description: "Ensure that the etcd pod specification file permissions are set to
|
||||||
644 or more restrictive (Scored)"
|
644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -902,7 +902,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.8
|
- id: 1.4.8
|
||||||
text: "Ensure that the etcd pod specification file ownership is set to
|
description: "Ensure that the etcd pod specification file ownership is set to
|
||||||
root:root (Scored)"
|
root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
|
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %U:%G $etcdconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -919,7 +919,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.9
|
- id: 1.4.9
|
||||||
text: "Ensure that the Container Network Interface file permissions are
|
description: "Ensure that the Container Network Interface file permissions are
|
||||||
set to 644 or more restrictive (Not Scored)"
|
set to 644 or more restrictive (Not Scored)"
|
||||||
audit: "stat -c %a <path/to/cni/files>"
|
audit: "stat -c %a <path/to/cni/files>"
|
||||||
type: manual
|
type: manual
|
||||||
@ -930,7 +930,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.10
|
- id: 1.4.10
|
||||||
text: "Ensure that the Container Network Interface file ownership is set
|
description: "Ensure that the Container Network Interface file ownership is set
|
||||||
to root:root (Not Scored)"
|
to root:root (Not Scored)"
|
||||||
audit: "stat -c %U:%G <path/to/cni/files>"
|
audit: "stat -c %U:%G <path/to/cni/files>"
|
||||||
type: manual
|
type: manual
|
||||||
@ -941,7 +941,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.11
|
- id: 1.4.11
|
||||||
text: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
description: "Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored)"
|
||||||
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
|
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %a
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -959,7 +959,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.12
|
- id: 1.4.12
|
||||||
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
|
description: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
|
||||||
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
|
audit: ps -ef | grep $etcdbin | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%' | xargs stat -c %U:%G
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -974,7 +974,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.13
|
- id: 1.4.13
|
||||||
text: "Ensure that the admin.conf file permissions are set to 644 or
|
description: "Ensure that the admin.conf file permissions are set to 644 or
|
||||||
more restrictive (Scored)"
|
more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
|
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %a /etc/kubernetes/admin.conf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -1002,7 +1002,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.14
|
- id: 1.4.14
|
||||||
text: "Ensure that the admin.conf file ownership is set to root:root (Scored)"
|
description: "Ensure that the admin.conf file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'"
|
audit: "/bin/sh -c 'if test -e /etc/kubernetes/admin.conf; then stat -c %U:%G /etc/kubernetes/admin.conf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -1018,7 +1018,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.15
|
- id: 1.4.15
|
||||||
text: "Ensure that the scheduler.conf file permissions are set to 644 or
|
description: "Ensure that the scheduler.conf file permissions are set to 644 or
|
||||||
more restrictive (Scored)"
|
more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -1046,7 +1046,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.16
|
- id: 1.4.16
|
||||||
text: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)"
|
description: "Ensure that the scheduler.conf file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %U:%G $schedulerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -1062,7 +1062,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.17
|
- id: 1.4.17
|
||||||
text: "Ensure that the controller-manager.conf file permissions are set
|
description: "Ensure that the controller-manager.conf file permissions are set
|
||||||
to 644 or more restrictive (Scored)"
|
to 644 or more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %a $controllermanagerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -1090,7 +1090,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.4.18
|
- id: 1.4.18
|
||||||
text: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
|
description: "Ensure that the controller-manager.conf file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
|
audit: "/bin/sh -c 'if test -e $controllermanagerconf; then stat -c %U:%G $controllermanagerconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -1106,10 +1106,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5
|
- id: 1.5
|
||||||
text: "etcd"
|
description: "etcd"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.5.1
|
- id: 1.5.1
|
||||||
text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -1126,7 +1126,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.2
|
- id: 1.5.2
|
||||||
text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
|
description: "Ensure that the --client-cert-auth argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -1142,7 +1142,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.3
|
- id: 1.5.3
|
||||||
text: "Ensure that the --auto-tls argument is not set to true (Scored)"
|
description: "Ensure that the --auto-tls argument is not set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -1160,7 +1160,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.4
|
- id: 1.5.4
|
||||||
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set
|
description: "Ensure that the --peer-cert-file and --peer-key-file arguments are set
|
||||||
as appropriate (Scored)"
|
as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
@ -1178,7 +1178,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.5
|
- id: 1.5.5
|
||||||
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
|
description: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -1194,7 +1194,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.6
|
- id: 1.5.6
|
||||||
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
|
description: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -1213,7 +1213,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.7
|
- id: 1.5.7
|
||||||
text: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
|
description: "Ensure that the --wal-dir argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -1226,7 +1226,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.8
|
- id: 1.5.8
|
||||||
text: "Ensure that the --max-wals argument is set to 0 (Scored)"
|
description: "Ensure that the --max-wals argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -1242,7 +1242,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 1.5.9
|
- id: 1.5.9
|
||||||
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
|
description: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
|
||||||
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
audit: "ps -ef | grep $etcdbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -1257,10 +1257,10 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6
|
- id: 1.6
|
||||||
text: "General Security Primitives"
|
description: "General Security Primitives"
|
||||||
checks:
|
checks:
|
||||||
- id: 1.6.1
|
- id: 1.6.1
|
||||||
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
description: "Ensure that the cluster-admin role is only used where required (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
Remove any unneeded clusterrolebindings :
|
Remove any unneeded clusterrolebindings :
|
||||||
@ -1268,7 +1268,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.2
|
- id: 1.6.2
|
||||||
text: "Create Pod Security Policies for your cluster (Not Scored)"
|
description: "Create Pod Security Policies for your cluster (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
Follow the documentation and create and enforce Pod Security Policies for your cluster.
|
||||||
@ -1277,7 +1277,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.3
|
- id: 1.6.3
|
||||||
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
description: "Create administrative boundaries between resources using namespaces (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the documentation and create namespaces for objects in your deployment as you
|
Follow the documentation and create namespaces for objects in your deployment as you
|
||||||
@ -1285,14 +1285,14 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.4
|
- id: 1.6.4
|
||||||
text: "Create network segmentation using Network Policies (Not Scored)"
|
description: "Create network segmentation using Network Policies (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the documentation and create NetworkPolicy objects as you need them.
|
Follow the documentation and create NetworkPolicy objects as you need them.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.5
|
- id: 1.6.5
|
||||||
text: "Ensure that the seccomp profile is set to docker/default in your pod
|
description: "Ensure that the seccomp profile is set to docker/default in your pod
|
||||||
definitions (Not Scored)"
|
definitions (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -1319,7 +1319,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.6
|
- id: 1.6.6
|
||||||
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
description: "Apply Security Context to Your Pods and Containers (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
Follow the Kubernetes documentation and apply security contexts to your pods. For a
|
||||||
@ -1328,14 +1328,14 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.7
|
- id: 1.6.7
|
||||||
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
description: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the Kubernetes documentation and setup image provenance.
|
Follow the Kubernetes documentation and setup image provenance.
|
||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.8
|
- id: 1.6.8
|
||||||
text: "Configure Network policies as appropriate (Not Scored)"
|
description: "Configure Network policies as appropriate (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
Follow the Kubernetes documentation and setup network policies as appropriate.
|
Follow the Kubernetes documentation and setup network policies as appropriate.
|
||||||
@ -1350,7 +1350,7 @@ groups:
|
|||||||
scored: false
|
scored: false
|
||||||
|
|
||||||
- id: 1.6.9
|
- id: 1.6.9
|
||||||
text: "Place compensating controls in the form of PSP and RBAC for
|
description: "Place compensating controls in the form of PSP and RBAC for
|
||||||
privileged containers usage (Not Scored)"
|
privileged containers usage (Not Scored)"
|
||||||
type: "manual"
|
type: "manual"
|
||||||
remediation: |
|
remediation: |
|
||||||
|
@ -2,14 +2,14 @@
|
|||||||
controls:
|
controls:
|
||||||
version: 1.8
|
version: 1.8
|
||||||
id: 2
|
id: 2
|
||||||
text: "Worker Node Security Configuration"
|
description: "Worker Node Security Configuration"
|
||||||
type: "node"
|
type: "node"
|
||||||
groups:
|
groups:
|
||||||
- id: 2.1
|
- id: 2.1
|
||||||
text: "Kubelet"
|
description: "Kubelet"
|
||||||
checks:
|
checks:
|
||||||
- id: 2.1.1
|
- id: 2.1.1
|
||||||
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
description: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -28,7 +28,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.2
|
- id: 2.1.2
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
description: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -47,7 +47,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.3
|
- id: 2.1.3
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
description: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -66,7 +66,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.4
|
- id: 2.1.4
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
description: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -82,7 +82,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.5
|
- id: 2.1.5
|
||||||
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
description: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -101,7 +101,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.6
|
- id: 2.1.6
|
||||||
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
description: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -120,7 +120,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.7
|
- id: 2.1.7
|
||||||
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
description: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -139,7 +139,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.8
|
- id: 2.1.8
|
||||||
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
description: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
bin_op: or
|
bin_op: or
|
||||||
@ -159,7 +159,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.9
|
- id: 2.1.9
|
||||||
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
|
description: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -178,7 +178,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.10
|
- id: 2.1.10
|
||||||
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
description: "Ensure that the --hostname-override argument is not set (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -194,7 +194,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.11
|
- id: 2.1.11
|
||||||
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
description: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -213,7 +213,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.12
|
- id: 2.1.12
|
||||||
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
description: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -235,7 +235,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.13
|
- id: 2.1.13
|
||||||
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
description: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -254,7 +254,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.14
|
- id: 2.1.14
|
||||||
text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
|
description: "Ensure that the RotateKubeletClientCertificate argument is set to true"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -274,7 +274,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.1.15
|
- id: 2.1.15
|
||||||
text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
|
description: "Ensure that the RotateKubeletServerCertificate argument is set to true"
|
||||||
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -293,10 +293,10 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2
|
- id: 2.2
|
||||||
text: "Configuration Files"
|
description: "Configuration Files"
|
||||||
checks:
|
checks:
|
||||||
- id: 2.2.1
|
- id: 2.2.1
|
||||||
text: "Ensure that the kubelet.conf file permissions are set to 644 or
|
description: "Ensure that the kubelet.conf file permissions are set to 644 or
|
||||||
more restrictive (Scored)"
|
more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -324,7 +324,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.2
|
- id: 2.2.2
|
||||||
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
description: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -340,7 +340,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.3
|
- id: 2.2.3
|
||||||
text: "Ensure that the kubelet service file permissions are set to 644 or
|
description: "Ensure that the kubelet service file permissions are set to 644 or
|
||||||
more restrictive (Scored)"
|
more restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -368,7 +368,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.4
|
- id: 2.2.4
|
||||||
text: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)"
|
description: "2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %U:%G $kubeletconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -381,7 +381,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.5
|
- id: 2.2.5
|
||||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
|
description: "Ensure that the proxy kubeconfig file permissions are set to 644 or more
|
||||||
restrictive (Scored)"
|
restrictive (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
@ -409,7 +409,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.6
|
- id: 2.2.6
|
||||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
description: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
||||||
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
|
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %U:%G $proxyconf; fi'"
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -422,7 +422,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.7
|
- id: 2.2.7
|
||||||
text: "Ensure that the certificate authorities file permissions are set to
|
description: "Ensure that the certificate authorities file permissions are set to
|
||||||
644 or more restrictive (Scored)"
|
644 or more restrictive (Scored)"
|
||||||
type: manual
|
type: manual
|
||||||
remediation: |
|
remediation: |
|
||||||
@ -431,7 +431,7 @@ groups:
|
|||||||
scored: true
|
scored: true
|
||||||
|
|
||||||
- id: 2.2.8
|
- id: 2.2.8
|
||||||
text: "Ensure that the client certificate authorities file ownership is set to root:root"
|
description: "Ensure that the client certificate authorities file ownership is set to root:root"
|
||||||
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
|
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'"
|
||||||
type: manual
|
type: manual
|
||||||
remediation: |
|
remediation: |
|
||||||
|
Loading…
Reference in New Issue
Block a user