mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-23 15:18:07 +00:00
fix: k3s-cis-*- CHECK 4.2.1-4.2.3 (#1739)
* fix the node kubelet related tests * update the tests
This commit is contained in:
parent
3ee8299bc4
commit
64bc05354b
@ -186,7 +186,7 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 4.2.1
|
- id: 4.2.1
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--anonymous-auth"
|
- flag: "--anonymous-auth"
|
||||||
@ -209,7 +209,7 @@ groups:
|
|||||||
|
|
||||||
- id: 4.2.2
|
- id: 4.2.2
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "authorization-mode" | grep -v grep; else echo "--authorization-mode=Webhook"; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: --authorization-mode
|
- flag: --authorization-mode
|
||||||
@ -231,7 +231,7 @@ groups:
|
|||||||
|
|
||||||
- id: 4.2.3
|
- id: 4.2.3
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "client-ca-file" | grep -v grep; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: --client-ca-file
|
- flag: --client-ca-file
|
||||||
|
@ -156,7 +156,7 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 4.2.1
|
- id: 4.2.1
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--anonymous-auth"
|
- flag: "--anonymous-auth"
|
||||||
@ -179,7 +179,7 @@ groups:
|
|||||||
|
|
||||||
- id: 4.2.2
|
- id: 4.2.2
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: --authorization-mode
|
- flag: --authorization-mode
|
||||||
@ -202,7 +202,7 @@ groups:
|
|||||||
|
|
||||||
- id: 4.2.3
|
- id: 4.2.3
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: --client-ca-file
|
- flag: --client-ca-file
|
||||||
|
@ -152,7 +152,7 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 4.2.1
|
- id: 4.2.1
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--anonymous-auth"
|
- flag: "--anonymous-auth"
|
||||||
@ -174,7 +174,7 @@ groups:
|
|||||||
|
|
||||||
- id: 4.2.2
|
- id: 4.2.2
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi'' '
|
||||||
audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
|
audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -197,7 +197,7 @@ groups:
|
|||||||
|
|
||||||
- id: 4.2.3
|
- id: 4.2.3
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: --client-ca-file
|
- flag: --client-ca-file
|
||||||
|
@ -152,7 +152,7 @@ groups:
|
|||||||
checks:
|
checks:
|
||||||
- id: 4.2.1
|
- id: 4.2.1
|
||||||
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "anonymous-auth" | grep -v grep; else echo "--anonymous-auth=false"; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: "--anonymous-auth"
|
- flag: "--anonymous-auth"
|
||||||
@ -174,7 +174,7 @@ groups:
|
|||||||
|
|
||||||
- id: 4.2.2
|
- id: 4.2.2
|
||||||
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "authorization-mode"; else echo "--authorization-mode=Webhook"; fi'' '
|
||||||
audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
|
audit_config: "/bin/sh -c 'if test -e $kubeletconf; then /bin/cat $kubeletconf; fi' "
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
@ -197,7 +197,7 @@ groups:
|
|||||||
|
|
||||||
- id: 4.2.3
|
- id: 4.2.3
|
||||||
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
|
||||||
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s | grep "Running kube-apiserver" | wc -l) -gt 0; then journalctl -m -u k3s | grep "Running kube-apiserver" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' '
|
audit: '/bin/sh -c ''if test $(journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | wc -l) -gt 0; then journalctl -m -u k3s -u k3s-agent | grep "Running kubelet" | tail -n1 | grep "client-ca-file"; else echo "--client-ca-file=/var/lib/rancher/k3s/server/tls/request-header-ca.crt"; fi'' '
|
||||||
tests:
|
tests:
|
||||||
test_items:
|
test_items:
|
||||||
- flag: --client-ca-file
|
- flag: --client-ca-file
|
||||||
|
Loading…
Reference in New Issue
Block a user