mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-21 23:58:06 +00:00

4.1.7 of cis-1.5 should not be marked as manual (#640)

* 4.1.7 of cis-1.5 should not be marked as manual

* Making the test POSIX compliant like #643
Huang Huang 2020-07-21 22:32:13 +08:00 committed by GitHub
parent 50a9dca720
commit 66692951c8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 17 additions and 9 deletions

View File

@ -99,7 +99,17 @@ groups:
- id: 4.1.7 - id: 4.1.7
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
types: "manual" audit: |
CAFILE=$(ps -ef | grep kubelet | grep -v apiserver | grep -- --client-ca-file= | awk -F '--client-ca-file=' '{print $2}' | awk '{print $1}')
if test -z $CAFILE; then CAFILE=$kubeletcafile; fi
if test -e $CAFILE; then stat -c permissions=%a $CAFILE; fi
tests:
test_items:
- flag: "permissions"
set: true
compare:
op: bitmask
value: "644"
remediation: | remediation: |
Run the following command to modify the file permissions of the Run the following command to modify the file permissions of the
--client-ca-file chmod 644 <filename> --client-ca-file chmod 644 <filename>
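Review bot: the new audit script leaves `$CAFILE` unquoted in `test -z $CAFILE`, `test -e $CAFILE` and `stat -c permissions=%a $CAFILE`, so a path containing whitespace word-splits and the check falls through without a useful message; suggest `if test -z "$CAFILE"; then CAFILE=$kubeletcafile; fi` and `stat -c permissions=%a "$CAFILE"`, which stays POSIX-compliant as the commit message intends. Related: when neither the `--client-ca-file` flag nor the `$kubeletcafile` fallback points at an existing file, the audit prints nothing and the `set: true` test item is likely reported as FAIL rather than as "CA file not found"; an `else echo` branch naming the missing path would make that result actionable for the operator.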

View File

@ -6,7 +6,7 @@
[FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) [FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored) [PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored) [PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored) [PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored) [PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) [PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored) [PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
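Review bot: the expected output now asserts PASS for 4.1.7, which only holds if the integration fixture exposes a CA file at the path the audit derives (from the running kubelet's `--client-ca-file` or the config fallback) with mode 644 or stricter; if the fixture has no such file the check would come out FAIL, not PASS, so confirm the harness provides it rather than relying on the host.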
@ -33,7 +33,6 @@ chmod 644 /etc/kubernetes/proxy.conf
4.1.4 Run the below command (based on the file location on your system) on the each worker node. 4.1.4 Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root /etc/kubernetes/proxy.conf For example, chown root:root /etc/kubernetes/proxy.conf
4.1.7 audit test did not run: There are no tests
4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0. 4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
@ -81,7 +80,7 @@ systemctl restart kubelet.service
== Summary == == Summary ==
15 checks PASS 16 checks PASS
6 checks FAIL 6 checks FAIL
2 checks WARN 1 checks WARN
0 checks INFO 0 checks INFO
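Review bot: the summary arithmetic matches the single status change in this file (15 to 16 PASS, 2 to 1 WARN, FAIL and INFO unchanged), consistent with 4.1.7 moving from WARN to PASS above.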

View File

@ -231,7 +231,7 @@ minimum.
[FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) [FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored) [PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored) [PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
[WARN] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored) [PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
[PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored) [PASS] 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
[PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) [PASS] 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
[PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored) [PASS] 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
@ -258,7 +258,6 @@ chmod 644 /etc/kubernetes/proxy.conf
4.1.4 Run the below command (based on the file location on your system) on the each worker node. 4.1.4 Run the below command (based on the file location on your system) on the each worker node.
For example, chown root:root /etc/kubernetes/proxy.conf For example, chown root:root /etc/kubernetes/proxy.conf
4.1.7 audit test did not run: There are no tests
4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0. 4.2.4 If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
@ -306,9 +305,9 @@ systemctl restart kubelet.service
== Summary == == Summary ==
15 checks PASS 16 checks PASS
6 checks FAIL 6 checks FAIL
2 checks WARN 1 checks WARN
0 checks INFO 0 checks INFO
[INFO] 5 Kubernetes Policies [INFO] 5 Kubernetes Policies
[INFO] 5.1 RBAC and Service Accounts [INFO] 5.1 RBAC and Service Accounts
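Review bot: the three hunks in this file repeat exactly the expected-output changes of the previous file (same 4.1.7 WARN to PASS line, same removed "audit test did not run" line, same 15 to 16 PASS and 2 to 1 WARN counts); since both fixtures encode identical node-section behaviour, consider whether they could share that section so a future check change does not have to be mirrored by hand in two places.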