mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-22 06:38:06 +00:00
Add tests for 1.1.19、1.1.20 and 1.1.21 of cis-1.5 (#641)
* Add tests for 1.1.19、1.1.20 and 1.1.21 of cis-1.5 * Avoid division by 0 * Use bitmask instead of lte * Change to use multiple values via `use_multiple_values: true` * Use find in 1.1.20 and 1.1.21
This commit is contained in:
parent
a6161aa868
commit
6684979741
@ -287,8 +287,15 @@ groups:
|
||||
|
||||
- id: 1.1.19
|
||||
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)"
|
||||
audit: "ls -laR /etc/kubernetes/pki/"
|
||||
type: "manual"
|
||||
audit: "find /etc/kubernetes/pki/ | xargs stat -c %U:%G"
|
||||
use_multiple_values: true
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "root:root"
|
||||
compare:
|
||||
op: eq
|
||||
value: "root:root"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
@ -297,8 +304,15 @@ groups:
|
||||
|
||||
- id: 1.1.20
|
||||
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: "stat -c %n\ %a /etc/kubernetes/pki/*.crt"
|
||||
type: "manual"
|
||||
audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a"
|
||||
use_multiple_values: true
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "permissions"
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
@ -307,8 +321,15 @@ groups:
|
||||
|
||||
- id: 1.1.21
|
||||
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)"
|
||||
audit: "stat -c %n\ %a /etc/kubernetes/pki/*.key"
|
||||
type: "manual"
|
||||
audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a"
|
||||
use_multiple_values: true
|
||||
tests:
|
||||
test_items:
|
||||
- flag: "permissions"
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
|
22
integration/testdata/cis-1.5/job-master.data
vendored
22
integration/testdata/cis-1.5/job-master.data
vendored
@ -18,9 +18,9 @@
|
||||
[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored)
|
||||
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
|
||||
[WARN] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
|
||||
[WARN] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
|
||||
[WARN] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
|
||||
[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
|
||||
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
|
||||
[INFO] 1.2 API Server
|
||||
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
|
||||
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
|
||||
@ -84,18 +84,6 @@ ps -ef | grep etcd
|
||||
Run the below command (based on the etcd data directory found above).
|
||||
For example, chown etcd:etcd /var/lib/etcd
|
||||
|
||||
1.1.19 Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chown -R root:root /etc/kubernetes/pki/
|
||||
|
||||
1.1.20 Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chmod -R 644 /etc/kubernetes/pki/*.crt
|
||||
|
||||
1.1.21 Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chmod -R 600 /etc/kubernetes/pki/*.key
|
||||
|
||||
1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
|
||||
on the master node and set the below parameter.
|
||||
--anonymous-auth=false
|
||||
@ -182,7 +170,7 @@ on the master node and set the below parameter.
|
||||
|
||||
|
||||
== Summary ==
|
||||
41 checks PASS
|
||||
44 checks PASS
|
||||
13 checks FAIL
|
||||
11 checks WARN
|
||||
8 checks WARN
|
||||
0 checks INFO
|
||||
|
22
integration/testdata/cis-1.5/job.data
vendored
22
integration/testdata/cis-1.5/job.data
vendored
@ -18,9 +18,9 @@
|
||||
[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored)
|
||||
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
|
||||
[WARN] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
|
||||
[WARN] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
|
||||
[WARN] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
|
||||
[PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
|
||||
[PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
|
||||
[INFO] 1.2 API Server
|
||||
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
|
||||
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
|
||||
@ -84,18 +84,6 @@ ps -ef | grep etcd
|
||||
Run the below command (based on the etcd data directory found above).
|
||||
For example, chown etcd:etcd /var/lib/etcd
|
||||
|
||||
1.1.19 Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chown -R root:root /etc/kubernetes/pki/
|
||||
|
||||
1.1.20 Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chmod -R 644 /etc/kubernetes/pki/*.crt
|
||||
|
||||
1.1.21 Run the below command (based on the file location on your system) on the master node.
|
||||
For example,
|
||||
chmod -R 600 /etc/kubernetes/pki/*.key
|
||||
|
||||
1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
|
||||
on the master node and set the below parameter.
|
||||
--anonymous-auth=false
|
||||
@ -182,9 +170,9 @@ on the master node and set the below parameter.
|
||||
|
||||
|
||||
== Summary ==
|
||||
41 checks PASS
|
||||
44 checks PASS
|
||||
13 checks FAIL
|
||||
11 checks WARN
|
||||
8 checks WARN
|
||||
0 checks INFO
|
||||
[INFO] 2 Etcd Node Configuration
|
||||
[INFO] 2 Etcd Node Configuration Files
|
||||
|
Loading…
Reference in New Issue
Block a user