mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 08:08:07 +00:00

Add tests for 1.1.19, 1.1.20 and 1.1.21 of cis-1.5 (#641)

* Add tests for 1.1.19, 1.1.20 and 1.1.21 of cis-1.5

* Avoid division by 0

* Use bitmask instead of lte

* Change to use multiple values via `use_multiple_values: true`

* Use find in 1.1.20 and 1.1.21
Huang Huang 2020-08-10 04:44:42 +08:00 committed by GitHub
parent a6161aa868
commit 6684979741
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 37 additions and 40 deletions


@ -287,8 +287,15 @@ groups:
- id: 1.1.19 - id: 1.1.19
text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)" text: "Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)"
audit: "ls -laR /etc/kubernetes/pki/" audit: "find /etc/kubernetes/pki/ | xargs stat -c %U:%G"
type: "manual" use_multiple_values: true
tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: "root:root"
set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
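Review bot: the new audit for 1.1.19 pipes `find` output into `xargs` without `-print0`/`-0`, so a path containing whitespace would be split into separate `stat` arguments, and when `find` returns nothing `xargs` still invokes `stat` with no file operand, which exits with a usage error instead of a clean empty result; `find /etc/kubernetes/pki/ -print0 | xargs -0 -r stat -c %U:%G` (or `find /etc/kubernetes/pki/ -exec stat -c %U:%G {} +`, which avoids xargs altogether) covers both. With `use_multiple_values: true` every output line is evaluated against the `root:root` test item, so one file owned by another user fails the whole control, which matches the control's intent; but `%U:%G` emits no filename, so a failing entry cannot be identified from the report. Minor: this audit uses `/etc/kubernetes/pki/` with a trailing slash while 1.1.20 and 1.1.21 use `/etc/kubernetes/pki`; pick one.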
@ -297,8 +304,15 @@ groups:
- id: 1.1.20 - id: 1.1.20
text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)"
audit: "stat -c %n\ %a /etc/kubernetes/pki/*.crt" audit: "find /etc/kubernetes/pki -name '*.crt' | xargs stat -c permissions=%a"
type: "manual" use_multiple_values: true
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "644"
set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
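Review bot: `stat -c permissions=%a` drops the filename, so a FAIL on 1.1.20 reports only a bare mode such as `permissions=664` and the operator has to re-run the `find` by hand to locate the offending certificate; `stat -c '%n permissions=%a'` would keep the path in the output if the flag matcher tolerates text before `permissions=`. The same `xargs` whitespace and empty-input caveat noted on 1.1.19 applies here; `find /etc/kubernetes/pki -name '*.crt' -exec stat -c permissions=%a {} +` sidesteps it. The switch from `lte` to `bitmask 644` is the right comparison for "644 or more restrictive", since it rejects any set bit outside `rw-r--r--` rather than comparing the octal string numerically.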
@ -307,8 +321,15 @@ groups:
- id: 1.1.21 - id: 1.1.21
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)" text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)"
audit: "stat -c %n\ %a /etc/kubernetes/pki/*.key" audit: "find /etc/kubernetes/pki -name '*.key' | xargs stat -c permissions=%a"
type: "manual" use_multiple_values: true
tests:
test_items:
- flag: "permissions"
compare:
op: bitmask
value: "600"
set: true
remediation: | remediation: |
Run the below command (based on the file location on your system) on the master node. Run the below command (based on the file location on your system) on the master node.
For example, For example,
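Review bot: the audit for 1.1.21 now recurses with `find -name '*.key'`, but the remediation shipped with the check (visible in the removed test-output lines below as `chmod -R 600 /etc/kubernetes/pki/*.key`) only globs the top-level directory: `-R` has no effect on regular files and the glob never reaches keys in any subdirectory, so the audit can still fail after the documented remediation has been applied. Suggest `find /etc/kubernetes/pki -name '*.key' -exec chmod 600 {} +` here and the analogous `-name '*.crt' -exec chmod 644 {} +` for 1.1.20, so that the remediation covers exactly the set of files the audit inspects.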


@ -18,9 +18,9 @@
[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored) [PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored)
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored) [PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored) [PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
[WARN] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored) [PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
[WARN] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored) [PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
[WARN] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored) [PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
[INFO] 1.2 API Server [INFO] 1.2 API Server
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored) [WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored) [PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
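Review bot: flipping the expected results for 1.1.19 to 1.1.21 from WARN to PASS ties this fixture to the actual ownership and modes of `/etc/kubernetes/pki` in the integration cluster; if that image ever ships a non-root-owned certificate or a group-readable key, the suite will fail on the fixture rather than on a regression in the check logic. A short comment in the test data stating that assumption, or a setup step that explicitly `chown`s and `chmod`s the PKI tree before the run, would make the dependency visible.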
@ -84,18 +84,6 @@ ps -ef | grep etcd
Run the below command (based on the etcd data directory found above). Run the below command (based on the etcd data directory found above).
For example, chown etcd:etcd /var/lib/etcd For example, chown etcd:etcd /var/lib/etcd
1.1.19 Run the below command (based on the file location on your system) on the master node.
For example,
chown -R root:root /etc/kubernetes/pki/
1.1.20 Run the below command (based on the file location on your system) on the master node.
For example,
chmod -R 644 /etc/kubernetes/pki/*.crt
1.1.21 Run the below command (based on the file location on your system) on the master node.
For example,
chmod -R 600 /etc/kubernetes/pki/*.key
1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter. on the master node and set the below parameter.
--anonymous-auth=false --anonymous-auth=false
@ -182,7 +170,7 @@ on the master node and set the below parameter.
== Summary == == Summary ==
41 checks PASS 44 checks PASS
13 checks FAIL 13 checks FAIL
11 checks WARN 8 checks WARN
0 checks INFO 0 checks INFO


@ -18,9 +18,9 @@
[PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored) [PASS] 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Scored)
[PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored) [PASS] 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Scored)
[PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored) [PASS] 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Scored)
[WARN] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored) [PASS] 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored)
[WARN] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored) [PASS] 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
[WARN] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored) [PASS] 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)
[INFO] 1.2 API Server [INFO] 1.2 API Server
[WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored) [WARN] 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored)
[PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored) [PASS] 1.2.2 Ensure that the --basic-auth-file argument is not set (Scored)
@ -84,18 +84,6 @@ ps -ef | grep etcd
Run the below command (based on the etcd data directory found above). Run the below command (based on the etcd data directory found above).
For example, chown etcd:etcd /var/lib/etcd For example, chown etcd:etcd /var/lib/etcd
1.1.19 Run the below command (based on the file location on your system) on the master node.
For example,
chown -R root:root /etc/kubernetes/pki/
1.1.20 Run the below command (based on the file location on your system) on the master node.
For example,
chmod -R 644 /etc/kubernetes/pki/*.crt
1.1.21 Run the below command (based on the file location on your system) on the master node.
For example,
chmod -R 600 /etc/kubernetes/pki/*.key
1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml 1.2.1 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter. on the master node and set the below parameter.
--anonymous-auth=false --anonymous-auth=false
@ -182,9 +170,9 @@ on the master node and set the below parameter.
== Summary == == Summary ==
41 checks PASS 44 checks PASS
13 checks FAIL 13 checks FAIL
11 checks WARN 8 checks WARN
0 checks INFO 0 checks INFO
[INFO] 2 Etcd Node Configuration [INFO] 2 Etcd Node Configuration
[INFO] 2 Etcd Node Configuration Files [INFO] 2 Etcd Node Configuration Files