mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-20 21:58:06 +00:00

Merge pull request #67 from aquasecurity/config-spacing

Remove odd spacing and line breaks from test config files
Liz Rice 2017-11-02 11:14:03 +00:00 committed by GitHub
commit 85fb818e41
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 47 additions and 68 deletions


@ -19,9 +19,8 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --anonymous-auth=false . Edit the deployment specs and set --anonymous-auth=false.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.2 - id: 3.1.2
@ -33,9 +32,8 @@ groups:
set: false set: false
remediation: | remediation: |
Follow the documentation and configure alternate mechanisms for authentication. Then, Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the deployment specs and remove "--basic-auth-file=<filename>" . edit the deployment specs and remove "--basic-auth-file=<filename>".
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.3 - id: 3.1.3
@ -46,9 +44,8 @@ groups:
- flag: "--insecure-allow-any-token" - flag: "--insecure-allow-any-token"
set: false set: false
remediation: | remediation: |
Edit the deployment specs and remove --insecure-allow-any-token . Edit the deployment specs and remove --insecure-allow-any-token.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.4 - id: 3.1.4
@ -59,9 +56,8 @@ groups:
- flag: "--insecure-bind-address" - flag: "--insecure-bind-address"
set: false set: false
remediation: | remediation: |
Edit the deployment specs and remove --insecure-bind-address . Edit the deployment specs and remove --insecure-bind-address.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.5 - id: 3.1.5
@ -75,9 +71,8 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --insecure-port=0 . Edit the deployment specs and set --insecure-port=0.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.6 - id: 3.1.6
@ -95,8 +90,7 @@ groups:
set: false set: false
remediation: | remediation: |
Edit the deployment specs and set the --secure-port argument to the desired port. Edit the deployment specs and set the --secure-port argument to the desired port.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.7 - id: 3.1.7
@ -110,9 +104,8 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set "--profiling=false" : Edit the deployment specs and set "--profiling=false":
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
score: true score: true
- id: 3.1.8 - id: 3.1.8
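Review bot: The context line `score: true` at the end of check 3.1.7 is misspelled on both sides of the diff; every other check in this file uses `scored: true`, so this check may not be picked up as scored. Since this commit is already cleaning up the same block, change the key to `scored: true` here.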
@ -128,8 +121,7 @@ groups:
remediation: | remediation: |
Edit the deployment specs and set --admission-control argument to a value that does not Edit the deployment specs and set --admission-control argument to a value that does not
include AlwaysAdmit . include AlwaysAdmit .
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.9 - id: 3.1.9
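Review bot: The line `include AlwaysAdmit .` in the 3.1.8 remediation still has the space before the period on the new side, so the cleanup missed it. The matching text in the other file of this commit was changed to `AlwaysAdmit.`; apply the same fix here for consistency.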
@ -144,9 +136,8 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --admission-control argument to a value that includes Edit the deployment specs and set --admission-control argument to a value that includes
NamespaceLifecycle . NamespaceLifecycle.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.10 - id: 3.1.10
@ -172,8 +163,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate. Edit the deployment specs and set --audit-log-maxage to 30 or as appropriate.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.12 - id: 3.1.12
@ -188,8 +178,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate. Edit the deployment specs and set --audit-log-maxbackup to 10 or as appropriate.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.13 - id: 3.1.13
@ -204,8 +193,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate. Edit the deployment specs and set --audit-log-maxsize=100 to 100 or as appropriate.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.14 - id: 3.1.14
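Review bot: The unchanged remediation sentence for 3.1.13 reads `set --audit-log-maxsize=100 to 100 or as appropriate`, which states the value twice. The neighbouring checks say `set --audit-log-maxage to 30` and `set --audit-log-maxbackup to 10`; suggest `set --audit-log-maxsize to 100 or as appropriate` to match.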
@ -221,8 +209,7 @@ groups:
remediation: | remediation: |
Edit the deployment specs and set --authorization-mode argument to a value other than Edit the deployment specs and set --authorization-mode argument to a value other than
AlwaysAllow AlwaysAllow
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.15 - id: 3.1.15
@ -235,8 +222,7 @@ groups:
remediation: | remediation: |
Follow the documentation and configure alternate mechanisms for authentication. Then, Follow the documentation and configure alternate mechanisms for authentication. Then,
edit the deployment specs and remove the --token-auth-file=<filename> argument. edit the deployment specs and remove the --token-auth-file=<filename> argument.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.16 - id: 3.1.16
@ -251,8 +237,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set "--service-account-lookup=true" . Edit the deployment specs and set "--service-account-lookup=true" .
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.17 - id: 3.1.17
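Review bot: The first remediation line for 3.1.16, `"--service-account-lookup=true" .`, keeps the stray space before the period on the new side. The other hunks in this file drop that space, so this line should become `"--service-account-lookup=true".` as well.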
@ -264,8 +249,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set --service-account-key-file argument as appropriate. Edit the deployment specs and set --service-account-key-file argument as appropriate.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.18 - id: 3.1.18
@ -281,11 +265,10 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection between the Follow the Kubernetes documentation and set up the TLS connection between the
federation apiserver and etcd. Then, edit the deployment specs and set "--etcd- federation apiserver and etcd. Then, edit the deployment specs and set
certfile=<path/to/client-certificate-file>" and "--etcd- "--etcd-certfile=<path/to/client-certificate-file>" and
keyfile=<path/to/client-key-file>" arguments. "--etcd-keyfile=<path/to/client-key-file>" arguments.
kubectl edit deployments federation-apiserver-deployment -- kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true
- id: 3.1.19 - id: 3.1.19
@ -301,10 +284,10 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the federation Follow the Kubernetes documentation and set up the TLS connection on the federation
apiserver. Then, edit the deployment specs and set "--tls-cert-file=<path/to/tls- apiserver. Then, edit the deployment specs and set
certificate-file>" and "--tls-private-key-file=<path/to/tls-key-file>" : "--tls-cert-file=<path/to/tls-certificate-file>" and
kubectl edit deployments federation-apiserver-deployment -- "--tls-private-key-file=<path/to/tls-key-file>":
namespace=federation-system kubectl edit deployments federation-apiserver-deployment --namespace=federation-system
scored: true scored: true
- id: 3.2 - id: 3.2
@ -321,7 +304,6 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the deployment specs and set "--profiling=false" : Edit the deployment specs and set "--profiling=false":
kubectl edit deployments federation-controller-manager-deployment -- kubectl edit deployments federation-controller-manager-deployment --namespace=federation-system
namespace=federation-system
scored: true scored: true


@ -163,7 +163,7 @@ groups:
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverpodspec
on the master node and set the --admission-control parameter to a on the master node and set the --admission-control parameter to a
value that does not include AlwaysAdmit . value that does not include AlwaysAdmit.
scored: true scored: true
- id: 1.1.11 - id: 1.1.11
@ -179,7 +179,7 @@ groups:
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverpodspec
on the master node and set the --admission-control parameter to on the master node and set the --admission-control parameter to
include AlwaysPullImages . include AlwaysPullImages.
--admission-control=...,AlwaysPullImages,... --admission-control=...,AlwaysPullImages,...
scored: true scored: true
@ -196,7 +196,7 @@ groups:
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverpodspec
on the master node and set the --admission-control parameter to a on the master node and set the --admission-control parameter to a
value that includes DenyEscalatingExec . value that includes DenyEscalatingExec.
--admission-control=...,DenyEscalatingExec,... --admission-control=...,DenyEscalatingExec,...
scored: true scored: true
@ -213,7 +213,7 @@ groups:
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverpodspec
on the master node and set the --admission-control parameter to on the master node and set the --admission-control parameter to
include SecurityContextDeny . include SecurityContextDeny.
--admission-control=...,SecurityContextDeny,... --admission-control=...,SecurityContextDeny,...
scored: true scored: true
@ -230,7 +230,7 @@ groups:
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverpodspec
on the master node and set the --admission-control parameter to on the master node and set the --admission-control parameter to
include NamespaceLifecycle . include NamespaceLifecycle.
--admission-control=...,NamespaceLifecycle,... --admission-control=...,NamespaceLifecycle,...
scored: true scored: true
@ -312,7 +312,7 @@ groups:
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverpodspec
on the master node and set the --authorization-mode parameter to on the master node and set the --authorization-mode parameter to
values other than AlwaysAllow . One such example could be as below. values other than AlwaysAllow. One such example could be as below.
--authorization-mode=RBAC --authorization-mode=RBAC
scored: true scored: true
@ -450,7 +450,7 @@ groups:
Follow the documentation and create ServiceAccount objects as per your environment. Follow the documentation and create ServiceAccount objects as per your environment.
Then, edit the API server pod specification file $apiserverpodspec Then, edit the API server pod specification file $apiserverpodspec
on the master node and set the --admission-control parameter to a on the master node and set the --admission-control parameter to a
value that includes ServiceAccount . value that includes ServiceAccount.
--admission-control=...,ServiceAccount,... --admission-control=...,ServiceAccount,...
scored: true scored: true
@ -516,7 +516,7 @@ groups:
remediation: | remediation: |
Edit the API server pod specification file $apiserverpodspec Edit the API server pod specification file $apiserverpodspec
on the master node and set the --authorization-mode parameter to a on the master node and set the --authorization-mode parameter to a
value that includes Node . value that includes Node.
--authorization-mode=Node,RBAC --authorization-mode=Node,RBAC
scored: true scored: true
@ -598,8 +598,7 @@ groups:
type: "manual" type: "manual"
remediation: | remediation: |
Follow the Kubernetes documentation and set the desired audit policy in the Follow the Kubernetes documentation and set the desired audit policy in the
/etc/kubernetes/audit-policy.yaml file. /etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverpodspec
Then, edit the API server pod specification file $apiserverpodspec
and set the below parameters. and set the below parameters.
--audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-policy-file=/etc/kubernetes/audit-policy.yaml
scored: true scored: true
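Review bot: Joining `Then, edit the API server pod specification file $apiserverpodspec` onto the `/etc/kubernetes/audit-policy.yaml file.` line produces one line much longer than the rest of the block, and because `remediation: |` is a literal block the break positions are preserved in the output. The original break after `file.` was a sentence boundary rather than a mid-flag split, so consider leaving it or rewrapping the paragraph evenly.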
@ -646,8 +645,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec Edit the Controller Manager pod specification file $apiserverpodspec
on the master node and set the --terminated-pod-gc- on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example:
threshold to an appropriate threshold, for example:
--terminated-pod-gc-threshold=10 --terminated-pod-gc-threshold=10
scored: true scored: true
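Review bot: The context line `Edit the Controller Manager pod specification file $apiserverpodspec` names the Controller Manager but substitutes the API server pod spec variable, and the same pairing appears in the `--root-ca-file` hunk below. If a separate variable exists for the controller manager pod spec, it should be used here; otherwise the remediation points the operator at the wrong file. The joined `--terminated-pod-gc-threshold` line itself looks right, since it repairs a flag that was split at a hyphen.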
@ -707,7 +705,7 @@ groups:
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverpodspec Edit the Controller Manager pod specification file $apiserverpodspec
on the master node and set the --root-ca-file parameter to on the master node and set the --root-ca-file parameter to
the certificate bundle file`. the certificate bundle file.
--root-ca-file=<path/to/file> --root-ca-file=<path/to/file>
scored: true scored: true
@ -1124,7 +1122,7 @@ groups:
value: true value: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdpodspec on the master Edit the etcd pod specification file $etcdpodspec on the master
node and either remove the --auto-tls parameter or set it to false . node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false --auto-tls=false
scored: true scored: true
@ -1140,8 +1138,7 @@ groups:
set: true set: true
remediation: | remediation: |
Follow the etcd service documentation and configure peer TLS encryption as appropriate Follow the etcd service documentation and configure peer TLS encryption as appropriate
for your etcd cluster. for your etcd cluster. Then, edit the etcd pod specification file $etcdpodspec on the
Then, edit the etcd pod specification file $etcdpodspec on the
master node and set the below parameters. master node and set the below parameters.
--peer-client-file=</path/to/peer-cert-file> --peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file> --peer-key-file=</path/to/peer-key-file>
@ -1178,7 +1175,7 @@ groups:
set: true set: true
remediation: | remediation: |
Edit the etcd pod specification file $etcdpodspec on the master Edit the etcd pod specification file $etcdpodspec on the master
node and either remove the --peer-auto-tls parameter or set it to false . node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false --peer-auto-tls=false
scored: true scored: true