mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-01-22 05:31:13 +00:00

Update new cis configurations

Darius Mejeras 2023-11-20 15:11:59 +02:00
parent 53bc12229a
commit 865ce7cb54
8 changed files with 105 additions and 123 deletions

View File

@ -64,7 +64,7 @@ groups:
text: "Kubelet"
checks:
- id: 3.2.1
text: "Ensure that the --anonymous-auth argument is set to false (Manual)"
text: "Ensure that the --anonymous-auth argument is set to false (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
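Review bot: flipping the 3.2.1 title to "(Automated)" here (with `scored: true` following in the next hunk) makes this check count toward the pass/fail result, so the `tests:` block that follows this hunk needs to fail on both sources the audit reads: a `--anonymous-auth=true` flag in the `/bin/ps -fC $kubeletbin` output and the equivalent setting in the `$kubeletconf` file read by `audit_config`. If the tests only match the command line, a kubelet configured through the config file passes the scored check without anonymous auth actually being disabled.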
@ -84,10 +84,10 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.2.2
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Manual)"
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -106,10 +106,10 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.2.3
text: "Ensure that the --client-ca-file argument is set as appropriate (Manual)"
text: "Ensure that the --client-ca-file argument is set as appropriate (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -127,7 +127,7 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.2.4
text: "Ensure that the --read-only-port argument is set to 0 (Manual)"
@ -153,7 +153,7 @@ groups:
scored: false
- id: 3.2.5
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Manual)"
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -178,10 +178,10 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.2.6
text: "Ensure that the --make-iptables-util-chains argument is set to true (Manual) "
text: "Ensure that the --make-iptables-util-chains argument is set to true (Automated) "
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
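Review bot: the 3.2.6 title string keeps a trailing space inside the quotes, `"... (Automated) "`; the old line had the same defect and this rename is the natural place to drop it, since the text is printed verbatim in report output and the trailing blank makes the line differ from every other title in the file.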
@ -205,7 +205,7 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.2.7
text: "Ensure that the --hostname-override argument is not set (Manual)"
@ -227,7 +227,7 @@ groups:
scored: false
- id: 3.2.8
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Manual)"
text: "Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -246,10 +246,10 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.2.9
text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -274,7 +274,7 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.2.10
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"

View File

@ -60,74 +60,66 @@ groups:
scored: false
- id: 4.2
text: "Pod Security Policies"
text: "Pod Security Standards"
checks:
- id: 4.2.1
text: "Minimize the admission of privileged containers (Automated)"
text: "Minimize the admission of privileged containers (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that
the .spec.privileged field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of privileged containers.
scored: false
- id: 4.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostPID field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of hostPID containers.
scored: false
- id: 4.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostIPC field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of hostIPC containers.
scored: false
- id: 4.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostNetwork field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of hostNetwork containers.
scored: false
- id: 4.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.allowPrivilegeEscalation field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.
scored: false
- id: 4.2.6
text: "Minimize the admission of root containers (Automated)"
text: "Minimize the admission of root containers (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
UIDs not including 0.
Create a policy for each namespace in the cluster,
ensuring that either MustRunAsNonRoot or MustRunAs
with the range of UIDs not including 0, is set.
scored: false
- id: 4.2.7
text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false
- id: 4.2.8
text: "Minimize the admission of containers with added capabilities (Automated)"
type: "manual"
remediation: |
Ensure that allowedCapabilities is not present in PSPs for the cluster unless
Ensure that allowedCapabilities is not present in policies for the cluster unless
it is set to an empty array.
scored: false
- id: 4.2.9
- id: 4.2.8
text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual"
remediation: |
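Review bot: removing the old 4.2.7 (NET_RAW) check and renumbering 4.2.8 to 4.2.7 and 4.2.9 to 4.2.8 changes the meaning of existing check IDs, so anything that references them by number (skip lists, documentation, integration tests, downstream tooling that keys on `4.2.7`) silently points at a different control after this commit; call the renumbering out in the commit message or PR description. Separately, the new remediation text "Add policies to each namespace in the cluster which has user workloads" names no mechanism; the section heading now says "Pod Security Standards", so say that the policy is applied through Pod Security Admission namespace labels, otherwise the reader cannot tell which policy engine is meant.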

View File

@ -79,7 +79,7 @@ groups:
scored: false
- id: 5.3
text: "AWS Key Management Service (KMS)"
text: "AWS EKS Key Management Service (KMS)"
checks:
- id: 5.3.1
text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)"
@ -95,25 +95,25 @@ groups:
text: "Cluster Networking"
checks:
- id: 5.4.1
text: "Restrict Access to the Control Plane Endpoint (Manual)"
text: "Restrict Access to the Control Plane Endpoint (Automated)"
type: "manual"
remediation: "No remediation"
scored: false
- id: 5.4.2
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)"
type: "manual"
remediation: "No remediation"
scored: false
- id: 5.4.3
text: "Ensure clusters are created with Private Nodes (Manual)"
text: "Ensure clusters are created with Private Nodes (Automated)"
type: "manual"
remediation: "No remediation"
scored: false
- id: 5.4.4
text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
text: "Ensure Network Policy is Enabled and set as appropriate (Automated)"
type: "manual"
remediation: "No remediation"
scored: false
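Review bot: the 5.4.1 to 5.4.4 titles are relabelled "(Automated)", but every one of these checks keeps `type: "manual"`, `remediation: "No remediation"` and `scored: false`, so nothing is actually automated and the title now contradicts the check body. Either keep the "(Manual)" suffix, or give each check an `audit:` command and `tests:` block and set `scored: true`; also replace "No remediation" with the actual remediation for a private-endpoint or network-policy setting, since a check that tells the operator there is no fix is not useful in a report.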

View File

@ -111,7 +111,7 @@ groups:
scored: true
- id: 3.2.3
text: "Ensure that a Client CA File is Configured (Manual)"
text: "Ensure that a Client CA File is Configured (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -129,7 +129,7 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.2.4
text: "Ensure that the --read-only-port is disabled (Manual)"
@ -248,7 +248,7 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.2.9
text: "Ensure that the --rotate-certificates argument is not present or is set to true (Manual)"
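Review bot: the `scored: false` to `scored: true` flip in this hunk belongs to the check preceding 3.2.9 (3.2.8), whose title is not part of the diff, while 3.2.9 itself keeps "(Manual)". Confirm that 3.2.8's title already reads "(Automated)"; otherwise this hunk produces a scored check labelled Manual, the same inconsistency the other hunks in this file are careful to avoid by changing title and score together.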
@ -279,7 +279,7 @@ groups:
scored: false
- id: 3.2.10
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Manual)"
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -297,7 +297,7 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.3
text: "Container Optimized OS"
checks:

View File

@ -74,62 +74,61 @@ groups:
scored: false
- id: 4.2
text: "Pod Security Policies"
text: "Pod Security Standards"
checks:
- id: 4.2.1
text: "Minimize the admission of privileged containers (Automated)"
text: "Minimize the admission of privileged containers (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that
the .spec.privileged field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of privileged containers.
scored: false
- id: 4.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostPID field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of hostPID containers.
scored: false
- id: 4.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostIPC field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of hostIPC containers.
scored: false
- id: 4.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostNetwork field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of hostNetwork containers.
scored: false
- id: 4.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.allowPrivilegeEscalation field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.
scored: false
- id: 4.2.6
text: "Minimize the admission of root containers (Automated)"
text: "Minimize the admission of root containers (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
UIDs not including 0.
Create a policy for each namespace in the cluster, ensuring
that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.
scored: false
- id: 4.2.7
text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual"
remediation: |
Ensure that allowedCapabilities is not present in PSPs for the cluster unless
Ensure that allowedCapabilities is not present in policies for the cluster unless
it is set to an empty array.
scored: false
@ -138,8 +137,8 @@ groups:
type: "manual"
remediation: |
Review the use of capabilities in applications running on your cluster. Where a namespace
contains applications which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities.
contains applications which do not require any Linux capabilities to operate consider adding
a policy which forbids the admission of containers which do not drop all capabilities.
scored: false
- id: 4.3

View File

@ -10,7 +10,7 @@ groups:
checks:
- id: 5.1.1
text: "Ensure Image Vulnerability Scanning using GCR Container Analysis
or a third-party provider (Manual)"
or a third-party provider (Automated)"
type: "manual"
remediation: |
Using Command Line:
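Review bot: 5.1.1 is retitled "(Automated)" but keeps `type: "manual"` and a remediation that starts with "Using Command Line:", and the same pattern recurs for 5.2.1, 5.3.1, 5.6.3, 5.6.4 and 5.6.5 in the following hunks of this file. For a `type: "manual"` check the tool cannot evaluate anything, so the "(Automated)" suffix is misleading in the report; either keep the benchmark's suffix but add an `audit:` and `tests:` block that runs the command the remediation describes, or leave the titles as "(Manual)" until that is done.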
@ -102,7 +102,7 @@ groups:
checks:
- id: 5.2.1
text: "Ensure GKE clusters are not running using the Compute Engine
default service account (Manual)"
default service account (Automated)"
type: "manual"
remediation: |
Using Command Line:
@ -165,7 +165,7 @@ groups:
text: "Cloud Key Management Service (Cloud KMS)"
checks:
- id: 5.3.1
text: "Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Manual)"
text: "Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Automated)"
type: "manual"
remediation: |
Using Command Line:
@ -256,7 +256,7 @@ groups:
text: "Node Configuration and Maintenance"
checks:
- id: 5.5.1
text: "Ensure Container-Optimized OS (COS) is used for GKE node images (Automated)"
text: "Ensure Container-Optimized OS (cos_containerd) is used for GKE node images (Automated)"
type: "manual"
remediation: |
Using Command Line:
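Review bot: the 5.5.1 title now names the image type as `cos_containerd` rather than "COS"; make sure the remediation text and any comparison in the check body use the same identifier and case, since a mismatch between the title and the value the operator is told to set will be read as two different requirements.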
@ -382,7 +382,7 @@ groups:
scored: false
- id: 5.6.3
text: "Ensure Master Authorized Networks is Enabled (Manual)"
text: "Ensure Master Authorized Networks is Enabled (Automated)"
type: "manual"
remediation: |
Using Command Line:
@ -406,7 +406,7 @@ groups:
scored: false
- id: 5.6.4
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)"
type: "manual"
remediation: |
Using Command Line:
@ -421,7 +421,7 @@ groups:
scored: false
- id: 5.6.5
text: "Ensure clusters are created with Private Nodes (Manual)"
text: "Ensure clusters are created with Private Nodes (Automated)"
type: "manual"
remediation: |
Using Command Line:

View File

@ -241,7 +241,7 @@ groups:
scored: true
- id: 3.2.9
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Manual)"
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -262,10 +262,10 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.2.10
text: "Ensure that the --rotate-certificates argument is not set to false (Manual)"
text: "Ensure that the --rotate-certificates argument is not set to false (Automated)"
audit: "/bin/ps -fC $kubeletbin"
audit_config: "/bin/cat $kubeletconf"
tests:
@ -289,7 +289,7 @@ groups:
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
scored: false
scored: true
- id: 3.2.11
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)"

View File

@ -60,80 +60,71 @@ groups:
scored: false
- id: 4.2
text: "Pod Security Policies"
text: "Pod Security Standards"
checks:
- id: 4.2.1
text: "Minimize the admission of privileged containers (Automated)"
text: "Minimize the admission of privileged containers (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that
the .spec.privileged field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of privileged containers.
scored: false
- id: 4.2.2
text: "Minimize the admission of containers wishing to share the host process ID namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostPID field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of hostPID containers.
scored: false
- id: 4.2.3
text: "Minimize the admission of containers wishing to share the host IPC namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostIPC field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of hostIPC containers.
scored: false
- id: 4.2.4
text: "Minimize the admission of containers wishing to share the host network namespace (Automated)"
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.hostNetwork field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of hostNetwork containers.
scored: false
- id: 4.2.5
text: "Minimize the admission of containers with allowPrivilegeEscalation (Automated)"
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.allowPrivilegeEscalation field is omitted or set to false.
Add policies to each namespace in the cluster which has user workloads
to restrict the admission of containers with .spec.allowPrivilegeEscalation set to true.
scored: false
- id: 4.2.6
text: "Minimize the admission of root containers (Automated)"
text: "Minimize the admission of root containers (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
UIDs not including 0.
Create a policy for each namespace in the cluster,
ensuring that either MustRunAsNonRoot or MustRunAs with the range of UIDs not including 0, is set.
scored: false
- id: 4.2.7
text: "Minimize the admission of containers with the NET_RAW capability (Automated)"
text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual"
remediation: |
Create a PSP as described in the Kubernetes documentation, ensuring that the
.spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
scored: false
- id: 4.2.8
text: "Minimize the admission of containers with added capabilities (Automated)"
type: "manual"
remediation: |
Ensure that allowedCapabilities is not present in PSPs for the cluster unless
Ensure that allowedCapabilities is not present in policies for the cluster unless
it is set to an empty array.
scored: false
- id: 4.2.9
- id: 4.2.8
text: "Minimize the admission of containers with capabilities assigned (Manual) "
type: "manual"
remediation: |
Review the use of capabilites in applications running on your cluster. Where a namespace
contains applications which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities.
Review the use of capabilities in applications running on your cluster. Where a namespace
contains applications which do not require any Linux capabilities to operate consider adding
a policy which forbids the admission of containers which do not drop all capabilities.
scored: false
- id: 4.3
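Review bot: this hunk carries the same 4.2.7 removal and 4.2.8/4.2.9 renumbering as the other policies file, so the ID-shift concern applies here too; in addition the renumbered 4.2.8 title keeps a trailing space inside the quotes, `"... (Manual) "`, which the parallel file writes without the blank, so the two files should be made to match. The spelling fixes in the remediation ("capabilites" and "capabities" to "capabilities") are correct.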