arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-02-21 12:02:30 +00:00
Code Issues Releases Wiki Activity

Add a few corrections. (#1)

Browse Source
This commit is contained in:
Abubakr-Sadik Nii Nai Davis 2018-10-12 14:22:08 +00:00 committed by Benji Visser
parent e85de9e8af
commit 934b4aef96
1 changed files with 35 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
cfg/1.11/master.yaml
View File

@ -22,7 +22,6 @@ groups:
Edit the API server pod specification file $apiserverconf Edit the API server pod specification file $apiserverconf
on the master node and set the below parameter. on the master node and set the below parameter.
--anonymous-auth=false --anonymous-auth=false
scored: true scored: true
- id: 1.1.2 - id: 1.1.2
@ -607,7 +606,16 @@ groups:
- id: 1.1.37 - id: 1.1.37
text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)" text: "Ensure that the AdvancedAuditing argument is not set to false (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
type: "manual" tests:
bin_op: and
test_items:
- flag: "--feature-gates"
compare:
op: nothave
value: "AdvancedAuditing=false"
set: true
- flag: "--audit-policy-file"
set: true
remediation: | remediation: |
Follow the Kubernetes documentation and set the desired audit policy in the Follow the Kubernetes documentation and set the desired audit policy in the
/etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf /etc/kubernetes/audit-policy.yaml file. Then, edit the API server pod specification file $apiserverconf
@ -619,11 +627,11 @@ groups:
text: "Ensure that the --request-timeout argument is set as appropriate (Scored)" text: "Ensure that the --request-timeout argument is set as appropriate (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--request-timeout" - flag: "--request-timeout"
compare: set: false
op: eq - flag: "--request-timeout"
value: "300s"
set: true set: true
remediation: | remediation: |
Edit the API server pod specification file $apiserverconf Edit the API server pod specification file $apiserverconf
@ -670,12 +678,15 @@ groups:
text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)" text: "Ensure that the --address argument is set to 127.0.0.1 (Scored)"
audit: "ps -ef | grep $schedulerbin | grep -v grep" audit: "ps -ef | grep $schedulerbin | grep -v grep"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--address" - flag: "--address"
compare: compare:
op: eq op: eq
value: "127.0.0.1" value: "127.0.0.1"
set: true set: true
- flag: "--address"
set: false
remediation: | remediation: |
Edit the Scheduler pod specification file $schedulerconf Edit the Scheduler pod specification file $schedulerconf
file on the master node and ensure the correct value for the file on the master node and ensure the correct value for the
@ -690,8 +701,8 @@ groups:
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "--terminated-pod-gc-threshold" - flag: "--terminated-pod-gc-threshold"
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $controllermanagerconf Edit the Controller Manager pod specification file $controllermanagerconf
on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example: on the master node and set the --terminated-pod-gc-threshold to an appropriate threshold, for example:
@ -709,7 +720,7 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverconf Edit the Controller Manager pod specification file $controllermanagerconf
on the master node and set the below parameter. on the master node and set the below parameter.
--profiling=false --profiling=false
scored: true scored: true
@ -725,7 +736,7 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverconf Edit the Controller Manager pod specification file $controllermanagerconf
on the master node to set the below parameter. on the master node to set the below parameter.
--use-service-account-credentials=true --use-service-account-credentials=true
scored: true scored: true
@ -738,7 +749,7 @@ groups:
- flag: "--service-account-private-key-file" - flag: "--service-account-private-key-file"
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverconf Edit the Controller Manager pod specification file $controllermanagerconf
on the master node and set the --service-account-private- on the master node and set the --service-account-private-
key-file parameter to the private key file for service accounts. key-file parameter to the private key file for service accounts.
--service-account-private-key-file=<filename> --service-account-private-key-file=<filename>
@ -752,7 +763,7 @@ groups:
- flag: "--root-ca-file" - flag: "--root-ca-file"
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverconf Edit the Controller Manager pod specification file $controllermanagerconf
on the master node and set the --root-ca-file parameter to on the master node and set the --root-ca-file parameter to
the certificate bundle file. the certificate bundle file.
--root-ca-file=<path/to/file> --root-ca-file=<path/to/file>
@ -763,13 +774,13 @@ groups:
audit: "ps -ef | grep $controllermanagerbin | grep -v grep" audit: "ps -ef | grep $controllermanagerbin | grep -v grep"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletServerCertificate" - flag: "--feature-gates"
compare: compare:
op: eq op: eq
value: true value: "RotateKubeletServerCertificate=true"
set: true set: true
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverconf Edit the Controller Manager pod specification file $controllermanagerconf
controller-manager.yaml on the master node and set the --feature-gates parameter to controller-manager.yaml on the master node and set the --feature-gates parameter to
include RotateKubeletServerCertificate=true. include RotateKubeletServerCertificate=true.
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletServerCertificate=true
@ -785,8 +796,10 @@ groups:
op: eq op: eq
value: "127.0.0.1" value: "127.0.0.1"
set: true set: true
- flag: "--address"
set: false
remediation: | remediation: |
Edit the Controller Manager pod specification file $apiserverconf Edit the Controller Manager pod specification file $controllermanagerconf
controller-manager.yaml on the master node and ensure the correct value controller-manager.yaml on the master node and ensure the correct value
for the --address parameter. for the --address parameter.
scored: true scored: true
@ -1203,8 +1216,8 @@ groups:
set: false set: false
- flag: "--auto-tls" - flag: "--auto-tls"
compare: compare:
op: neq op: eq
value: true value: false
remediation: | remediation: |
Edit the etcd pod specification file $etcdconf on the master Edit the etcd pod specification file $etcdconf on the master
node and either remove the --auto-tls parameter or set it to false. node and either remove the --auto-tls parameter or set it to false.
@ -1215,7 +1228,9 @@ groups:
text: "Ensure that the --peer-cert-file and --peer-key-file arguments are text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
set as appropriate (Scored)" set as appropriate (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
type: "manual"
tests: tests:
bin_op: and
test_items: test_items:
- flag: "--peer-cert-file" - flag: "--peer-cert-file"
set: true set: true
@ -1232,6 +1247,7 @@ groups:
- id: 1.5.5 - id: 1.5.5
text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)" text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
type: "manual"
tests: tests:
test_items: test_items:
- flag: "--peer-client-cert-auth" - flag: "--peer-client-cert-auth"
@ -1248,6 +1264,7 @@ groups:
- id: 1.5.6 - id: 1.5.6
text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)" text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
type: "manual"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -1267,6 +1284,7 @@ groups:
- id: 1.5.7 - id: 1.5.7
text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep" audit: "ps -ef | grep $etcdbin | grep -v grep"
type: "manual"
tests: tests:
test_items: test_items:
- flag: "--trusted-ca-file" - flag: "--trusted-ca-file"