mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-22 06:38:06 +00:00
* Add kubeconfig location of kube-proxy for AKS * Add job for AKS node * Automate ca file permission check * removed job-aks.yaml as other PRs added needed features * fixed integration test due to merge changes
This commit is contained in:
parent
e2f61fad13
commit
9c6d4de860
@ -1215,7 +1215,7 @@ groups:
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chown -R root:root /etc/kubernetes/pki/
|
||||
scored: true
|
||||
|
||||
@ -1243,7 +1243,7 @@ groups:
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
|
||||
scored: true
|
||||
|
||||
@ -1260,7 +1260,7 @@ groups:
|
||||
set: true
|
||||
remediation: |
|
||||
[Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 600 /etc/kubernetes/pki/*.key
|
||||
scored: true
|
||||
|
||||
|
@ -464,8 +464,25 @@ groups:
|
||||
|
||||
- id: 2.2.7
|
||||
text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
type: manual
|
||||
tests: {}
|
||||
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %a $kubeletcafile; fi'"
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "644"
|
||||
compare:
|
||||
op: eq
|
||||
value: "644"
|
||||
set: true
|
||||
- flag: "640"
|
||||
compare:
|
||||
op: eq
|
||||
value: "640"
|
||||
set: true
|
||||
- flag: "600"
|
||||
compare:
|
||||
op: eq
|
||||
value: "600"
|
||||
set: true
|
||||
remediation: |
|
||||
Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
|
@ -135,7 +135,8 @@ node:
|
||||
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
||||
- /var/snap/kube-proxy/current/args
|
||||
kubeconfig:
|
||||
- /etc/kubernetes/kubelet-kubeconfig
|
||||
- "/etc/kubernetes/kubelet-kubeconfig"
|
||||
- "/var/lib/kubelet/kubeconfig"
|
||||
svc:
|
||||
- "/lib/systemd/system/kube-proxy.service"
|
||||
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
||||
|
6
integration/testdata/job-master.data
vendored
6
integration/testdata/job-master.data
vendored
@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
|
||||
chown etcd:etcd /var/lib/etcd
|
||||
|
||||
1.4.19 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chown -R root:root /etc/kubernetes/pki/
|
||||
|
||||
1.4.20 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
|
||||
|
||||
1.4.21 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 600 /etc/kubernetes/pki/*.key
|
||||
|
||||
1.5.1 Follow the etcd service documentation and configure TLS encryption.
|
||||
|
9
integration/testdata/job-node.data
vendored
9
integration/testdata/job-node.data
vendored
@ -21,7 +21,7 @@
|
||||
[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
|
||||
[FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||
[FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||
[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
||||
[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||
[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||
@ -81,12 +81,9 @@ chmod 644 /etc/kubernetes/proxy.conf
|
||||
node. For example,
|
||||
chown root:root /etc/kubernetes/proxy.conf
|
||||
|
||||
2.2.7 Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
|
||||
|
||||
== Summary ==
|
||||
15 checks PASS
|
||||
16 checks PASS
|
||||
7 checks FAIL
|
||||
1 checks WARN
|
||||
0 checks WARN
|
||||
1 checks INFO
|
15
integration/testdata/job.data
vendored
15
integration/testdata/job.data
vendored
@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
|
||||
chown etcd:etcd /var/lib/etcd
|
||||
|
||||
1.4.19 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chown -R root:root /etc/kubernetes/pki/
|
||||
|
||||
1.4.20 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
|
||||
|
||||
1.4.21 [Manual test]
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
Run the below command (based on the file location on your system) on the master node.
|
||||
For example, chmod -R 600 /etc/kubernetes/pki/*.key
|
||||
|
||||
1.5.1 Follow the etcd service documentation and configure TLS encryption.
|
||||
@ -447,7 +447,7 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
|
||||
[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
|
||||
[FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||
[FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||
[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
|
||||
[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
|
||||
[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
|
||||
@ -507,12 +507,9 @@ chmod 644 /etc/kubernetes/proxy.conf
|
||||
node. For example,
|
||||
chown root:root /etc/kubernetes/proxy.conf
|
||||
|
||||
2.2.7 Run the following command to modify the file permissions of the --client-ca-file
|
||||
chmod 644 <filename>
|
||||
|
||||
|
||||
== Summary ==
|
||||
15 checks PASS
|
||||
16 checks PASS
|
||||
7 checks FAIL
|
||||
1 checks WARN
|
||||
0 checks WARN
|
||||
1 checks INFO
|
Loading…
Reference in New Issue
Block a user