1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-22 06:38:06 +00:00

Issue #421: Merges PR #422 with master (#523)

* Add kubeconfig location of kube-proxy for AKS

* Add job for AKS node

* Automate ca file permission check

* removed job-aks.yaml as other PRs added needed features

* fixed integration test due to merge changes
This commit is contained in:
Roberto Rojas 2019-11-27 10:30:29 -05:00 committed by Liz Rice
parent e2f61fad13
commit 9c6d4de860
6 changed files with 36 additions and 24 deletions

View File

@ -1215,7 +1215,7 @@ groups:
set: true
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chown -R root:root /etc/kubernetes/pki/
scored: true
@ -1243,7 +1243,7 @@ groups:
set: true
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
scored: true
@ -1260,7 +1260,7 @@ groups:
set: true
remediation: |
[Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 600 /etc/kubernetes/pki/*.key
scored: true

View File

@ -464,8 +464,25 @@ groups:
- id: 2.2.7
text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
type: manual
tests: {}
audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %a $kubeletcafile; fi'"
tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: |
Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>

View File

@ -135,7 +135,8 @@ node:
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml
- /var/snap/kube-proxy/current/args
kubeconfig:
- /etc/kubernetes/kubelet-kubeconfig
- "/etc/kubernetes/kubelet-kubeconfig"
- "/var/lib/kubelet/kubeconfig"
svc:
- "/lib/systemd/system/kube-proxy.service"
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml

View File

@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
chown etcd:etcd /var/lib/etcd
1.4.19 [Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chown -R root:root /etc/kubernetes/pki/
1.4.20 [Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
1.4.21 [Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 600 /etc/kubernetes/pki/*.key
1.5.1 Follow the etcd service documentation and configure TLS encryption.

View File

@ -21,7 +21,7 @@
[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
[FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
[FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
@ -81,12 +81,9 @@ chmod 644 /etc/kubernetes/proxy.conf
node. For example,
chown root:root /etc/kubernetes/proxy.conf
2.2.7 Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
== Summary ==
15 checks PASS
16 checks PASS
7 checks FAIL
1 checks WARN
0 checks WARN
1 checks INFO

View File

@ -304,15 +304,15 @@ Run the below command (based on the etcd data directory found above). For exampl
chown etcd:etcd /var/lib/etcd
1.4.19 [Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chown -R root:root /etc/kubernetes/pki/
1.4.20 [Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 644 /etc/kubernetes/pki/*.crt
1.4.21 [Manual test]
Run the below command (based on the file location on your system) on the master node.
Run the below command (based on the file location on your system) on the master node.
For example, chmod -R 600 /etc/kubernetes/pki/*.key
1.5.1 Follow the etcd service documentation and configure TLS encryption.
@ -447,7 +447,7 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
[FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
[FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
@ -507,12 +507,9 @@ chmod 644 /etc/kubernetes/proxy.conf
node. For example,
chown root:root /etc/kubernetes/proxy.conf
2.2.7 Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
== Summary ==
15 checks PASS
16 checks PASS
7 checks FAIL
1 checks WARN
0 checks WARN
1 checks INFO