mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-22 14:48:07 +00:00

Issue #421: Merges PR #422 with master (#523)

* Add kubeconfig location of kube-proxy for AKS

* Add job for AKS node

* Automate ca file permission check

* removed job-aks.yaml as other PRs added needed features

* fixed integration test due to merge changes
Roberto Rojas 2019-11-27 10:30:29 -05:00 committed by Liz Rice
parent e2f61fad13
commit 9c6d4de860
6 changed files with 36 additions and 24 deletions


@ -464,8 +464,25 @@ groups:
- id: 2.2.7 - id: 2.2.7
text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored) text: Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
type: manual audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %a $kubeletcafile; fi'"
tests: {} tests:
bin_op: or
test_items:
- flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "640"
compare:
op: eq
value: "640"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: | remediation: |
Run the following command to modify the file permissions of the --client-ca-file Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename> chmod 644 <filename>
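Review bot: the three test_items accept only the exact modes 644, 640 and 600, so a CA file with a stricter mode such as 400, 444 or 440 would be reported as FAIL even though the check text says "644 or more restrictive"; consider covering the remaining permitted modes, or a bitmask-style comparison if the compare operators support one. Also note that when `$kubeletcafile` does not exist the audit prints nothing and the check fails with no indication that the file was missing, which is a regression from the old manual WARN; worth confirming that is the intended outcome.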


@ -135,7 +135,8 @@ node:
- /etc/kubernetes/addons/kube-proxy-daemonset.yaml - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
- /var/snap/kube-proxy/current/args - /var/snap/kube-proxy/current/args
kubeconfig: kubeconfig:
- /etc/kubernetes/kubelet-kubeconfig - "/etc/kubernetes/kubelet-kubeconfig"
- "/var/lib/kubelet/kubeconfig"
svc: svc:
- "/lib/systemd/system/kube-proxy.service" - "/lib/systemd/system/kube-proxy.service"
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
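Review bot: the new entry "/var/lib/kubelet/kubeconfig" sits in the kube-proxy kubeconfig list but points into the kubelet directory, and nothing in the file says why; a YAML comment recording that this is the AKS kube-proxy location (as the commit message states) would keep a later reader from removing it as a copy-paste mistake. Quoting the existing "/etc/kubernetes/kubelet-kubeconfig" entry is cosmetic only.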


@ -21,7 +21,7 @@
[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored) [PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
[FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) [FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
[FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) [FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored) [PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored) [PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored) [PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) [PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
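Review bot: flipping the expected result for 2.2.7 from WARN to PASS makes this integration test depend on the CA file in the test cluster having mode 644, 640 or 600; the fixture should set that mode explicitly so the expectation does not silently break when the underlying node image changes.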
@ -81,12 +81,9 @@ chmod 644 /etc/kubernetes/proxy.conf
node. For example, node. For example,
chown root:root /etc/kubernetes/proxy.conf chown root:root /etc/kubernetes/proxy.conf
2.2.7 Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
== Summary == == Summary ==
15 checks PASS 16 checks PASS
7 checks FAIL 7 checks FAIL
1 checks WARN 0 checks WARN
1 checks INFO 1 checks INFO


@ -447,7 +447,7 @@ Create a PSP as described in the Kubernetes documentation, ensuring that the .sp
[PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored) [PASS] 2.2.4 Ensure that the kubelet service file ownership is set to root:root (Scored)
[FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) [FAIL] 2.2.5 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
[FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) [FAIL] 2.2.6 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
[WARN] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored) [PASS] 2.2.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
[PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored) [PASS] 2.2.8 Ensure that the client certificate authorities file ownership is set to root:root (Scored)
[PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored) [PASS] 2.2.9 Ensure that the kubelet configuration file ownership is set to root:root (Scored)
[PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) [PASS] 2.2.10 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored)
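Review bot: this expected-output file carries the same 2.2.x result block as the other testdata file changed in this commit, so every checks-config change has to be applied in two places; if both fixtures exercise the same node checks, consider sharing that section so the two copies cannot drift apart.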
@ -507,12 +507,9 @@ chmod 644 /etc/kubernetes/proxy.conf
node. For example, node. For example,
chown root:root /etc/kubernetes/proxy.conf chown root:root /etc/kubernetes/proxy.conf
2.2.7 Run the following command to modify the file permissions of the --client-ca-file
chmod 644 <filename>
== Summary == == Summary ==
15 checks PASS 16 checks PASS
7 checks FAIL 7 checks FAIL
1 checks WARN 0 checks WARN
1 checks INFO 1 checks INFO