mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-27 02:18:16 +00:00
Improve Proxykubeconfig tests (#708)
* Changes for 1.5 * Update cis-1.3 through 1.6 to also work with configmaps. * Switch on if proxykubeconfig is set, instead of setting a variable in the script. * permissons -> proxykubeconfig for 2.2.5/4.1.3 to keep these tests locked with 2.2.6/4.1.4 * Updating test output? Maybe? * Copy integration test output files into docker image? * Make entrypoint move integration folder to host, print 1.5 node info. * Change the order of tests in travis to load files before testing. * Return tests to place Those tests comes first since there is more likely to fail with them and then the test will fail "faster" which will save time * Remove copy integration When running in a container we don't need to test, only when build and running in Travis to make sure everything is working fine. * Add $ mark before proxykubeconfig If not having $ before the parameter then it won't get substituted * Add $ mark before proxykubeconfig If not having $ before the parameter then it won't get substituted * Remove test relate lines We don't test while running, only integration testing when building and unit testing * Add spaces * Change 4.1.3 4.1.4 Those tests now should pass. * Change tests 4.1.3 and 4.1.4 Those tests now should PASS * Update job.data with more accurate counts. Thanks to @yoavrotems for getting the project this far! * Thanks for linting, yamllint! Co-authored-by: Yoav Rotem <yoavrotems97@gmail.com>
This commit is contained in:
parent
714430c7fc
commit
a7aa21f32c
@ -41,12 +41,15 @@ groups:
|
||||
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
||||
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "permissions"
|
||||
set: true
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -57,9 +60,12 @@ groups:
|
||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
||||
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
set: true
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -39,11 +39,15 @@ groups:
|
||||
text: "If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)"
|
||||
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c permissions=%a $proxykubeconfig; fi'' '
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: "permissions"
|
||||
set: true
|
||||
compare:
|
||||
op: bitmask
|
||||
value: "644"
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
@ -54,8 +58,11 @@ groups:
|
||||
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)"
|
||||
audit: '/bin/sh -c ''if test -e $proxykubeconfig; then stat -c %U:%G $proxykubeconfig; fi'' '
|
||||
tests:
|
||||
bin_op: or
|
||||
test_items:
|
||||
- flag: root:root
|
||||
- flag: "$proxykubeconfig"
|
||||
set: false
|
||||
remediation: |
|
||||
Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root $proxykubeconfig
|
||||
|
@ -1,3 +1,4 @@
|
||||
---
|
||||
coverage:
|
||||
status:
|
||||
project:
|
||||
|
15
integration/testdata/cis-1.5/job-node.data
vendored
15
integration/testdata/cis-1.5/job-node.data
vendored
@ -2,8 +2,8 @@
|
||||
[INFO] 4.1 Worker Node Configuration Files
|
||||
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Scored)
|
||||
[FAIL] 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||
[FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||
[PASS] 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||
[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
||||
[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
@ -26,13 +26,6 @@
|
||||
[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
|
||||
|
||||
== Remediations ==
|
||||
4.1.3 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
chmod 644 /etc/kubernetes/proxy.conf
|
||||
|
||||
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root /etc/kubernetes/proxy.conf
|
||||
|
||||
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
|
||||
If using command line arguments, edit the kubelet service file
|
||||
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
||||
@ -71,7 +64,7 @@ systemctl restart kubelet.service
|
||||
|
||||
|
||||
== Summary ==
|
||||
17 checks PASS
|
||||
5 checks FAIL
|
||||
19 checks PASS
|
||||
3 checks FAIL
|
||||
1 checks WARN
|
||||
0 checks INFO
|
||||
|
15
integration/testdata/cis-1.5/job.data
vendored
15
integration/testdata/cis-1.5/job.data
vendored
@ -215,8 +215,8 @@ minimum.
|
||||
[INFO] 4.1 Worker Node Configuration Files
|
||||
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Scored)
|
||||
[FAIL] 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||
[FAIL] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||
[PASS] 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)
|
||||
[PASS] 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)
|
||||
[PASS] 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Scored)
|
||||
[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)
|
||||
@ -239,13 +239,6 @@ minimum.
|
||||
[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)
|
||||
|
||||
== Remediations ==
|
||||
4.1.3 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
chmod 644 /etc/kubernetes/proxy.conf
|
||||
|
||||
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root /etc/kubernetes/proxy.conf
|
||||
|
||||
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
|
||||
If using command line arguments, edit the kubelet service file
|
||||
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
||||
@ -284,8 +277,8 @@ systemctl restart kubelet.service
|
||||
|
||||
|
||||
== Summary ==
|
||||
17 checks PASS
|
||||
5 checks FAIL
|
||||
19 checks PASS
|
||||
3 checks FAIL
|
||||
1 checks WARN
|
||||
0 checks INFO
|
||||
[INFO] 5 Kubernetes Policies
|
||||
|
15
integration/testdata/cis-1.6/job-node.data
vendored
15
integration/testdata/cis-1.6/job-node.data
vendored
@ -2,8 +2,8 @@
|
||||
[INFO] 4.1 Worker Node Configuration Files
|
||||
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
|
||||
[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
|
||||
[WARN] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
|
||||
[WARN] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)
|
||||
[PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
|
||||
[PASS] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)
|
||||
[PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)
|
||||
[PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)
|
||||
[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)
|
||||
@ -26,13 +26,6 @@
|
||||
[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
|
||||
|
||||
== Remediations ==
|
||||
4.1.3 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
chmod 644 /etc/kubernetes/proxy.conf
|
||||
|
||||
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root /etc/kubernetes/proxy.conf
|
||||
|
||||
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
|
||||
If using command line arguments, edit the kubelet service file
|
||||
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
||||
@ -71,7 +64,7 @@ systemctl restart kubelet.service
|
||||
|
||||
|
||||
== Summary ==
|
||||
17 checks PASS
|
||||
19 checks PASS
|
||||
1 checks FAIL
|
||||
5 checks WARN
|
||||
3 checks WARN
|
||||
0 checks INFO
|
||||
|
15
integration/testdata/cis-1.6/job.data
vendored
15
integration/testdata/cis-1.6/job.data
vendored
@ -222,8 +222,8 @@ minimum.
|
||||
[INFO] 4.1 Worker Node Configuration Files
|
||||
[PASS] 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
|
||||
[PASS] 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
|
||||
[WARN] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
|
||||
[WARN] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)
|
||||
[PASS] 4.1.3 If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
|
||||
[PASS] 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Manual)
|
||||
[PASS] 4.1.5 Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automated)
|
||||
[PASS] 4.1.6 Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Manual)
|
||||
[PASS] 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Manual)
|
||||
@ -246,13 +246,6 @@ minimum.
|
||||
[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
|
||||
|
||||
== Remediations ==
|
||||
4.1.3 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example,
|
||||
chmod 644 /etc/kubernetes/proxy.conf
|
||||
|
||||
4.1.4 Run the below command (based on the file location on your system) on the each worker node.
|
||||
For example, chown root:root /etc/kubernetes/proxy.conf
|
||||
|
||||
4.2.6 If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
|
||||
If using command line arguments, edit the kubelet service file
|
||||
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
|
||||
@ -291,9 +284,9 @@ systemctl restart kubelet.service
|
||||
|
||||
|
||||
== Summary ==
|
||||
17 checks PASS
|
||||
19 checks PASS
|
||||
1 checks FAIL
|
||||
5 checks WARN
|
||||
3 checks WARN
|
||||
0 checks INFO
|
||||
[INFO] 5 Kubernetes Policies
|
||||
[INFO] 5.1 RBAC and Service Accounts
|
||||
|
Loading…
Reference in New Issue
Block a user