1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-12-21 06:08:06 +00:00

A few corrections to node tests. (#2)

* Add a few corrections.

* Add a few corrections to node test file.
This commit is contained in:
Abubakr-Sadik Nii Nai Davis 2018-10-13 19:48:50 +00:00 committed by Benji Visser
parent 934b4aef96
commit b1369832bc

View File

@ -38,8 +38,11 @@ groups:
value: false value: false
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf If using a Kubelet config file, edit the file to set authentication: anonymous: enabled to
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. false .
If using executable arguments, edit the kubelet service file
$kubeletconf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--anonymous-auth=false --anonymous-auth=false
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
@ -57,8 +60,10 @@ groups:
value: "AlwaysAllow" value: "AlwaysAllow"
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. If using executable arguments, edit the kubelet service file
$kubeletconf on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook --authorization-mode=Webhook
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
@ -73,8 +78,11 @@ groups:
- flag: "--client-ca-file" - flag: "--client-ca-file"
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf If using a Kubelet config file, edit the file to set authentication: x509: clientCAFile to
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable. the location of the client CA file.
If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and
set the below parameter in KUBELET_AUTHZ_ARGS variable.
--client-ca-file=<path/to/client-ca-file> --client-ca-file=<path/to/client-ca-file>
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
@ -92,8 +100,10 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf If using a Kubelet config file, edit the file to set readOnlyPort to 0 .
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0 --read-only-port=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
@ -111,8 +121,11 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf If using a Kubelet config file, edit the file to set streamingConnectionIdleTimeout to a
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. value other than 0.
If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--streaming-connection-idle-timeout=5m --streaming-connection-idle-timeout=5m
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
@ -130,8 +143,10 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf If using a Kubelet config file, edit the file to set protectKernelDefaults: true .
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true --protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
@ -150,8 +165,10 @@ groups:
value: true value: true
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf If using a Kubelet config file, edit the file to set makeIPTablesUtilChains: true .
on each worker node and remove the --make-iptables-util-chains argument from the If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and
remove the --make-iptables-util-chains argument from the
KUBELET_SYSTEM_PODS_ARGS variable. KUBELET_SYSTEM_PODS_ARGS variable.
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
@ -185,8 +202,10 @@ groups:
value: 0 value: 0
set: true set: true
remediation: | remediation: |
Edit the kubelet service file $kubeletconf If using a Kubelet config file, edit the file to set eventRecordQPS: 0 .
on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--event-qps=0 --event-qps=0
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
@ -197,19 +216,21 @@ groups:
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
bin_op: and
test_items: test_items:
- flag: "--tls-cert-file" - flag: "--tls-cert-file"
set: true set: true
- flag: "--tls-private-key-file" - flag: "--tls-private-key-file"
set: true set: true
remediation: | remediation: |
Follow the Kubernetes documentation and set up the TLS connection on the Kubelet. If using a Kubelet config file, edit the file to set tlsCertFile to the location of the certificate
Then edit the kubelet service file /etc/systemd/system/kubelet.service.d/10- file to use to identify this Kubelet, and tlsPrivateKeyFile to the location of the
kubeadm.conf on each worker node and set the below parameters in corresponding private key file.
KUBELET_CERTIFICATE_ARGS variable. If using command line arguments, edit the kubelet service file
$kubeletconf on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file> --tls-cert-file=<path/to/tls-certificate-file>
file=<path/to/tls-key-file> file=<path/to/tls-key-file>
--tls-private-key-
Based on your system, restart the kubelet service. For example: Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
@ -219,12 +240,15 @@ groups:
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -ef | grep $kubeletbin | grep -v grep"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "--cadvisor-port" - flag: "--cadvisor-port"
compare: compare:
op: eq op: eq
value: 0 value: 0
set: true set: true
- flag: "--cadvisor-port"
set: false
remediation: | remediation: |
Edit the kubelet service file $kubeletconf Edit the kubelet service file $kubeletconf
on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable. on each worker node and set the below parameter in KUBELET_CADVISOR_ARGS variable.
@ -246,7 +270,9 @@ groups:
set: true set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to add the line rotateCertificates: true. If using a Kubelet config file, edit the file to add the line rotateCertificates: true.
If using command line arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable. Based on your system, restart the kubelet service. For example: If using command line arguments, edit the kubelet service file $kubeletconf
on each worker node and add --rotate-certificates=true argument to the KUBELET_CERTIFICATE_ARGS variable.
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: true scored: true
@ -282,7 +308,7 @@ groups:
set: true set: true
remediation: | remediation: |
If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter. If using executable arguments, edit the kubelet service file $kubeletconf on each worker node and set the below parameter.
--tls-cipher- suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM _SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM _SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM _SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 --tls-cipher- suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM _SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM _SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM _SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
scored: false scored: false