1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-25 17:38:21 +00:00

Fix CIS-1.9 policies 5.1.1/5.1.5 typos (#1658)

* Fix CIS-1.9 policies 5.1.1 typo

* Fix typo CIS-1.9 5.1.5

* Add new lines to CIS-1.9
This commit is contained in:
Andy Pitcher 2024-09-29 23:54:45 -04:00 committed by GitHub
parent f6877e3c17
commit b85ec78a84
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 37 additions and 2 deletions

View File

@ -15,6 +15,7 @@ groups:
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
implemented in place of client certificates. implemented in place of client certificates.
scored: false scored: false
- id: 3.1.2 - id: 3.1.2
text: "Service account token authentication should not be used for users (Manual)" text: "Service account token authentication should not be used for users (Manual)"
type: "manual" type: "manual"
@ -22,6 +23,7 @@ groups:
Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented Alternative mechanisms provided by Kubernetes such as the use of OIDC should be implemented
in place of service account tokens. in place of service account tokens.
scored: false scored: false
- id: 3.1.3 - id: 3.1.3
text: "Bootstrap token authentication should not be used for users (Manual)" text: "Bootstrap token authentication should not be used for users (Manual)"
type: "manual" type: "manual"

View File

@ -18,7 +18,7 @@ groups:
else else
is_compliant="true" is_compliant="true"
fi; fi;
echo "**role_name: ${role_name} role_binding: ${rolebinding} subject: ${subject} is_compliant: ${is_compliant}" echo "**role_name: ${role_name} role_binding: ${role_binding} subject: ${subject} is_compliant: ${is_compliant}"
done done
use_multiple_values: true use_multiple_values: true
tests: tests:
@ -34,6 +34,7 @@ groups:
clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name] clusterrolebinding to the cluster-admin role : kubectl delete clusterrolebinding [name]
Condition: is_compliant is false if rolename is not cluster-admin and rolebinding is cluster-admin. Condition: is_compliant is false if rolename is not cluster-admin and rolebinding is cluster-admin.
scored: true scored: true
- id: 5.1.2 - id: 5.1.2
text: "Minimize access to secrets (Automated)" text: "Minimize access to secrets (Automated)"
audit: "echo \"canGetListWatchSecretsAsSystemAuthenticated: $(kubectl auth can-i get,list,watch secrets --all-namespaces --as=system:authenticated)\"" audit: "echo \"canGetListWatchSecretsAsSystemAuthenticated: $(kubectl auth can-i get,list,watch secrets --all-namespaces --as=system:authenticated)\""
@ -46,6 +47,7 @@ groups:
remediation: | remediation: |
Where possible, remove get, list and watch access to Secret objects in the cluster. Where possible, remove get, list and watch access to Secret objects in the cluster.
scored: true scored: true
- id: 5.1.3 - id: 5.1.3
text: "Minimize wildcard use in Roles and ClusterRoles (Automated)" text: "Minimize wildcard use in Roles and ClusterRoles (Automated)"
audit: | audit: |
@ -92,6 +94,7 @@ groups:
Condition: role_is_compliant is false if ["*"] is found in rules. Condition: role_is_compliant is false if ["*"] is found in rules.
Condition: clusterrole_is_compliant is false if ["*"] is found in rules. Condition: clusterrole_is_compliant is false if ["*"] is found in rules.
scored: true scored: true
- id: 5.1.4 - id: 5.1.4
text: "Minimize access to create pods (Automated)" text: "Minimize access to create pods (Automated)"
audit: | audit: |
@ -106,7 +109,7 @@ groups:
Where possible, remove create access to pod objects in the cluster. Where possible, remove create access to pod objects in the cluster.
scored: true scored: true
- id: 5.1.5 - id: 5.1.5
text: "Ensure that default service accounts are not actively used. (Automated)" text: "Ensure that default service accounts are not actively used (Automated)"
audit: | audit: |
kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | " namespace: \(.metadata.namespace), kind: \(.kind), name: \(.metadata.name), automountServiceAccountToken: \(.automountServiceAccountToken | if . == null then "notset" else . end )"' | xargs -L 1 kubectl get serviceaccount --all-namespaces --field-selector metadata.name=default -o=json | jq -r '.items[] | " namespace: \(.metadata.namespace), kind: \(.kind), name: \(.metadata.name), automountServiceAccountToken: \(.automountServiceAccountToken | if . == null then "notset" else . end )"' | xargs -L 1
use_multiple_values: true use_multiple_values: true
@ -123,6 +126,7 @@ groups:
Modify the configuration of each default service account to include this value Modify the configuration of each default service account to include this value
`automountServiceAccountToken: false`. `automountServiceAccountToken: false`.
scored: true scored: true
- id: 5.1.6 - id: 5.1.6
text: "Ensure that Service Account Tokens are only mounted where necessary (Automated)" text: "Ensure that Service Account Tokens are only mounted where necessary (Automated)"
audit: | audit: |
@ -155,48 +159,56 @@ groups:
- ServiceAccount is automountServiceAccountToken: false and Pod is automountServiceAccountToken: false or notset - ServiceAccount is automountServiceAccountToken: false and Pod is automountServiceAccountToken: false or notset
- ServiceAccount is automountServiceAccountToken: true notset and Pod is automountServiceAccountToken: false - ServiceAccount is automountServiceAccountToken: true notset and Pod is automountServiceAccountToken: false
scored: true scored: true
- id: 5.1.7 - id: 5.1.7
text: "Avoid use of system:masters group (Manual)" text: "Avoid use of system:masters group (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Remove the system:masters group from all users in the cluster. Remove the system:masters group from all users in the cluster.
scored: false scored: false
- id: 5.1.8 - id: 5.1.8
text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)" text: "Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Where possible, remove the impersonate, bind and escalate rights from subjects. Where possible, remove the impersonate, bind and escalate rights from subjects.
scored: false scored: false
- id: 5.1.9 - id: 5.1.9
text: "Minimize access to create persistent volumes (Manual)" text: "Minimize access to create persistent volumes (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Where possible, remove create access to PersistentVolume objects in the cluster. Where possible, remove create access to PersistentVolume objects in the cluster.
scored: false scored: false
- id: 5.1.10 - id: 5.1.10
text: "Minimize access to the proxy sub-resource of nodes (Manual)" text: "Minimize access to the proxy sub-resource of nodes (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Where possible, remove access to the proxy sub-resource of node objects. Where possible, remove access to the proxy sub-resource of node objects.
scored: false scored: false
- id: 5.1.11 - id: 5.1.11
text: "Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)" text: "Minimize access to the approval sub-resource of certificatesigningrequests objects (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Where possible, remove access to the approval sub-resource of certificatesigningrequest objects. Where possible, remove access to the approval sub-resource of certificatesigningrequest objects.
scored: false scored: false
- id: 5.1.12 - id: 5.1.12
text: "Minimize access to webhook configuration objects (Manual)" text: "Minimize access to webhook configuration objects (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Where possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects Where possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects
scored: false scored: false
- id: 5.1.13 - id: 5.1.13
text: "Minimize access to the service account token creation (Manual)" text: "Minimize access to the service account token creation (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Where possible, remove access to the token sub-resource of serviceaccount objects. Where possible, remove access to the token sub-resource of serviceaccount objects.
scored: false scored: false
- id: 5.2 - id: 5.2
text: "Pod Security Standards" text: "Pod Security Standards"
checks: checks:
@ -207,6 +219,7 @@ groups:
Ensure that either Pod Security Admission or an external policy control system is in place Ensure that either Pod Security Admission or an external policy control system is in place
for every namespace which contains user workloads. for every namespace which contains user workloads.
scored: false scored: false
- id: 5.2.2 - id: 5.2.2
text: "Minimize the admission of privileged containers (Manual)" text: "Minimize the admission of privileged containers (Manual)"
type: "manual" type: "manual"
@ -214,6 +227,7 @@ groups:
Add policies to each namespace in the cluster which has user workloads to restrict the Add policies to each namespace in the cluster which has user workloads to restrict the
admission of privileged containers. admission of privileged containers.
scored: false scored: false
- id: 5.2.3 - id: 5.2.3
text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)" text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
type: "manual" type: "manual"
@ -221,6 +235,7 @@ groups:
Add policies to each namespace in the cluster which has user workloads to restrict the Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostPID` containers. admission of `hostPID` containers.
scored: false scored: false
- id: 5.2.4 - id: 5.2.4
text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)" text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
type: "manual" type: "manual"
@ -228,6 +243,7 @@ groups:
Add policies to each namespace in the cluster which has user workloads to restrict the Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostIPC` containers. admission of `hostIPC` containers.
scored: false scored: false
- id: 5.2.5 - id: 5.2.5
text: "Minimize the admission of containers wishing to share the host network namespace (Manual)" text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
type: "manual" type: "manual"
@ -235,6 +251,7 @@ groups:
Add policies to each namespace in the cluster which has user workloads to restrict the Add policies to each namespace in the cluster which has user workloads to restrict the
admission of `hostNetwork` containers. admission of `hostNetwork` containers.
scored: false scored: false
- id: 5.2.6 - id: 5.2.6
text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)" text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
type: "manual" type: "manual"
@ -242,6 +259,7 @@ groups:
Add policies to each namespace in the cluster which has user workloads to restrict the Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with `.spec.allowPrivilegeEscalation` set to `true`. admission of containers with `.spec.allowPrivilegeEscalation` set to `true`.
scored: false scored: false
- id: 5.2.7 - id: 5.2.7
text: "Minimize the admission of root containers (Manual)" text: "Minimize the admission of root containers (Manual)"
type: "manual" type: "manual"
@ -249,6 +267,7 @@ groups:
Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot` Create a policy for each namespace in the cluster, ensuring that either `MustRunAsNonRoot`
or `MustRunAs` with the range of UIDs not including 0, is set. or `MustRunAs` with the range of UIDs not including 0, is set.
scored: false scored: false
- id: 5.2.8 - id: 5.2.8
text: "Minimize the admission of containers with the NET_RAW capability (Manual)" text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
type: "manual" type: "manual"
@ -256,6 +275,7 @@ groups:
Add policies to each namespace in the cluster which has user workloads to restrict the Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with the `NET_RAW` capability. admission of containers with the `NET_RAW` capability.
scored: false scored: false
- id: 5.2.9 - id: 5.2.9
text: "Minimize the admission of containers with added capabilities (Manual)" text: "Minimize the admission of containers with added capabilities (Manual)"
type: "manual" type: "manual"
@ -263,6 +283,7 @@ groups:
Ensure that `allowedCapabilities` is not present in policies for the cluster unless Ensure that `allowedCapabilities` is not present in policies for the cluster unless
it is set to an empty array. it is set to an empty array.
scored: false scored: false
- id: 5.2.10 - id: 5.2.10
text: "Minimize the admission of containers with capabilities assigned (Manual)" text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual" type: "manual"
@ -271,6 +292,7 @@ groups:
contains applicaions which do not require any Linux capabities to operate consider adding contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities. a PSP which forbids the admission of containers which do not drop all capabilities.
scored: false scored: false
- id: 5.2.11 - id: 5.2.11
text: "Minimize the admission of Windows HostProcess containers (Manual)" text: "Minimize the admission of Windows HostProcess containers (Manual)"
type: "manual" type: "manual"
@ -278,6 +300,7 @@ groups:
Add policies to each namespace in the cluster which has user workloads to restrict the Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers that have `.securityContext.windowsOptions.hostProcess` set to `true`. admission of containers that have `.securityContext.windowsOptions.hostProcess` set to `true`.
scored: false scored: false
- id: 5.2.12 - id: 5.2.12
text: "Minimize the admission of HostPath volumes (Manual)" text: "Minimize the admission of HostPath volumes (Manual)"
type: "manual" type: "manual"
@ -285,6 +308,7 @@ groups:
Add policies to each namespace in the cluster which has user workloads to restrict the Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers with `hostPath` volumes. admission of containers with `hostPath` volumes.
scored: false scored: false
- id: 5.2.13 - id: 5.2.13
text: "Minimize the admission of containers which use HostPorts (Manual)" text: "Minimize the admission of containers which use HostPorts (Manual)"
type: "manual" type: "manual"
@ -292,6 +316,7 @@ groups:
Add policies to each namespace in the cluster which has user workloads to restrict the Add policies to each namespace in the cluster which has user workloads to restrict the
admission of containers which use `hostPort` sections. admission of containers which use `hostPort` sections.
scored: false scored: false
- id: 5.3 - id: 5.3
text: "Network Policies and CNI" text: "Network Policies and CNI"
checks: checks:
@ -303,12 +328,14 @@ groups:
making use of a different plugin, or finding an alternate mechanism for restricting traffic making use of a different plugin, or finding an alternate mechanism for restricting traffic
in the Kubernetes cluster. in the Kubernetes cluster.
scored: false scored: false
- id: 5.3.2 - id: 5.3.2
text: "Ensure that all Namespaces have NetworkPolicies defined (Manual)" text: "Ensure that all Namespaces have NetworkPolicies defined (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Follow the documentation and create NetworkPolicy objects as you need them. Follow the documentation and create NetworkPolicy objects as you need them.
scored: false scored: false
- id: 5.4 - id: 5.4
text: "Secrets Management" text: "Secrets Management"
checks: checks:
@ -319,6 +346,7 @@ groups:
If possible, rewrite application code to read Secrets from mounted secret files, rather than If possible, rewrite application code to read Secrets from mounted secret files, rather than
from environment variables. from environment variables.
scored: false scored: false
- id: 5.4.2 - id: 5.4.2
text: "Consider external secret storage (Manual)" text: "Consider external secret storage (Manual)"
type: "manual" type: "manual"
@ -326,6 +354,7 @@ groups:
Refer to the Secrets management options offered by your cloud provider or a third-party Refer to the Secrets management options offered by your cloud provider or a third-party
secrets management solution. secrets management solution.
scored: false scored: false
- id: 5.5 - id: 5.5
text: "Extensible Admission Control" text: "Extensible Admission Control"
checks: checks:
@ -335,6 +364,7 @@ groups:
remediation: | remediation: |
Follow the Kubernetes documentation and setup image provenance. Follow the Kubernetes documentation and setup image provenance.
scored: false scored: false
- id: 5.7 - id: 5.7
text: "General Policies" text: "General Policies"
checks: checks:
@ -345,6 +375,7 @@ groups:
Follow the documentation and create namespaces for objects in your deployment as you need Follow the documentation and create namespaces for objects in your deployment as you need
them. them.
scored: false scored: false
- id: 5.7.2 - id: 5.7.2
text: "Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)" text: "Ensure that the seccomp profile is set to docker/default in your Pod definitions (Manual)"
type: "manual" type: "manual"
@ -355,6 +386,7 @@ groups:
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
scored: false scored: false
- id: 5.7.3 - id: 5.7.3
text: "Apply SecurityContext to your Pods and Containers (Manual)" text: "Apply SecurityContext to your Pods and Containers (Manual)"
type: "manual" type: "manual"
@ -363,6 +395,7 @@ groups:
suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker suggested list of SecurityContexts, you may refer to the CIS Security Benchmark for Docker
Containers. Containers.
scored: false scored: false
- id: 5.7.4 - id: 5.7.4
text: "The default namespace should not be used (Manual)" text: "The default namespace should not be used (Manual)"
type: "manual" type: "manual"