1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-26 01:49:28 +00:00

Add master node manual check definitions.

This commit is contained in:
Abubakr-Sadik Nii Nai Davis 2017-08-06 16:12:47 +00:00 committed by Liz Rice
parent 09ca739dc0
commit c39516581b

View File

@ -479,19 +479,14 @@ groups:
parameter to \"--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>\"" parameter to \"--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>\""
scored: true scored: true
# TODO: provide flag to WARN of manual tasks which we can't automate.
- id: 1.1.35 - id: 1.1.35
text: "Ensure that the encryption provider is set to aescbc (Scored)" text: "Ensure that the encryption provider is set to aescbc (Scored)"
audit: "ps -ef | grep $apiserverbin | grep -v grep" audit: "ps -ef | grep $apiserverbin | grep -v grep"
tests: type: "manual"
test_items:
- flag: "requires manual intervention"
set: true
remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
choose aescbc as the encryption provider" choose aescbc as the encryption provider"
scored: true scored: true
- id: 1.2 - id: 1.2
text: "Scheduler" text: "Scheduler"
checks: checks:
@ -573,7 +568,13 @@ groups:
KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>" KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
scored: true scored: true
# TODO: 1.3.6 is manual, provide way to WARN - id: 1.3.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include
\"--feature-gates=RotateKubeletServerCertificate=true\""
scored: false
- id: 1.3.7 - id: 1.3.7
text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
@ -717,6 +718,20 @@ groups:
chmod 700 /var/lib/etcd/default.etcd" chmod 700 /var/lib/etcd/default.etcd"
scored: true scored: true
- id: 1.4.12
text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G"
tests:
test_items:
- flag: "etcd:etcd"
set: true
remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
from the below command:\n
ps -ef | grep etcd\n
Run the below command (based on the etcd data directory found above). For example,\n
chown etcd:etcd /var/lib/etcd/default.etcd"
scored: true
- id: 1.5 - id: 1.5
text: "etcd" text: "etcd"
checks: checks:
@ -859,3 +874,65 @@ groups:
remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the
etcd service." etcd service."
scored: false scored: false
- id: 1.6
text: "General Security Primitives"
checks:
- id: 1.6.1
text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
type: "manual"
remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
scored: false
- id: 1.6.2
text: "Create Pod Security Policies for your cluster (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
suggested Pod Security Policies for your environment."
scored: false
- id: 1.6.3
text: "Create administrative boundaries between resources using namespaces (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create namespaces for objects in your deployment as you
need them."
scored: false
- id: 1.6.4
text: "Create network segmentation using Network Policies (Not Scored)"
type: "manual"
remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
scored: false
- id: 1.6.5
text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
type: "manual"
remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
would need to enable alpha features in the apiserver by passing \"--feature-
gates=AllAlpha=true\" argument.\n
Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
parameter to \"--feature-gates=AllAlpha=true\"
KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
scored: false
- id: 1.6.6
text: "Apply Security Context to Your Pods and Containers (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
Containers."
scored: false
- id: 1.6.7
text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and setup image provenance."
scored: false
- id: 1.6.8
text: "Configure Network policies as appropriate (Not Scored)"
type: "manual"
remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
scored: false