mirror of https://github.com/aquasecurity/kube-bench.git synced 2025-06-22 16:09:03 +00:00

FIXING RKE-2-CIS-1.24 Checks (#1688)

MASTER:
  Checks 1.1.10, 1.1.20 are manual
NODE:
  a. Check 4.2.12 is the node-level equivalent of the master-level check 1.3.6 and is treated the same way.
Saurabh Misra 2024-09-24 11:26:58 +05:30 committed by GitHub
parent 5a3fd1d896
commit c533d68bad
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 17 additions and 4 deletions


@ -148,12 +148,18 @@ groups:
- id: 1.1.10 - id: 1.1.10
text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)" text: "Ensure that the Container Network Interface file ownership is set to root:root (Manual)"
audit: | audit: |
ps -fC ${kubeletbin:-kubelet} | grep -- --cni-conf-dir || echo "/etc/cni/net.d" | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G '/bin/sh -c "if [[ -e /etc/cni/net.d ]]; then
ps -fC "${kubeletbin:-kubelet}" | grep -- --cni-conf-dir || echo "/etc/cni/net.d" | sed 's%.*cni-conf-dir[= ]\([^ ]*\).*%\1%' | xargs -I{} find {} -mindepth 1 | xargs --no-run-if-empty stat -c %U:%G
find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G find /var/lib/cni/networks -type f 2> /dev/null | xargs --no-run-if-empty stat -c %U:%G
else
echo "File not found"
fi'
use_multiple_values: true use_multiple_values: true
tests: tests:
bin_op: or
test_items: test_items:
- flag: "root:root" - flag: "root:root"
- flag: "File not found"
remediation: | remediation: |
Run the below command (based on the file location on your system) on the control plane node. Run the below command (based on the file location on your system) on the control plane node.
For example, For example,
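Review bot: the quoting in the new 1.1.10 audit is not self-consistent, so the command will not run as written: the whole block is wrapped as `'/bin/sh -c "if [[ -e /etc/cni/net.d ]]; then ... fi'`, but the body contains further double quotes (`ps -fC "${kubeletbin:-kubelet}"`, `echo "/etc/cni/net.d"`, `echo "File not found"`) that terminate the `-c` argument early, and the sed script `'s%.*cni-conf-dir[= ]\([^ ]*\).*%\1%'` uses single quotes inside the single-quoted wrapper. `[[ ... ]]` is also a bash extension that `/bin/sh` is not guaranteed to support. Suggest dropping the `'/bin/sh -c "..."'` wrapper and writing the if/then/else directly in the `audit: |` scalar with a POSIX test (`if [ -e /etc/cni/net.d ]; then`), so the inner quotes stand on their own. Note too that with `bin_op: or` and the added `- flag: "File not found"`, a missing CNI directory now passes the check; that is reasonable for a Manual item but worth stating in the remediation text so the pass is not mistaken for a verified `root:root` result.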
@ -321,11 +327,18 @@ groups:
- id: 1.1.21 - id: 1.1.21
text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)" text: "Ensure that the Kubernetes PKI key file permissions are set to 600 (Manual)"
audit: "stat -c permissions=%a /var/lib/rancher/rke2/server/tls/*.key" audit: |
'/bin/sh -c if test -e "/var/lib/rancher/rke2/server/tls/*.key"; then
stat -c "%a" "/var/lib/rancher/rke2/server/tls/*.key"
else
echo "File not found"
fi'
use_multiple_values: true use_multiple_values: true
tests: tests:
bin_op: or
test_items: test_items:
- flag: "permissions" - flag: "permissions"
- flag: "File not found"
compare: compare:
op: eq op: eq
value: "600" value: "600"
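Review bot: the new 1.1.21 audit can never produce a passing `permissions` result and will always report `File not found`. `test -e "/var/lib/rancher/rke2/server/tls/*.key"` quotes the glob, so it checks for a file literally named `*.key` rather than expanding it; the `else` branch therefore always runs, and with `bin_op: or` plus `- flag: "File not found"` the check passes regardless of the real key permissions. Even if the `then` branch were reached, `stat -c "%a" ...` prints only the mode (e.g. `600`), whereas the test item still expects `flag: "permissions"` with `compare: op: eq value: "600"`; the old audit's `stat -c permissions=%a` prefix is what makes that flag match. The `'/bin/sh -c if test ...'` wrapper is also malformed, since the `-c` script is not quoted as a single argument. Suggest replacing the body with an unquoted glob and the prefix kept, along the lines of `for f in /var/lib/rancher/rke2/server/tls/*.key; do [ -e "$f" ] && stat -c permissions=%a "$f"; done`, and emitting `File not found` only when no key matched.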
@ -979,7 +992,7 @@ groups:
Edit the Controller Manager pod specification file $controllermanagerconf Edit the Controller Manager pod specification file $controllermanagerconf
on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true. on the control plane node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
--feature-gates=RotateKubeletServerCertificate=true --feature-gates=RotateKubeletServerCertificate=true
scored: true scored: false
type: skip type: skip
- id: 1.3.7 - id: 1.3.7
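Review bot: the reason 1.3.6 is now both `scored: false` and `type: skip` is not recorded in the YAML, and the remediation text above still instructs the operator to edit `$controllermanagerconf` and set `--feature-gates=RotateKubeletServerCertificate=true`, which reads oddly for a check that is never evaluated. The commit message only mentions 1.1.10, 1.1.20 and 4.2.12, so nothing on the page explains this change. Suggest adding a sentence to the check's `text` or `remediation` stating why it is skipped on RKE2, so report readers know the omission is intentional rather than a coverage gap; if the setting is still worth surfacing, `type: manual` keeps the item visible in the report without scoring it.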


@ -440,7 +440,7 @@ groups:
systemctl daemon-reload systemctl daemon-reload
systemctl restart kubelet.service systemctl restart kubelet.service
scored: false scored: false
type: skip
- id: 4.2.13 - id: 4.2.13
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)" text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)"
audit: "/bin/ps -fC $kubeletbin" audit: "/bin/ps -fC $kubeletbin"
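Review bot: adding `type: skip` to 4.2.12 means its kubelet audit never runs, yet the check keeps its full remediation (`systemctl daemon-reload` / `systemctl restart kubelet.service`), and, as with 1.3.6 which the commit message says it mirrors, the rationale for skipping is not written into the YAML. Suggest recording in the check text why the node-level counterpart of 1.3.6 does not apply on RKE2, or using `type: manual` so the item still appears in reports for operator review instead of disappearing silently.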