
Only find flags on the process we really want

This commit is contained in:
Liz Rice 2019-02-28 01:33:21 +08:00
parent 2d4c7e8b42
commit d712db47a2
No known key found for this signature in database
GPG Key ID: 837476CA214296CB
2 changed files with 30 additions and 30 deletions


@ -10,7 +10,7 @@ groups:
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" text: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--allow-privileged" - flag: "--allow-privileged"
@ -29,7 +29,7 @@ groups:
- id: 2.1.2 - id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--anonymous-auth" - flag: "--anonymous-auth"
@ -51,7 +51,7 @@ groups:
- id: 2.1.3 - id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: "--authorization-mode"
@ -72,7 +72,7 @@ groups:
- id: 2.1.4 - id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--client-ca-file" - flag: "--client-ca-file"
@ -91,7 +91,7 @@ groups:
- id: 2.1.5 - id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--read-only-port" - flag: "--read-only-port"
@ -112,7 +112,7 @@ groups:
- id: 2.1.6 - id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--streaming-connection-idle-timeout" - flag: "--streaming-connection-idle-timeout"
@ -134,7 +134,7 @@ groups:
- id: 2.1.7 - id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--protect-kernel-defaults" - flag: "--protect-kernel-defaults"
@ -155,7 +155,7 @@ groups:
- id: 2.1.8 - id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -179,7 +179,7 @@ groups:
- id: 2.1.9 - id: 2.1.9
text: "Ensure that the --hostname-override argument is not set (Scored)" text: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--hostname-override" - flag: "--hostname-override"
@ -195,7 +195,7 @@ groups:
- id: 2.1.10 - id: 2.1.10
text: "Ensure that the --event-qps argument is set to 0 (Scored)" text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--event-qps" - flag: "--event-qps"
@ -216,7 +216,7 @@ groups:
- id: 2.1.11 - id: 2.1.11
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -240,7 +240,7 @@ groups:
- id: 2.1.12 - id: 2.1.12
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -262,7 +262,7 @@ groups:
- id: 2.1.13 - id: 2.1.13
text: "Ensure that the --rotate-certificates argument is not set to false (Scored)" text: "Ensure that the --rotate-certificates argument is not set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--rotate-certificates" - flag: "--rotate-certificates"
@ -281,7 +281,7 @@ groups:
- id: 2.1.14 - id: 2.1.14
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)" text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletServerCertificate" - flag: "RotateKubeletServerCertificate"
@ -300,7 +300,7 @@ groups:
- id: 2.1.15 - id: 2.1.15
text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)" text: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--tls-cipher-suites" - flag: "--tls-cipher-suites"
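Review bot: `ps -C` selects by the process's command name (`comm`, the executable basename, truncated to 15 characters on Linux), not by path or arguments, so the new `audit: "ps -fC $kubeletbin"` lines in every hunk of this file and of the second file only match when `$kubeletbin` is exactly the kubelet's process name; a configured full path, or a kubelet started as a subcommand of another binary (which the old `grep $kubeletbin` would still have matched as an argument), presumably yields empty output. Empty audit output is security-relevant here because the "must not be set" checks such as 2.1.9 `--hostname-override` would then see no flag and pass vacuously rather than fail loudly. `-C` is also a procps extension rather than POSIX `ps`, so hosts or images whose `ps` is BusyBox would presumably error, and `ps -f` now prints a header line (`UID PID ... CMD`) that the old `grep -v grep` pipeline never emitted, which is harmless for `--flag` substring matches but worth knowing. I'd record the contract where `$kubeletbin` is defined: `# kubeletbin must be the process name as reported by ps -C (basename, no path)`. The enclosing `checks:` sequence starts before and continues after each hunk.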


@ -10,7 +10,7 @@ groups:
checks: checks:
- id: 2.1.1 - id: 2.1.1
text: "Ensure that the --allow-privileged argument is set to false (Scored)" text: "Ensure that the --allow-privileged argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--allow-privileged" - flag: "--allow-privileged"
@ -29,7 +29,7 @@ groups:
- id: 2.1.2 - id: 2.1.2
text: "Ensure that the --anonymous-auth argument is set to false (Scored)" text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--anonymous-auth" - flag: "--anonymous-auth"
@ -48,7 +48,7 @@ groups:
- id: 2.1.3 - id: 2.1.3
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)" text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--authorization-mode" - flag: "--authorization-mode"
@ -67,7 +67,7 @@ groups:
- id: 2.1.4 - id: 2.1.4
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)" text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--client-ca-file" - flag: "--client-ca-file"
@ -83,7 +83,7 @@ groups:
- id: 2.1.5 - id: 2.1.5
text: "Ensure that the --read-only-port argument is set to 0 (Scored)" text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--read-only-port" - flag: "--read-only-port"
@ -102,7 +102,7 @@ groups:
- id: 2.1.6 - id: 2.1.6
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)" text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--streaming-connection-idle-timeout" - flag: "--streaming-connection-idle-timeout"
@ -121,7 +121,7 @@ groups:
- id: 2.1.7 - id: 2.1.7
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)" text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--protect-kernel-defaults" - flag: "--protect-kernel-defaults"
@ -140,7 +140,7 @@ groups:
- id: 2.1.8 - id: 2.1.8
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)" text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
bin_op: or bin_op: or
test_items: test_items:
@ -160,7 +160,7 @@ groups:
- id: 2.1.9 - id: 2.1.9
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)" text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--keep-terminated-pod-volumes" - flag: "--keep-terminated-pod-volumes"
@ -179,7 +179,7 @@ groups:
- id: 2.1.10 - id: 2.1.10
text: "Ensure that the --hostname-override argument is not set (Scored)" text: "Ensure that the --hostname-override argument is not set (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--hostname-override" - flag: "--hostname-override"
@ -195,7 +195,7 @@ groups:
- id: 2.1.11 - id: 2.1.11
text: "Ensure that the --event-qps argument is set to 0 (Scored)" text: "Ensure that the --event-qps argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--event-qps" - flag: "--event-qps"
@ -214,7 +214,7 @@ groups:
- id: 2.1.12 - id: 2.1.12
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)" text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--tls-cert-file" - flag: "--tls-cert-file"
@ -236,7 +236,7 @@ groups:
- id: 2.1.13 - id: 2.1.13
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)" text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "--cadvisor-port" - flag: "--cadvisor-port"
@ -255,7 +255,7 @@ groups:
- id: 2.1.14 - id: 2.1.14
text: "Ensure that the RotateKubeletClientCertificate argument is set to true" text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletClientCertificate" - flag: "RotateKubeletClientCertificate"
@ -275,7 +275,7 @@ groups:
- id: 2.1.15 - id: 2.1.15
text: "Ensure that the RotateKubeletServerCertificate argument is set to true" text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
audit: "ps -ef | grep $kubeletbin | grep -v grep" audit: "ps -fC $kubeletbin"
tests: tests:
test_items: test_items:
- flag: "RotateKubeletServerCertificate" - flag: "RotateKubeletServerCertificate"