
issue #234: implement test 2.2.8 (#343)

* implement test 2.2.8

* Nit: correct indentation

The indentation looked a bit wonky due to spaces vs tabs; hopefully this corrects it
This commit is contained in:
zilard 2019-07-10 11:43:15 +02:00 committed by Liz Rice
parent a0bed18054
commit d8528a1ec8
7 changed files with 67 additions and 9 deletions


@ -462,8 +462,14 @@ groups:
- id: 2.2.8 - id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
type: manual tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: | remediation: |
Run the following command to modify the ownership of the --client-ca-file . Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename> chown root:root <filename>
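Review bot: With `type: manual` replaced by an automated test, the audit's `if test -e $kubeletcafile` guard means a missing or unresolved file prints nothing at all, so the item fails as "root:root not set" in a way that cannot be told apart from a genuine ownership problem; the same applies to the three identical 2.2.8 sections that follow. The substituted value is also interpolated unquoted into the `sh -c` string, so a path containing whitespace would break the `stat` call, although that matches how the other `$kubelet…` variables in these files are already used. A short comment above `tests:` would make the failure mode explicit for whoever reads the result: `# empty audit output (file absent or path not resolved) fails this item`.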


@ -453,8 +453,14 @@ groups:
- id: 2.2.8 - id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
type: manual tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: | remediation: |
Run the following command to modify the ownership of the --client-ca-file . Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename> chown root:root <filename>


@ -434,8 +434,14 @@ groups:
- id: 2.2.8 - id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)" text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
type: manual tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: | remediation: |
Run the following command to modify the ownership of the --client-ca-file . Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename> chown root:root <filename>


@ -430,9 +430,15 @@ groups:
scored: true scored: true
- id: 2.2.8 - id: 2.2.8
text: "Ensure that the client certificate authorities file ownership is set to root:root" text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %U:%G $ca-file; fi'" audit: "/bin/sh -c 'if test -e $kubeletcafile; then stat -c %U:%G $kubeletcafile; fi'"
type: manual tests:
test_items:
- flag: "root:root"
compare:
op: eq
value: root:root
set: true
remediation: | remediation: |
Run the following command to modify the ownership of the --client-ca-file . Run the following command to modify the ownership of the --client-ca-file .
chown root:root <filename> chown root:root <filename>


@ -81,6 +81,8 @@ node:
defaultconf: /etc/kubernetes/config defaultconf: /etc/kubernetes/config
kubelet: kubelet:
cafile:
- "/etc/kubernetes/pki/ca.crt"
bins: bins:
- "hyperkube kubelet" - "hyperkube kubelet"
- "kubelet" - "kubelet"
@ -91,6 +93,7 @@ node:
defaultconf: "/var/lib/kubelet/config.yaml" defaultconf: "/var/lib/kubelet/config.yaml"
defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf" defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
defaultkubeconfig: "/etc/kubernetes/kubelet.conf" defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
defaultcafile: "/etc/kubernetes/pki/ca.crt"
proxy: proxy:
bins: bins:
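Review bot: The new `cafile` candidate list and `defaultcafile` both carry the single hard-coded path `/etc/kubernetes/pki/ca.crt`, so on a node whose kubelet was started with a different `--client-ca-file` (the flag the 2.2.8 remediation text names) the check reports the ownership of a file the running kubelet does not actually use, and the scored result no longer reflects the real CA file. The defaults here presumably follow the same distro-specific convention as `defaultconf` above, but a comment would make that limitation visible: `# candidate paths for the kubelet client CA; not derived from the running kubelet's --client-ca-file`. Adding further distribution-specific candidates to the list would at least widen the match.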


@ -85,6 +85,7 @@ func runChecks(nodetype check.NodeType) {
confmap := getConfigFiles(typeConf) confmap := getConfigFiles(typeConf)
svcmap := getServiceFiles(typeConf) svcmap := getServiceFiles(typeConf)
kubeconfmap := getKubeConfigFiles(typeConf) kubeconfmap := getKubeConfigFiles(typeConf)
cafilemap := getCaFile(typeConf)
// Variable substitutions. Replace all occurrences of variables in controls files. // Variable substitutions. Replace all occurrences of variables in controls files.
s := string(in) s := string(in)
@ -92,6 +93,7 @@ func runChecks(nodetype check.NodeType) {
s = makeSubstitutions(s, "conf", confmap) s = makeSubstitutions(s, "conf", confmap)
s = makeSubstitutions(s, "svc", svcmap) s = makeSubstitutions(s, "svc", svcmap)
s = makeSubstitutions(s, "kubeconfig", kubeconfmap) s = makeSubstitutions(s, "kubeconfig", kubeconfmap)
s = makeSubstitutions(s, "cafile", cafilemap)
controls, err := check.NewControls(nodetype, []byte(s)) controls, err := check.NewControls(nodetype, []byte(s))
if err != nil { if err != nil {


@ -258,6 +258,35 @@ func getKubeConfigFiles(v *viper.Viper) map[string]string {
return kubeconfigmap return kubeconfigmap
} }
// getCaFile finds which of the set of client certificate authorities files exist
func getCaFile(v *viper.Viper) map[string]string {
cafilemap := make(map[string]string)
for _, component := range v.GetStringSlice("components") {
s := v.Sub(component)
if s == nil {
continue
}
cafile := findConfigFile(s.GetStringSlice("cafile"))
if cafile == "" {
if s.IsSet("defaultcafile") {
cafile = s.GetString("defaultcafile")
glog.V(2).Info(fmt.Sprintf("Using default client CA file name '%s' for component %s", cafile, component))
} else {
glog.V(2).Info(fmt.Sprintf("Missing client CA file for %s", component))
cafile = component
}
} else {
glog.V(2).Info(fmt.Sprintf("Component %s uses client CA file '%s'", component, cafile))
}
cafilemap[component] = cafile
}
return cafilemap
}
// verifyBin checks that the binary specified is running // verifyBin checks that the binary specified is running
func verifyBin(bin string) bool { func verifyBin(bin string) bool {
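Review bot: When no CA file is found and no `defaultcafile` is configured, the `else` branch sets `cafile = component`, so the value substituted for the component's cafile variable is the bare word `kubelet` rather than a path; the audit then tests a relative path that does not exist and the item fails with no hint that the CA file was simply unconfigured. This appears to mirror what the sibling getters do, but the function comment should say so: `// falls back to the component name when no CA file is configured, so callers may receive a non-path value`. As a point of style, the three `glog.V(2).Info(fmt.Sprintf(...))` calls can be `glog.V(2).Infof(...)`, e.g. `glog.V(2).Infof("Component %s uses client CA file '%s'", component, cafile)`. Go's initialism convention would also name the function `getCAFile`, and the plural `getCAFiles` would match `getKubeConfigFiles` and the other getters it sits beside.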