|
|
|
@ -10,7 +10,7 @@ groups:
|
|
|
|
|
checks:
|
|
|
|
|
- id: 2.1.1
|
|
|
|
|
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--allow-privileged"
|
|
|
|
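Review bot: `ps -fC $kubeletbin` selects processes by command name rather than by command line, so the audit now depends on `$kubeletbin` expanding to a bare executable name: on Linux procps, `-C` is compared against the kernel's `comm` field, which holds only the executable's basename truncated to 15 characters, so a full path or a longer name would silently match no process at all. The same substitution appears in every hunk of this file (checks 2.1.1 through 2.1.15), and with an empty `ps` result none of the `flag:` assertions can find their argument; whether kube-bench then reports FAIL or an error is not visible here and is worth confirming. Conversely, if `$kubeletbin` can resolve to a binary shared with other components, `-C` would presumably list those processes too and their flags could satisfy a kubelet check, so the substitution should be pinned to the kubelet executable name. The gain over the replaced `grep` pipeline is real — the audit no longer matches its own `grep` or unrelated processes whose arguments merely contain the name — so a comment above the audit line such as `# $kubeletbin must be the kubelet executable's basename (ps -C matches comm, max 15 chars), not a path` would preserve that intent for the next editor. The enclosing `groups`/`checks` list starts outside the hunk.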
@ -29,7 +29,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.2
|
|
|
|
|
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--anonymous-auth"
|
|
|
|
@ -48,7 +48,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.3
|
|
|
|
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--authorization-mode"
|
|
|
|
@ -67,7 +67,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.4
|
|
|
|
|
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--client-ca-file"
|
|
|
|
@ -83,7 +83,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.5
|
|
|
|
|
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--read-only-port"
|
|
|
|
@ -102,7 +102,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.6
|
|
|
|
|
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--streaming-connection-idle-timeout"
|
|
|
|
@ -121,7 +121,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.7
|
|
|
|
|
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--protect-kernel-defaults"
|
|
|
|
@ -140,7 +140,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.8
|
|
|
|
|
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
bin_op: or
|
|
|
|
|
test_items:
|
|
|
|
@ -160,7 +160,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.9
|
|
|
|
|
text: "Ensure that the --keep-terminated-pod-volumes argument is set to false (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--keep-terminated-pod-volumes"
|
|
|
|
@ -179,7 +179,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.10
|
|
|
|
|
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--hostname-override"
|
|
|
|
@ -195,7 +195,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.11
|
|
|
|
|
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--event-qps"
|
|
|
|
@ -214,7 +214,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.12
|
|
|
|
|
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--tls-cert-file"
|
|
|
|
@ -235,7 +235,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.13
|
|
|
|
|
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "--cadvisor-port"
|
|
|
|
@ -254,7 +254,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.14
|
|
|
|
|
text: "Ensure that the RotateKubeletClientCertificate argument is set to true"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "RotateKubeletClientCertificate"
|
|
|
|
@ -274,7 +274,7 @@ groups:
|
|
|
|
|
|
|
|
|
|
- id: 2.1.15
|
|
|
|
|
text: "Ensure that the RotateKubeletServerCertificate argument is set to true"
|
|
|
|
|
audit: "ps -ef | grep $kubeletbin | grep -v grep"
|
|
|
|
|
audit: "ps -fC $kubeletbin"
|
|
|
|
|
tests:
|
|
|
|
|
test_items:
|
|
|
|
|
- flag: "RotateKubeletServerCertificate"
|
|
|
|
|