arno/kube-bench
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-22 16:18:07 +00:00
Code Issues Releases Wiki Activity

Add config checks for permissions stricter that 644 to definition files.

Browse Source
This commit is contained in:
Abubakr-Sadik Nii Nai Davis 2017-08-15 15:47:01 +00:00
parent 7c7d477d78
commit e6f2b4d4fe
3 changed files with 67 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
cfg/master.yaml
View File

@ -599,12 +599,18 @@ groups:
# audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" # audit: "/bin/bash -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'" audit: "/bin/sh -c 'if test -e $apiserverconf; then stat -c %a $apiserverconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $apiserverconf" \nFor example, chmod 644 $apiserverconf"
scored: true scored: true
@ -627,12 +633,18 @@ groups:
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $config" \nFor example, chmod 644 $config"
scored: true scored: true
@ -655,12 +667,18 @@ groups:
text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the scheduler file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'" audit: "/bin/sh -c 'if test -e $schedulerconf; then stat -c %a $schedulerconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $schedulerconf" \nFor example, chmod 644 $schedulerconf"
scored: true scored: true
@ -683,12 +701,18 @@ groups:
text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the etcd.conf file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'" audit: "/bin/sh -c 'if test -e $etcdconf; then stat -c %a $etcdconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $etcdconf" \nFor example, chmod 644 $etcdconf"
scored: true scored: true
@ -711,12 +735,18 @@ groups:
text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the flanneld file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'" audit: "/bin/sh -c 'if test -e $flanneldconf; then stat -c %a $flanneldconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: "644" value: "644"
set: true set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the master node. remediation: "Run the below command (based on the file location on your system) on the master node.
\nFor example, chmod 644 $flanneldconf" \nFor example, chmod 644 $flanneldconf"
scored: true scored: true

33
cfg/node.yaml
View File

@ -223,8 +223,17 @@ groups:
text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the config file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'" audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node. remediation: "Run the below command (based on the file location on your system) on the each worker node.
\nFor example, chmod 644 $config" \nFor example, chmod 644 $config"
@ -248,12 +257,18 @@ groups:
text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the kubelet file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'" audit: "/bin/sh -c 'if test -e $kubeletconf; then stat -c %a $kubeletconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare: compare:
op: eq op: eq
value: 644 value: 644
set: true set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node. remediation: "Run the below command (based on the file location on your system) on the each worker node.
\nFor example, chmod 644 $kubeletconf" \nFor example, chmod 644 $kubeletconf"
scored: true scored: true
@ -273,8 +288,17 @@ groups:
text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)" text: "Ensure that the proxy file permissions are set to 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'" audit: "/bin/sh -c 'if test -e $proxyconf; then stat -c %a $proxyconf; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true set: true
remediation: "Run the below command (based on the file location on your system) on the each worker node. remediation: "Run the below command (based on the file location on your system) on the each worker node.
\nFor example, chmod 644 $proxyconf" \nFor example, chmod 644 $proxyconf"
@ -296,8 +320,17 @@ groups:
644 or more restrictive (Scored)" 644 or more restrictive (Scored)"
audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'" audit: "/bin/sh -c 'if test -e $ca-file; then stat -c %a $ca-file; fi'"
tests: tests:
bin_op: or
test_items: test_items:
- flag: "644" - flag: "644"
compare:
op: eq
value: "644"
set: true
- flag: "600"
compare:
op: eq
value: "600"
set: true set: true
remediation: "Run the following command to modify the file permissions of the --client-ca-file remediation: "Run the following command to modify the file permissions of the --client-ca-file
\nchmod 644 <filename>" \nchmod 644 <filename>"

6
cmd/util.go
View File

@ -69,7 +69,8 @@ func verifyConf(confPath ...string) {
for _, c := range confPath { for _, c := range confPath {
if _, err := os.Stat(c); err != nil && os.IsNotExist(err) { if _, err := os.Stat(c); err != nil && os.IsNotExist(err) {
continueWithError(err, "") e := fmt.Errorf("configuration file %s not found", c)
continueWithError(e, "")
missing += c + ", " missing += c + ", "
} }
} }
@ -93,8 +94,9 @@ func verifyBin(binPath ...string) {
bin = bin + "," + b bin = bin + "," + b
binSlice = append(binSlice, b) binSlice = append(binSlice, b)
if err != nil { if err != nil {
e := fmt.Errorf("executable file %s not found", b)
continueWithError(e, "")
missing += b + ", " missing += b + ", "
continueWithError(err, "")
} }
} }
bin = strings.Trim(bin, ",") bin = strings.Trim(bin, ",")