mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-22 16:18:07 +00:00
Add OCP 3.10 benchmarks.
This commit is contained in:
parent
42ed8628de
commit
e899e941f7
35
cfg/ocp-3.10/config.yaml
Normal file
35
cfg/ocp-3.10/config.yaml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
## Controls Files.
|
||||||
|
# These are YAML files that hold all the details for running checks.
|
||||||
|
#
|
||||||
|
## Uncomment to use different control file paths.
|
||||||
|
# masterControls: ./cfg/master.yaml
|
||||||
|
# nodeControls: ./cfg/node.yaml
|
||||||
|
# federatedControls: ./cfg/federated.yaml
|
||||||
|
|
||||||
|
master:
|
||||||
|
apiserver:
|
||||||
|
bins:
|
||||||
|
- openshift start master api
|
||||||
|
defaultconf: /etc/origin/master/master-config.yaml
|
||||||
|
|
||||||
|
scheduler:
|
||||||
|
bins:
|
||||||
|
- openshift start master controllers
|
||||||
|
defaultconf: /etc/origin/master/master-config.yaml
|
||||||
|
|
||||||
|
controllermanager:
|
||||||
|
bins:
|
||||||
|
- openshift start master controllers
|
||||||
|
defaultconf: /etc/origin/master/master-config.yaml
|
||||||
|
|
||||||
|
etcd:
|
||||||
|
defaultconf: /etc/kubernetes/manifests/etcd.yaml
|
||||||
|
|
||||||
|
node:
|
||||||
|
kubelet:
|
||||||
|
defaultconf: /etc/kubernetes/kubelet.conf
|
||||||
|
defaultsvc: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
||||||
|
|
||||||
|
proxy:
|
||||||
|
defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
|
113
cfg/ocp-3.10/federated.yaml
Normal file
113
cfg/ocp-3.10/federated.yaml
Normal file
@ -0,0 +1,113 @@
|
|||||||
|
---
|
||||||
|
controls:
|
||||||
|
id: 3
|
||||||
|
text: "Federated Deployments"
|
||||||
|
type: "federated"
|
||||||
|
groups:
|
||||||
|
- id: 3.1
|
||||||
|
text: "Federated API Server"
|
||||||
|
checks:
|
||||||
|
- id: 3.1.1
|
||||||
|
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.2
|
||||||
|
text: "Ensure that the --basic-auth-file argument is not set (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.3
|
||||||
|
text: "Ensure that the --insecure-allow-any-token argument is not set (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.4
|
||||||
|
text: "Ensure that the --insecure-bind-address argument is not set (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.5
|
||||||
|
text: "Ensure that the --insecure-port argument is set to 0 (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.6
|
||||||
|
text: "Ensure that the --secure-port argument is not set to 0 (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.7
|
||||||
|
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.8
|
||||||
|
text: "Ensure that the admission control policy is not set to AlwaysAdmit (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.9
|
||||||
|
text: "Ensure that the admission control policy is set to NamespaceLifecycle (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.10
|
||||||
|
text: "Ensure that the --audit-log-path argument is set as appropriate (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.11
|
||||||
|
text: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.12
|
||||||
|
text: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.13
|
||||||
|
text: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.14
|
||||||
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.15
|
||||||
|
text: "Ensure that the --token-auth-file parameter is not set (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.16
|
||||||
|
text: "Ensure that the --service-account-lookup argument is set to true (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.17
|
||||||
|
text: "Ensure that the --service-account-key-file argument is set as appropriate (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.18
|
||||||
|
text: "Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 3.1.19
|
||||||
|
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
|
- id: 3.2
|
||||||
|
text: "Federation Controller Manager"
|
||||||
|
checks:
|
||||||
|
- id: 3.2.1
|
||||||
|
text: "Ensure that the --profiling argument is set to false (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
1500
cfg/ocp-3.10/master.yaml
Normal file
1500
cfg/ocp-3.10/master.yaml
Normal file
File diff suppressed because it is too large
Load Diff
376
cfg/ocp-3.10/node.yaml
Normal file
376
cfg/ocp-3.10/node.yaml
Normal file
@ -0,0 +1,376 @@
|
|||||||
|
---
|
||||||
|
controls:
|
||||||
|
id: 2
|
||||||
|
text: "Worker Node Security Configuration"
|
||||||
|
type: "node"
|
||||||
|
groups:
|
||||||
|
- id: 2.1
|
||||||
|
text: "Kubelet"
|
||||||
|
checks:
|
||||||
|
- id: 2.1.1
|
||||||
|
text: "Ensure that the --allow-privileged argument is set to false (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.2
|
||||||
|
text: "Ensure that the --anonymous-auth argument is set to false (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.3
|
||||||
|
text: "Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored)"
|
||||||
|
audit: "grep -A1 authorization-mode /etc/origin/node/node-config.yaml"
|
||||||
|
tests:
|
||||||
|
bin_op: or
|
||||||
|
test_items:
|
||||||
|
- flag: "authorization-mode"
|
||||||
|
set: false
|
||||||
|
- flag: "authorization-mode: Webhook"
|
||||||
|
compare:
|
||||||
|
op: has
|
||||||
|
value: "Webhook"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove authorization-mode under
|
||||||
|
kubeletArguments in /etc/origin/node/node-config.yaml or set it to "Webhook".
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.4
|
||||||
|
text: "Ensure that the --client-ca-file argument is set as appropriate (Scored)"
|
||||||
|
audit: "grep -A1 client-ca-file /etc/origin/node/node-config.yaml"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "client-ca-file"
|
||||||
|
set: false
|
||||||
|
remediation: |
|
||||||
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove any configuration returned by the following:
|
||||||
|
grep -A1 client-ca-file /etc/origin/node/node-config.yaml
|
||||||
|
|
||||||
|
Reset to the OpenShift default.
|
||||||
|
See https://github.com/openshift/openshift-ansible/blob/release-3.10/roles/openshift_node_group/templates/node-config.yaml.j2#L65
|
||||||
|
The config file does not have this defined in kubeletArgument, but in PodManifestConfig.
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.5
|
||||||
|
text: "Ensure that the --read-only-port argument is set to 0 (Scored)"
|
||||||
|
audit: "grep -A1 read-only-port /etc/origin/node/node-config.yaml"
|
||||||
|
tests:
|
||||||
|
bin_op: or
|
||||||
|
test_items:
|
||||||
|
- flag: "read-only-port"
|
||||||
|
set: false
|
||||||
|
- flag: "read-only-port: 0"
|
||||||
|
compare:
|
||||||
|
op: has
|
||||||
|
value: "0"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and removed so that the OpenShift default is applied.
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.6
|
||||||
|
text: "Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored)"
|
||||||
|
audit: "grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml"
|
||||||
|
tests:
|
||||||
|
bin_op: or
|
||||||
|
test_items:
|
||||||
|
- flag: "streaming-connection-idle-timeout"
|
||||||
|
set: false
|
||||||
|
- flag: "0"
|
||||||
|
set: false
|
||||||
|
remediation: |
|
||||||
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set the streaming-connection-timeout
|
||||||
|
value like the following in node-config.yaml.
|
||||||
|
|
||||||
|
kubeletArguments:
|
||||||
|
streaming-connection-idle-timeout:
|
||||||
|
- "5m"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.7
|
||||||
|
text: "Ensure that the --protect-kernel-defaults argument is set to true (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.8
|
||||||
|
text: "Ensure that the --make-iptables-util-chains argument is set to true (Scored)"
|
||||||
|
audit: "grep -A1 make-iptables-util-chains /etc/origin/node/node-config.yaml"
|
||||||
|
tests:
|
||||||
|
bin_op: or
|
||||||
|
test_items:
|
||||||
|
- flag: "make-iptables-util-chains"
|
||||||
|
set: false
|
||||||
|
- flag: "make-iptables-util-chains: true"
|
||||||
|
compare:
|
||||||
|
op: has
|
||||||
|
value: "true"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and reset make-iptables-util-chains to the OpenShift
|
||||||
|
default value of true.
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
id: 2.1.9
|
||||||
|
text: "Ensure that the --keep-terminated-pod-volumeskeep-terminated-pod-volumes argument is set to false (Scored)"
|
||||||
|
audit: "grep -A1 keep-terminated-pod-volumes /etc/origin/node/node-config.yaml"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "keep-terminated-pod-volumes: false"
|
||||||
|
compare:
|
||||||
|
op: has
|
||||||
|
value: "false"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Reset to the OpenShift defaults
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.10
|
||||||
|
text: "Ensure that the --hostname-override argument is not set (Scored)"
|
||||||
|
type: "skip"
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.11
|
||||||
|
text: "Ensure that the --event-qps argument is set to 0 (Scored)"
|
||||||
|
audit: "grep -A1 event-qps /etc/origin/node/node-config.yaml"
|
||||||
|
tests:
|
||||||
|
bin_op: or
|
||||||
|
test_items:
|
||||||
|
- flag: "event-qps"
|
||||||
|
set: false
|
||||||
|
- flag: "event-qps: 0"
|
||||||
|
compare:
|
||||||
|
op: has
|
||||||
|
value: "0"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml set the event-qps argument to 0 in
|
||||||
|
the kubeletArguments section of.
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.12
|
||||||
|
text: "Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored)"
|
||||||
|
audit: "grep -A1 cert-dir /etc/origin/node/node-config.yaml"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "/etc/origin/node/certificates"
|
||||||
|
compare:
|
||||||
|
op: has
|
||||||
|
value: "/etc/origin/node/certificates"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Reset to the OpenShift default values.
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.13
|
||||||
|
text: "Ensure that the --cadvisor-port argument is set to 0 (Scored)"
|
||||||
|
audit: "grep -A1 cadvisor-port /etc/origin/node/node-config.yaml"
|
||||||
|
tests:
|
||||||
|
bin_op: or
|
||||||
|
test_items:
|
||||||
|
- flag: "cadvisor-port"
|
||||||
|
set: false
|
||||||
|
- flag: "cadvisor-port: 0"
|
||||||
|
compare:
|
||||||
|
op: has
|
||||||
|
value: "0"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and remove the cadvisor-port flag
|
||||||
|
if it is set in the kubeletArguments section.
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.14
|
||||||
|
text: "Ensure that the RotateKubeletClientCertificate argument is not set to false (Scored)"
|
||||||
|
audit: "grep -B1 RotateKubeletClientCertificate=true /etc/origin/node/node-config.yaml"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "RotateKubeletClientCertificate=true"
|
||||||
|
compare:
|
||||||
|
op: has
|
||||||
|
value: "true"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletClientCertificate to true.
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.1.15
|
||||||
|
text: "Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
|
||||||
|
audit: "grep -B1 RotateKubeletServerCertificate=true /etc/origin/node/node-config.yaml"
|
||||||
|
test:
|
||||||
|
test_items:
|
||||||
|
- flag: "RotateKubeletServerCertificate=true"
|
||||||
|
compare:
|
||||||
|
op: has
|
||||||
|
value: "true"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Edit the Openshift node config file /etc/origin/node/node-config.yaml and set RotateKubeletServerCertificate to true.
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
|
||||||
|
- id: 2.2
|
||||||
|
text: "Configuration Files"
|
||||||
|
checks:
|
||||||
|
- id: 2.2.1
|
||||||
|
text: "Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Scored)"
|
||||||
|
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
|
||||||
|
tests:
|
||||||
|
bin_op: or
|
||||||
|
test_items:
|
||||||
|
- flag: "644"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "644"
|
||||||
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Run the below command on each worker node.
|
||||||
|
chmod 644 /etc/origin/node/node.kubeconfig
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.2.2
|
||||||
|
text: "Ensure that the kubelet.conf file ownership is set to root:root (Scored)"
|
||||||
|
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "root:root"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: root:root
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Run the below command on each worker node.
|
||||||
|
chown root:root /etc/origin/node/node.kubeconfig
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.2.3
|
||||||
|
text: "Ensure that the kubelet service file permissions are set to 644 or more restrictive (Scored)"
|
||||||
|
audit: "stat -c %a /etc/systemd/system/atomic-openshift-node.service"
|
||||||
|
tests:
|
||||||
|
bin_op: or
|
||||||
|
test_items:
|
||||||
|
- flag: "644"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "644"
|
||||||
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Run the below command on each worker node.
|
||||||
|
chmod 644 /etc/systemd/system/atomic-openshift-node.service
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.2.4
|
||||||
|
text: "Ensure that the kubelet service file ownership is set to root:root (Scored)"
|
||||||
|
audit: "stat -c %U:%G /etc/systemd/system/atomic-openshift-node.service"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "root:root"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: root:root
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Run the below command on each worker node.
|
||||||
|
chown root:root /etc/systemd/system/atomic-openshift-node.service
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.2.5
|
||||||
|
text: "Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored)"
|
||||||
|
audit: "stat -c %a /etc/origin/node/node.kubeconfig"
|
||||||
|
tests:
|
||||||
|
bin_op: or
|
||||||
|
test_items:
|
||||||
|
- flag: "644"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "644"
|
||||||
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Run the below command on each worker node.
|
||||||
|
chmod 644 /etc/origin/node/node.kubeconfig
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.2.6
|
||||||
|
text: "Ensure that the proxy kubeconfig file ownership is set to root:root (Scored)"
|
||||||
|
audit: "stat -c %U:%G /etc/origin/node/node.kubeconfig"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "root:root"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: root:root
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Run the below command on each worker node.
|
||||||
|
chown root:root /etc/origin/node/node.kubeconfig
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.2.7
|
||||||
|
text: "Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Scored)"
|
||||||
|
audit: "stat -c %a /etc/origin/node/client-ca.crt"
|
||||||
|
tests:
|
||||||
|
bin_op: or
|
||||||
|
test_items:
|
||||||
|
- flag: "644"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "644"
|
||||||
|
set: true
|
||||||
|
- flag: "640"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "640"
|
||||||
|
set: true
|
||||||
|
- flag: "600"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: "600"
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Run the below command on each worker node.
|
||||||
|
chmod 644 /etc/origin/node/client-ca.crt
|
||||||
|
scored: true
|
||||||
|
|
||||||
|
- id: 2.2.8
|
||||||
|
text: "Ensure that the client certificate authorities file ownership is set to root:root (Scored)"
|
||||||
|
audit: "stat -c %U:%G /etc/origin/node/client-ca.crt"
|
||||||
|
tests:
|
||||||
|
test_items:
|
||||||
|
- flag: "root:root"
|
||||||
|
compare:
|
||||||
|
op: eq
|
||||||
|
value: root:root
|
||||||
|
set: true
|
||||||
|
remediation: |
|
||||||
|
Run the below command on each worker node.
|
||||||
|
chown root:root /etc/origin/node/client-ca.crt
|
||||||
|
scored: true
|
@ -82,6 +82,12 @@ func (c *Check) Run() {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If check type is skip, force result to INFO.
|
||||||
|
if c.Type == "skip" {
|
||||||
|
c.State = INFO
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
var out bytes.Buffer
|
var out bytes.Buffer
|
||||||
var errmsgs string
|
var errmsgs string
|
||||||
|
|
||||||
|
@ -46,6 +46,7 @@ type Summary struct {
|
|||||||
Pass int `json:"total_pass"`
|
Pass int `json:"total_pass"`
|
||||||
Fail int `json:"total_fail"`
|
Fail int `json:"total_fail"`
|
||||||
Warn int `json:"total_warn"`
|
Warn int `json:"total_warn"`
|
||||||
|
Info int `json:"total_info"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewControls instantiates a new master Controls object.
|
// NewControls instantiates a new master Controls object.
|
||||||
@ -182,6 +183,8 @@ func summarize(controls *Controls, check *Check) {
|
|||||||
controls.Summary.Fail++
|
controls.Summary.Fail++
|
||||||
case WARN:
|
case WARN:
|
||||||
controls.Summary.Warn++
|
controls.Summary.Warn++
|
||||||
|
case INFO:
|
||||||
|
controls.Summary.Info++
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -144,6 +144,12 @@ type tests struct {
|
|||||||
func (ts *tests) execute(s string) *testOutput {
|
func (ts *tests) execute(s string) *testOutput {
|
||||||
finalOutput := &testOutput{}
|
finalOutput := &testOutput{}
|
||||||
|
|
||||||
|
// If no tests are defined return with empty finalOutput.
|
||||||
|
// This is usually the case for checks of type: "skip".
|
||||||
|
if ts == nil {
|
||||||
|
return finalOutput
|
||||||
|
}
|
||||||
|
|
||||||
res := make([]testOutput, len(ts.TestItems))
|
res := make([]testOutput, len(ts.TestItems))
|
||||||
if len(res) == 0 {
|
if len(res) == 0 {
|
||||||
return finalOutput
|
return finalOutput
|
||||||
|
@ -157,7 +157,7 @@ func prettyPrint(r *check.Controls, summary check.Summary) {
|
|||||||
colors[check.WARN].Printf("== Remediations ==\n")
|
colors[check.WARN].Printf("== Remediations ==\n")
|
||||||
for _, g := range r.Groups {
|
for _, g := range r.Groups {
|
||||||
for _, c := range g.Checks {
|
for _, c := range g.Checks {
|
||||||
if c.State != check.PASS {
|
if c.State == check.FAIL || c.State == check.WARN {
|
||||||
fmt.Printf("%s %s\n", c.ID, c.Remediation)
|
fmt.Printf("%s %s\n", c.ID, c.Remediation)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -178,8 +178,8 @@ func prettyPrint(r *check.Controls, summary check.Summary) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
colors[res].Printf("== Summary ==\n")
|
colors[res].Printf("== Summary ==\n")
|
||||||
fmt.Printf("%d checks PASS\n%d checks FAIL\n%d checks WARN\n",
|
fmt.Printf("%d checks PASS\n%d checks FAIL\n%d checks INFO\n%d checks WARN",
|
||||||
summary.Pass, summary.Fail, summary.Warn,
|
summary.Pass, summary.Fail, summary.Info, summary.Warn,
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user