mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-23 00:28:07 +00:00
161 lines
3.5 KiB
Plaintext
161 lines
3.5 KiB
Plaintext
---
|
|
controls:
|
|
id: 1
|
|
text: "Master Checks"
|
|
type: "master"
|
|
groups:
|
|
- id: 1.1
|
|
text: "Kube-apiserver"
|
|
checks:
|
|
- id: 0
|
|
text: "flag is set"
|
|
tests:
|
|
test_items:
|
|
- flag: "--allow-privileged"
|
|
set: true
|
|
|
|
- id: 1
|
|
text: "flag is not set"
|
|
tests:
|
|
test_item:
|
|
- flag: "--basic-auth"
|
|
set: false
|
|
|
|
- id: 2
|
|
text: "flag value is set to some value"
|
|
tests:
|
|
test_items:
|
|
- flag: "--insecure-port"
|
|
compare:
|
|
op: eq
|
|
value: 0
|
|
set: true
|
|
|
|
- id: 3
|
|
text: "flag value is greater than or equal some number"
|
|
tests:
|
|
test_items:
|
|
- flag: "--audit-log-maxage"
|
|
compare:
|
|
op: gte
|
|
value: 30
|
|
set: true
|
|
|
|
- id: 4
|
|
text: "flag value is less than some number"
|
|
tests:
|
|
test_items:
|
|
- flag: "--max-backlog"
|
|
compare:
|
|
op: lt
|
|
value: 30
|
|
set: true
|
|
|
|
- id: 5
|
|
text: "flag value does not have some value"
|
|
tests:
|
|
test_items:
|
|
- flag: "--admission-control"
|
|
compare:
|
|
op: nothave
|
|
value: AlwaysAdmit
|
|
set: true
|
|
|
|
- id: 6
|
|
text: "test AND binary operation"
|
|
tests:
|
|
bin_op: and
|
|
test_items:
|
|
- flag: "--kubelet-client-certificate"
|
|
set: true
|
|
- flag: "--kubelet-clientkey"
|
|
set: true
|
|
|
|
- id: 7
|
|
text: "test OR binary operation"
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: "--secure-port"
|
|
compare:
|
|
op: eq
|
|
value: 0
|
|
set: true
|
|
-
|
|
flag: "--secure-port"
|
|
set: false
|
|
|
|
- id: 8
|
|
text: "test flag with arbitrary text"
|
|
tests:
|
|
test_items:
|
|
- flag: "644"
|
|
compare:
|
|
op: eq
|
|
value: "644"
|
|
set: true
|
|
|
|
- id: 9
|
|
text: "test permissions"
|
|
audit: "/bin/sh -c 'if test -e $config; then stat -c %a $config; fi'"
|
|
tests:
|
|
bin_op: or
|
|
test_items:
|
|
- flag: "644"
|
|
compare:
|
|
op: eq
|
|
value: "644"
|
|
set: true
|
|
- flag: "640"
|
|
compare:
|
|
op: eq
|
|
value: "640"
|
|
set: true
|
|
- flag: "600"
|
|
compare:
|
|
op: eq
|
|
value: "600"
|
|
set: true
|
|
|
|
- id: 10
|
|
text: "flag value includes some value in a comma-separated list, value is last in list"
|
|
tests:
|
|
test_items:
|
|
- flag: "--admission-control"
|
|
compare:
|
|
op: has
|
|
value: RBAC
|
|
set: true
|
|
|
|
- id: 11
|
|
text: "flag value includes some value in a comma-separated list, value is first in list"
|
|
tests:
|
|
test_items:
|
|
- flag: "--admission-control"
|
|
compare:
|
|
op: has
|
|
value: WebHook
|
|
set: true
|
|
|
|
- id: 12
|
|
text: "flag value includes some value in a comma-separated list, value middle of list"
|
|
tests:
|
|
test_items:
|
|
- flag: "--admission-control"
|
|
compare:
|
|
op: has
|
|
value: Something
|
|
set: true
|
|
|
|
- id: 13
|
|
text: "flag value includes some value in a comma-separated list, value only one in list"
|
|
tests:
|
|
test_items:
|
|
- flag: "--admission-control"
|
|
compare:
|
|
op: has
|
|
value: Something
|
|
set: true
|
|
|
|
|